Tag

Cybersecurity Risk Management

Examines frameworks, methodologies, and practical approaches for identifying, assessing, and mitigating cybersecurity risks. Topics include risk assessments, threat modeling, vulnerability management, and building a risk-aware organizational culture.


NIST Cybersecurity Framework

NIST Cybersecurity Framework: A Practical Guide for 2026

When Colonial Pipeline paid $4.4 million in ransom after a single compromised password shut down fuel delivery across the Eastern Seaboard, it wasn't a failure of exotic technology. It was a failure of fundamentals — the exact fundamentals the NIST Cybersecurity Framework was designed to address. I'

Carl B. Johnson May 18, 2026 6 min read

Third Party Risk

Third Party Vendor Cybersecurity Risk: A 2026 Guide

When Target lost 40 million credit card records in 2013, the attackers didn't breach Target directly. They compromised an HVAC vendor. Over a decade later, the playbook hasn't changed — it's just gotten more devastating. Third party vendor cybersecurity risk is now the single fastest-growing

Carl B. Johnson Apr 07, 2026 6 min read

NIST Cybersecurity Framework

NIST Cybersecurity Framework: A Practical Guide for 2026

The Framework 83% of Organizations Claim to Follow — But Few Actually Implement

When the City of Dallas was hit by a devastating ransomware attack in May 2023, investigations revealed systemic gaps in risk management, incident response, and access controls — the exact areas the NIST Cybersecurity Framework was designed to address.

Carl B. Johnson Mar 28, 2026 6 min read

Insider Threats

Insider Threat Examples: 7 Real Cases That Cost Millions

In 2022, a former employee of Cash App's parent company, Block Inc., downloaded reports containing the personal information of 8.2 million customers — months after being terminated. The company's failure to revoke access cost them regulatory scrutiny, a class-action lawsuit, and reputational damage that no PR

Carl B. Johnson Jun 12, 2025 7 min read

NIST Cybersecurity Framework

NIST Cybersecurity Framework: A Practical Guide for 2023

The Framework That Could Have Prevented a $150 Million Mistake

When Equifax disclosed its catastrophic 2017 breach affecting 147 million Americans, the postmortem was brutal. The company had failed at the most basic elements of what the NIST Cybersecurity Framework prescribes: asset inventory, patch management, and network segmentation. The FTC

Carl B. Johnson Nov 09, 2023 7 min read

Shadow IT

What Is Shadow IT? The Hidden Risk Draining Your Security

The Salesforce Instance Nobody Knew About

In 2022, a mid-size healthcare company discovered that one of its marketing teams had been running an entirely separate Salesforce instance — for eleven months. Patient-adjacent data sat in an environment with no encryption at rest, no access controls, and no logging. The IT security

Carl B. Johnson Nov 03, 2023 7 min read

Cost of a Data Breach

Cost of a Data Breach: What 2022 Trends Signal

$4.24 Million Per Breach — and the Trajectory Is Ugly

IBM's 2021 Cost of a Data Breach Report pegged the global average at $4.24 million per incident — the highest in 17 years of the study. That figure jumped 10% from the prior year. If you're

Carl B. Johnson Feb 24, 2022 7 min read

NIST Cybersecurity Framework

NIST Cybersecurity Framework: A Practical Guide for 2022

When Colonial Pipeline shut down 5,500 miles of fuel infrastructure in May 2021 due to a single compromised password, it wasn't a failure of technology. It was a failure of framework. The company lacked the layered defenses, detection capabilities, and response plans that the NIST Cybersecurity Framework

Carl B. Johnson Jan 01, 2022 7 min read

Shadow IT

What Is Shadow IT? The Hidden Risk Draining Your Budget

The Breach That Started With a Spreadsheet App

In 2023, a midsize healthcare company discovered that an employee had been syncing patient records to an unauthorized cloud storage service for over eight months. The service had no encryption, no access controls, and no audit logging. By the time the security

Carl B. Johnson Oct 27, 2020 7 min read