Lora Vaughn

// POSTS TAGGED "insights"

Insights.

All posts tagged insights.


Phishing Tests Don't Work. Fight Me.

Phishing simulation click rates are a metric, not a security outcome. AI just made real phishing dramatically harder to spot. Your tests haven't caught up.

security-culture, hacklore, human-risk, insights

Concentration Risk Wasn't Just About Loans

Community banks have managed concentration risk for a century. Then we handed every customer record to a handful of SaaS aggregators. ShinyHunters is teaching us what that actually costs.

community-banking, vendor-risk, third-party-risk, concentration-risk, insights

Your Vendor Questionnaire Doesn't Ask the Right OAuth Questions

Regulators have been citing 4th party risk for years. OAuth token chains are how it actually executes, and most vendor programs aren't built to catch it. Here's what to ask.

third-party-risk, vendor-risk, oauth, saas-security, insights

Your Tabletop Exercise Isn't Testing What You Think It Is

Most tabletop exercises are scripted theater that confirm what people already believe. Here's what actually breaks during a real incident, and how to design an exercise that finds it before someone else does.

incident-response, tabletop-exercises, security-leadership, insights

The AI Questionnaire Your Vendors Aren't Ready For

Your vendors' employees are using AI tools. That means your data is flowing to model providers you've never assessed. Here are the questions to start asking.

third-party-risk, vendor-risk, ai-security, community-banking, insights

Your no-code MVP can't legally hold the data it was built for

No-code and AI app builders are great for prototypes, but they won't sign the agreement that lets you legally handle regulated data. Here's the line every founder needs to know before real data shows up.

hipaa, compliance, healthcare, startup-security, insights

"We Have an AI Policy" Is the New "We Passed the Audit"

OpenAI just admitted prompt injection isn't getting solved, and companies are wiring AI agents into production anyway. A policy document is not a control.

ai-governance, security-theater, community-banking, ai-security, insights

Your AI Agent Has a Supply Chain. Did You Audit It?

One in four MCP servers expose AI agents to remote code execution. Most teams deploying agents do not know what an MCP server is. That is a supply chain problem disguised as an AI launch.

ai-security, supply-chain, vendor-risk, ai-governance, insights

Your Ransomware Negotiator Might Be Playing Both Sides

The DigitalMint conviction proves your IR vendor pre-vetting is part of your security program, not an afterthought. Here is what to ask before the next incident, not during it.

incident-response, security-operations, security-strategy, insights

When Your Bank Examiner Says 'Risk Assessment' and You Break Out in Hives

Why most cybersecurity guidance for community banks is useless, and what to do instead.

cybersecurity, banking, compliance, community-banks, risk-management, insights