The AI Questionnaire Your Vendors Aren't Ready For
Your vendors' employees are using AI tools. That means your data is flowing to model providers you've never assessed. Here are the questions to start asking.
Read on loravaughn.comInsights & Thought Leadership
Cybersecurity strategy, AI risk, and security leadership from Lora Vaughn.
incident-response tabletop-exercises security-leadership
Your Tabletop Exercise Isn't Testing What You Think It Is
Most tabletop exercises are scripted theater that confirm what people already believe. Here's what actually breaks during a real incident, and how to design an exercise that finds it before someone...
Read on loravaughn.comConcentration Risk Wasn't Just About Loans
Community banks have managed concentration risk for a century. Then we handed every customer record to a handful of SaaS aggregators. ShinyHunters is teaching us what that actually costs.
Read on loravaughn.comYour Vendor Questionnaire Doesn't Ask the Right OAuth Questions
Regulators have been citing 4th party risk for years. OAuth token chains are how it actually executes, and most vendor programs aren't built to catch it. Here's what to ask.
Read on loravaughn.com security-culture hacklore human-risk
Phishing Tests Don't Work. Fight Me.
Phishing simulation click rates are a metric, not a security outcome. AI just made real phishing dramatically harder to spot. Your tests haven't caught up.
Read on loravaughn.com vulnerability-management risk-management ciso
NIST Just Stopped Doing Part of Your Job. Now What?
NIST is no longer enriching every CVE in the National Vulnerability Database. If CVSS scores were the backbone of your vulnerability management program, you have a problem that predates this...
Read on loravaughn.comFor more writing and industry commentary, visit loravaughn.com/blog
Last updated: May 31, 2026 at 08:12 AM
Need cybersecurity guidance?
Let's talk about how I can help your business get secure without the bloat.
Book Free Consult