Cybersecurity advisory writing.
Practical perspectives on cybersecurity governance, risk, operational maturity, and executive decision-making. Written for the leaders accountable for the outcome.
AI Governance Series
AI governance is not a tooling problem. It is a coordination and decision-system problem.
A multi-part examination of how decision authority, ownership, and accountability hold — or fail — as AI moves from procurement into deployment across the enterprise.
- Part 01 (Published)
AI Doesn’t Break Governance. It Exposes Existing Governance Failures.
Why most of what gets called “AI risk” is governance debt with a new label — and what that means for security leaders.
Read Part 01
- Part 02 (Published)
Who Owns AI Risk? Everyone Claims It. Nobody Holds It.
AI risk is not a single category. It is four distinct risks being treated as one — assigned to everyone, owned by no one.
Read Part 02
- Part 03 (Forthcoming)
Why AI Governance Fails After Deployment.
What changes once AI moves out of procurement review and into daily operations — and where oversight quietly degrades.
Coming soon
- Security program design, PILLAR / 01
Why Security Programs Fail
Most security programs don’t fail because of missing controls. They fail because decision authority is unclear, ownership is distributed, and accountability exists on paper but not in practice.
Read the pillar
- Mid-market security, PILLAR / 02
The Mid-Market Security Problem
Mid-market organizations face enterprise-level threat exposure without enterprise-level infrastructure. The security industry has no good answer for this — and most programs reflect that gap.
Read the pillar
- Security governance, PILLAR / 03
Governance Is a Decision System, Not a Document
Governance gets treated as a documentation exercise. The actual function of governance is to establish who owns decisions, who can commit resources, and who is accountable when something breaks.
Read the pillar
- Compliance and risk, PILLAR / 04
Compliance Is Not a Security Program
A SOC 2 report tells you what was true at a point in time. A HIPAA attestation tells you what was documented. Neither tells you whether the organization is reducing risk.
Read the pillar
- Security Leadership & vCISO
Is Your Cybersecurity Program Built for 2026?
Most mid-market security programs were built for a threat environment that no longer exists. Here's what's changed — and what readiness actually looks like now.
June 5, 2026, 5 min read
- AI Risk & Governance
Who Owns AI Risk? Everyone Claims It. Nobody Holds It.
Part 2 of the AI Governance Series. AI risk is not a single category. It is four distinct risks being treated as one — assigned to everyone, owned by no one.
June 5, 2026, 6 min read
- AI Risk & Governance
AI Doesn’t Break Governance. It Exposes Existing Governance Failures.
Part 1 of the AI Governance Series. AI is not introducing new governance problems. It is exposing the ones organizations already had — faster than most can respond.
June 3, 2026, 6 min read
- Cybersecurity Strategy
Cybersecurity Silos Revisited: The Problem Was Never the Silo
A revised perspective on an earlier argument. Specialization is the cost of maturity. The variable that determines outcomes is whether governance, decision authority, and accountability scale with it.
May 28, 2026, 8 min read
- Cybersecurity Strategy
Behavioral Security Evolution (2016–2026)
A 2016 article on behavioral analysis and anomaly detection, preserved unchanged, with a 2026 retrospective on how the field has shifted to identity, cloud, and AI-augmented detection.
May 26, 2026, 12 min read
- AI Risk & Governance
The Future of AI and Compliance: How NIST's AI Risk Management Framework Will Shape What's Next
NIST's AI Risk Management Framework offers a structured blueprint for managing AI risk — and it is positioned to serve as the compliance playbook as AI regulation solidifies.
February 12, 2026, 6 min read
- AI Risk & Governance
How AI Is Rewriting the Rules of Cybersecurity Risk
AI is not a temporary disruption to the cybersecurity landscape. It is a permanent reset of the risk dynamic — and most organizations have not internalized what that means yet.
February 5, 2026, 7 min read
- Cybersecurity Strategy
Ransomware's Evolution: From Early Malware to Ransomware-as-a-Service
With the rise of Ransomware-as-a-Service, what was once a specialized criminal capability has become a commoditized product — available to anyone willing to pay for access.
January 29, 2026, 6 min read
- Incident Response
Building an Incident Response Plan That Actually Works When You Need It
Most organizations have an incident response plan. Very few have one that would hold up under the pressure of an actual incident. The difference is not the length of the document.
January 22, 2026, 7 min read
Real engagements. Structural outcomes.
Operational case studies drawn from advisory and incident work — published with client permission, anonymized where required.
- Case study
vCISO Engagement — Specialty Services Company
How vCISO advisory support rebuilt security decision-making across a complex specialty services company following CISO departure and organizational restructuring.
Security Leadership & vCISO, 7 min read
- Case study
Ransomware Containment Through Access Control & Network Segmentation Reform
A manufacturing organization moved from recovery-focused response to structural containment — eliminating lateral movement paths by replacing flat network architecture with identity-based segmentation and centralized governance.
Incident Response, 6 min read
Have a situation that requires senior advisory perspective?
A 30–45 minute advisory call covers operating context, current posture, and the decisions forcing the work. If a fit exists, we propose scope.
