Sign in Subscribe

Security Leadership

Security Leadership

Strategic frameworks, program-building playbooks, and board-level communication guidance for practitioners moving into management and CISOs early in their tenure.

NIST CSF 2.0 Risk Management Strategy (GV.RM): Turning Risk Tolerance Into Actionable Cyber Decisions

NIST CSF 2.0 Risk Management Strategy (GV.RM): Turning Risk Tolerance Into Actionable Cyber Decisions

After nearly two decades as a CISO in large, complex organizations, one truth has been constant: Most cybersecurity programs don’t fail because they lack controls—they fail because they lack a coherent risk strategy. NIST CSF 2.0 directly addresses this gap through GV.RM – Risk Management Strategy. If

NIST CSF 2.0 Organizational Context (GV.OC): Governing Cybersecurity With Business Clarity

NIST CSF 2.0 Organizational Context (GV.OC): Governing Cybersecurity With Business Clarity

As a CISO in a large, global organization, I’ve learned that most cybersecurity failures are not caused by missing controls or weak tools. They are caused by misalignment—between security, business priorities, risk tolerance, and decision-making authority. That is precisely why NIST CSF 2.0 elevated governance and

Generative AI Policies: Aligning Organizational Governance with the NIST AI Risk Management Framework

Generative AI Policies: Aligning Organizational Governance with the NIST AI Risk Management Framework

Generative AI is moving faster than most organizational control structures. Employees are already using tools like ChatGPT, Copilot, Claude, and image generators to write code, summarize documents, build presentations, and analyze data—often without security or legal review. Banning generative AI outright is rarely effective. Ignoring it is worse. What

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar

Why Mean Time to Detect (MTTD) Is a Foundational Cybersecurity Metric

Why Mean Time to Detect (MTTD) Is a Foundational Cybersecurity Metric

In any mature security program, metrics drive decisions. You invest in controls, monitor alerts, and invest in tooling — but if you cannot quickly detect threats, the rest of your defenses may never get the chance to act. That’s where Mean Time to Detect (MTTD) becomes indispensable. Where Mean Time

Why Mean Time to Contain (MTTC) Matters as a Core Cybersecurity Metric

Why Mean Time to Contain (MTTC) Matters as a Core Cybersecurity Metric

When discussing cybersecurity performance and resilience, most organizations first think about prevention: firewalls, patching cadence, penetration testing, vulnerability counts, and control coverage. These are necessary defenses, but like all defenses, they will eventually be tested. As discussed in the previous post on Mean Time to Respond (MTTR), how quickly an

NIST CSF 2.0 for Executives: How the Six Functions Work Together to Reduce Business Risk

NIST CSF 2.0 for Executives: How the Six Functions Work Together to Reduce Business Risk

Cybersecurity risk is no longer a technical issue confined to IT teams. It is an enterprise risk discipline that directly impacts operational continuity, regulatory exposure, brand trust, and strategic execution. The NIST Cybersecurity Framework 2.0 (CSF 2.0) reflects this reality. Unlike earlier versions, CSF 2.0 places stronger