Sign in Subscribe

Security Leadership

Security Leadership

Strategic frameworks, program-building playbooks, and board-level communication guidance for practitioners moving into management and CISOs early in their tenure.

NIST CSF 2.0 – Identify Function Deep Dive: Asset Management (ID.AM)

NIST CSF 2.0 – Identify Function Deep Dive: Asset Management (ID.AM)

If you ask most CISOs where breaches really start, the answer is rarely “lack of tools.” It’s almost always lack of clarity. You cannot protect what you do not know exists. That is why Asset Management (ID.AM) sits at the foundation of the NIST Cybersecurity Framework (CSF) 2.

Cybersecurity Governance That Works: A Board and Executive Guide to the NIST CSF 2.0 GOVERN Function

Cybersecurity Governance That Works: A Board and Executive Guide to the NIST CSF 2.0 GOVERN Function

Cybersecurity has permanently moved out of the data center and into the boardroom. Regulators, customers, and investors now expect senior leadership to understand, oversee, and deliberately manage cyber risk. The NIST Cybersecurity Framework 2.0 reflects this reality by elevating GOVERN to a first-class function—placing leadership accountability at

NIST CSF 2.0 – GOVERN (GV.SC): Governing Cyber Risk Beyond Your Organizational Boundaries

NIST CSF 2.0 – GOVERN (GV.SC): Governing Cyber Risk Beyond Your Organizational Boundaries

Cybersecurity governance does not stop at your network perimeter. Modern enterprises rely on a complex ecosystem of vendors, cloud providers, SaaS platforms, integrators, and partners. Each dependency introduces risk—often outside the direct control of the CISO. GV.SC (Supply Chain Risk Management) exists to ensure those risks are governed

Choosing the Right Security Framework for Your Organization

Choosing the Right Security Framework for Your Organization

How to pick a framework that fits, scales, and actually covers what your business needs — including regulatory risk If you've spent any time in information security, you've heard the word "framework" thrown around a lot. NIST this, ISO that, somebody in the corner mumbling

NIST CSF 2.0 – GOVERN (GV.OV): Turning Governance Into Oversight That Works

NIST CSF 2.0 – GOVERN (GV.OV): Turning Governance Into Oversight That Works

In the previous post on GV.PO – Policies, Processes, and Procedures, we focused on how organizations define expectations for cybersecurity. But governance does not stop at documentation. Policies without oversight are aspirational at best—and risky at worst. This is where GV.OV (Oversight) comes in. Under NIST CSF 2.

NIST CSF 2.0 Policies, Processes, and Procedures (GV.PO): Turning Governance Into Operational Reality

NIST CSF 2.0 Policies, Processes, and Procedures (GV.PO): Turning Governance Into Operational Reality

After decades leading cybersecurity programs in large, global organizations, I’ve learned that governance only matters when it shows up in daily decisions. Policies that live in binders, processes that no one follows, and procedures that exist only for audits do not reduce risk—they create the illusion of control.

NIST CSF 2.0 Roles, Responsibilities, and Authorities (GV.RR): Eliminating Ambiguity in Cybersecurity Leadership

NIST CSF 2.0 Roles, Responsibilities, and Authorities (GV.RR): Eliminating Ambiguity in Cybersecurity Leadership

After more than twenty years leading cybersecurity programs in global enterprises, I’ve seen sophisticated security architectures fail for one simple reason: no one was truly accountable. Technology does not fail in isolation—organizations do. GV.RR exists to eliminate the ambiguity that undermines even the most mature security programs