Latest Writing
The County IT Director’s Dilemma: Cybersecurity With a Municipal Budget
Your cyber insurance carrier wants a NIST CSF assessment. Your shared IT staff is two people. Here is how a mid-Hudson Valley municipality closed the gap.
The $15,000 Question: When a Fractional CISO Costs Less Than Your Next Breach
A ransomware incident cost a Hudson Valley manufacturer $340,000 in eleven days. The fractional CISO they hired afterward costs $15,000 a year. A clear-eyed look at what security leadership actually costs, what its absence actually costs, and what 8-12 hours of strategic oversight per month buys a 50-500 employee business.
Ransomware Changed in 2025. Your Response Plan Didn’t.
Attackers now move from initial access to full network compromise in under a minute. Most mid-market incident response plans were written for a world where you had hours. That world is gone.
The Question Your Board Will Ask This Year — And Why Most CISOs Can’t Answer It
Every board in America will ask some version of “are we secure?” this year. The honest answer is more useful than the comfortable one — but only if you know how to frame it.
Your Organization Doesn't Have A Culture. It Has Several.
Why generic security programs fail, how subcultures silently shape risk decisions, and the diagnostic method that actually works — combining surveys and interviews to build a current-state view you can trust and act on.
The AI Policy You Wrote Last Quarter Is Already Wrong
A community bank discovered 11 unapproved AI tools across 6 departments. The acceptable use policy written four months earlier was already obsolete. Shadow AI is the new shadow IT — but faster and with data exposure baked in.
Your Incident Response Plan Survived the Audit. It Won't Survive Tuesday.
A mid-size manufacturer's IR plan checked every compliance box. During a tabletop exercise, it fell apart in 20 minutes. The plant manager wasn't in the communication chain. The backup vendor contract had expired. Nobody had tested restoring from backups in 14 months.
The Board Doesn't Want a Dashboard. They Want a Decision.
A 400-bed health system's CISO was presenting 47 metrics monthly. The board couldn't act on any of them. How restructuring reporting around decision-ready risk statements transformed governance overnight.