What we're seeing in the field.
Operator perspective on cybersecurity, M&A diligence, AI governance, and the decisions our clients face. Short, opinionated, written by the people doing the work.
Document the program, or run it.
Twenty years of opening GRC tools to do something a GRC tool was not built to do. The category serves the audit. The operator runs the program. The tools you choose tell you which one you are really trying to do.
The hidden tax of TPRM done badly.
Four CISO and CIO seats, four board meetings that opened with a TPRM completion percentage. The percentage was always high. The risk was never measured. Three taxes the audit committee never sees, and the fourth one that has a Tuesday.
The 12-month security program is a lie.
Security advisor and fractional CISO engagements are sized to 12 months because that is how procurement buys. Programs mature on a 24- to 36-month curve. The gap is where security work goes to die.
The four cybersecurity questions your board should be asking in 2026.
Most boards still ask cyber questions designed for a 2015 risk landscape. Here are the four that actually matter now: SEC disclosure readiness, third-party concentration risk, AI ownership, and CISO key-person risk.