CISO Brief
Regulatory compliance, cyber risk, and board-level security strategy
NIS2 Directive: The CISO's Compliance Roadmap by Sector
What CISOs must implement under the EU's NIS2 Directive — sector-specific obligations, board accountability requirements, and the cost of non-compliance.
CIRCIA Is Live: What the 72-Hour Reporting Rule Means for Your Organisation
The Cyber Incident Reporting for Critical Infrastructure Act final rule took effect in May 2026, establishing mandatory 72-hour incident reports and 24-hour ransomware payment disclosure for covered entities. Here's what CISOs need to have in place before an incident.
NIS2 Supply Chain Security: What Article 21 Actually Requires — and What Most Organisations Are Getting Wrong
NIS2 Article 21 mandates supply chain security as a core cybersecurity obligation for essential and important entities. This briefing covers what the directive requires, the implementation gaps most organisations have, and what boards need to understand before their national regulator comes looking.
Nightmare-Eclipse: What the Windows Zero-Day Campaign Means for Your Board
Six actively exploited Windows vulnerabilities, three confirmed in live attacks, and a credible remote-code-execution threat arriving in June. A plain-English board briefing for security leaders.
The AI Vulnerability Wave: What Every CISO Needs to Tell the Board Right Now
Anthropic's Project Glasswing found 10,000+ critical vulnerabilities in open source in a single month. The NCSC has warned of a forced correction of technical debt. What this means for board risk posture, vendor expectations, and patch SLAs that are already obsolete.
Quantifying Cyber Risk for the Board: Combining NIST CSF 2.0 with FAIR
Boards are asking for cyber risk in business terms, not security metrics. This brief explains how to combine NIST CSF 2.0's Govern function with FAIR financial quantification to produce board-ready risk reporting.
Cyber Due Diligence in M&A: What CISOs Need to Assess Before the Deal Closes
Mergers and acquisitions carry hidden cyber risk that traditional financial due diligence doesn't capture. This brief covers what CISOs must assess before signing, the regulatory obligations that transfer with an acquisition, and how to structure post-merger security integration.
- May 28, 2026 CIRCIA Is Live: What the 72-Hour Reporting Rule Means for Your Organisation
- May 27, 2026 NIS2 Supply Chain Security: What Article 21 Actually Requires — and What Most Organisations Are Getting Wrong
- May 26, 2026 Nightmare-Eclipse: What the Windows Zero-Day Campaign Means for Your Board
- May 25, 2026 The AI Vulnerability Wave: What Every CISO Needs to Tell the Board Right Now
- May 23, 2026 Quantifying Cyber Risk for the Board: Combining NIST CSF 2.0 with FAIR
- May 23, 2026 Cyber Due Diligence in M&A: What CISOs Need to Assess Before the Deal Closes
- May 22, 2026 Cyber Insurance in 2026 — What CISOs Need to Know Before Renewal
- May 10, 2026 NIS2 Directive: The CISO's Compliance Roadmap by Sector