Writing on cybersecurity strategy, AI risk, security leadership, and lessons from 20+ years in cybersecurity.https://loravaughn.com/en-ushttps://loravaughn.com/blog/your-ransomware-negotiator-might-be-playing-both-sides/https://loravaughn.com/blog/your-ransomware-negotiator-might-be-playing-both-sides/The DigitalMint conviction proves your IR vendor pre-vetting is part of your security program, not an afterthought. Here is what to ask before the next incident, not during it.Tue, 02 Jun 2026 00:00:00 GMTincident-responsesecurity-operationssecurity-strategyhttps://loravaughn.com/blog/we-used-to-have-pockets-then-someone-took-them/https://loravaughn.com/blog/we-used-to-have-pockets-then-someone-took-them/A choir practice rant about why women's clothing has no real pockets, how that happened, and why a missing pocket was never really about the pocket.Wed, 27 May 2026 00:00:00 GMTpersonalculturecommentaryhttps://loravaughn.com/blog/the-ai-questionnaire-your-vendors-arent-ready-for/https://loravaughn.com/blog/the-ai-questionnaire-your-vendors-arent-ready-for/Your vendors' employees are using AI tools. That means your data is flowing to model providers you've never assessed. Here are the questions to start asking.Tue, 26 May 2026 00:00:00 GMThttps://loravaughn.com/blog/your-tabletop-exercise-isnt-testing-what-you-think-it-is/https://loravaughn.com/blog/your-tabletop-exercise-isnt-testing-what-you-think-it-is/Most tabletop exercises are scripted theater that confirm what people already believe. Here's what actually breaks during a real incident, and how to design an exercise that finds it before someone else does.Wed, 20 May 2026 00:00:00 GMTincident-responsetabletop-exercisessecurity-leadershiphttps://loravaughn.com/blog/concentration-risk-wasnt-just-about-loans/https://loravaughn.com/blog/concentration-risk-wasnt-just-about-loans/Community banks have managed concentration risk for a century. Then we handed every customer record to a handful of SaaS aggregators. ShinyHunters is teaching us what that actually costs.Mon, 11 May 2026 00:00:00 GMThttps://loravaughn.com/blog/your-vendor-questionnaire-doesnt-ask-the-right-oauth-questions/https://loravaughn.com/blog/your-vendor-questionnaire-doesnt-ask-the-right-oauth-questions/Regulators have been citing 4th party risk for years. OAuth token chains are how it actually executes, and most vendor programs aren't built to catch it. Here's what to ask.Tue, 05 May 2026 00:00:00 GMThttps://loravaughn.com/blog/phishing-tests-dont-work-fight-me/https://loravaughn.com/blog/phishing-tests-dont-work-fight-me/Phishing simulation click rates are a metric, not a security outcome. AI just made real phishing dramatically harder to spot. Your tests haven't caught up.Mon, 27 Apr 2026 00:00:00 GMTsecurity-culturehacklorehuman-riskhttps://loravaughn.com/blog/nist-just-stopped-doing-part-of-your-job-now-what/https://loravaughn.com/blog/nist-just-stopped-doing-part-of-your-job-now-what/NIST is no longer enriching every CVE in the National Vulnerability Database. If CVSS scores were the backbone of your vulnerability management program, you have a problem that predates this announcement.Tue, 21 Apr 2026 00:00:00 GMTvulnerability-managementrisk-managementcisohttps://loravaughn.com/blog/your-ai-vendor-said-their-model-is-accurate-explainable-and-compliant-did-they-prove-it/https://loravaughn.com/blog/your-ai-vendor-said-their-model-is-accurate-explainable-and-compliant-did-they-prove-it/Community banks are getting pitched AI tools right now. Standard vendor due diligence doesn't cover what actually matters with AI. Here's what to ask before you sign anything.Mon, 20 Apr 2026 00:00:00 GMTcommunity-banksai-governancecompliancevendor-selectionhttps://loravaughn.com/blog/how-to-pick-an-mdr-provider-when-youre-a-community-bank/https://loravaughn.com/blog/how-to-pick-an-mdr-provider-when-youre-a-community-bank/Every MDR vendor says they do detection and response. Here's what to actually evaluate before you sign a contract, and the questions most community banks never think to ask.Mon, 13 Apr 2026 00:00:00 GMTcommunity-banksmdrsecurity-operationsvendor-selectionffiechttps://loravaughn.com/blog/the-ffiec-cat-is-gone-now-what/https://loravaughn.com/blog/the-ffiec-cat-is-gone-now-what/The FFIEC retired the Cybersecurity Assessment Tool. Here's what community banks actually need to do now, what examiners are looking for instead, and how to transition without starting from scratch.Fri, 27 Mar 2026 00:00:00 GMTcommunity-banksffieccompliancenist-csfrisk-managementhttps://loravaughn.com/blog/the-framework-trap-when-compliance-kills-security/https://loravaughn.com/blog/the-framework-trap-when-compliance-kills-security/Security frameworks were built to guide programs, not replace thinking. Do security right and compliance follows. Here's why most organizations have it backwards.Mon, 23 Mar 2026 00:00:00 GMTcompliancesecurity-strategycommunity-bankinghttps://loravaughn.com/blog/i-spent-eight-hours-on-my-home-network-im-still-not-done/https://loravaughn.com/blog/i-spent-eight-hours-on-my-home-network-im-still-not-done/A home network rebuild that's still in progress and already has lessons. Documentation debt is real, and it costs you more than a weekend.Tue, 17 Mar 2026 00:00:00 GMTsecurity-operationspersonallessons-learnedhttps://loravaughn.com/blog/your-vendors-are-your-biggest-security-risk-heres-what-to-do-about-it/https://loravaughn.com/blog/your-vendors-are-your-biggest-security-risk-heres-what-to-do-about-it/Most community banks can answer every question about their own security posture. But ask about their vendors, and you get silence. Here's how to fix that.Mon, 09 Mar 2026 00:00:00 GMThttps://loravaughn.com/blog/the-real-ai-threat-isnt-job-loss-its-irrelevance/https://loravaughn.com/blog/the-real-ai-threat-isnt-job-loss-its-irrelevance/Everyone's worried AI will take their job. The bigger risk is becoming the person who can't keep up because you refused to learn how to use it.Mon, 23 Feb 2026 00:00:00 GMTai-for-businessai-toolscareerhttps://loravaughn.com/blog/its-2026-you-can-use-the-guest-wifi/https://loravaughn.com/blog/its-2026-you-can-use-the-guest-wifi/A security professional scolded me for connecting to guest WiFi. Meanwhile, 100+ CISOs signed a letter asking people to stop giving exactly that advice.Thu, 12 Feb 2026 00:00:00 GMTsecurity-culturehacklorepractical-securityhttps://loravaughn.com/blog/you-want-to-try-openclaw-heres-how-to-not-wreck-yourself/https://loravaughn.com/blog/you-want-to-try-openclaw-heres-how-to-not-wreck-yourself/OpenClaw is genuinely cool technology—and a real security risk. Instead of telling you to run away, here's how to experiment with it safely.Sat, 07 Feb 2026 00:00:00 GMTai-securityagentic-aiopenclawsecurity-controlshttps://loravaughn.com/blog/why-your-incident-response-plan-will-fail-and-what-to-build-instead/https://loravaughn.com/blog/why-your-incident-response-plan-will-fail-and-what-to-build-instead/Most IR plans fail not because they're poorly written, but because plans don't survive contact with reality. Here's how to build response capability instead of just documentation.Tue, 03 Feb 2026 00:00:00 GMTincident-responsesecurity-operationscrisis-managementtabletop-exercisessecurity-leadershipcisobusiness-continuitysecurity-planninghttps://loravaughn.com/blog/the-drinking-bird-at-the-nuclear-plant/https://loravaughn.com/blog/the-drinking-bird-at-the-nuclear-plant/Sam Altman wants to give AI full access to everything. Your users will too. Your AI security strategy isn't competing against attackers; it's competing against tedium. Tedium wins.Sun, 01 Feb 2026 00:00:00 GMTai-securityagentic-aisecurity-controlsuser-behaviorrisk-managementsecurity-leadershipopenaiautomationhttps://loravaughn.com/blog/siem-vs-mdr-for-community-banks-what-actually-works-and-whats-a-waste-of-money/https://loravaughn.com/blog/siem-vs-mdr-for-community-banks-what-actually-works-and-whats-a-waste-of-money/A practical guide for community banks choosing between SIEM and MDR solutions. Real costs, what examiners actually want, and a decision framework for banks under $2B in assets.Mon, 26 Jan 2026 00:00:00 GMTcommunity-bankssiemmdrffieccompliancesecurity-operationsbankingvirtual-cisothreat-detectionsecurity-budgethttps://loravaughn.com/blog/the-security-program-you-actually-need-not-the-one-vendors-are-selling-you/https://loravaughn.com/blog/the-security-program-you-actually-need-not-the-one-vendors-are-selling-you/Most security advice assumes you're a Fortune 500. You're not. Here's what you actually need at your size, what you can skip, and how to know when to level up.Wed, 21 Jan 2026 00:00:00 GMTcommunity-banksfintechstartupssecurity-programsright-sizing-securityhttps://loravaughn.com/blog/i-built-a-live-deepfake-in-30-minutes-heres-the-part-that-actually-scares-me/https://loravaughn.com/blog/i-built-a-live-deepfake-in-30-minutes-heres-the-part-that-actually-scares-me/Using AI coding tools, I built a convincing live deepfake demo in 30 minutes with zero machine learning knowledge. The barrier to creating sophisticated attacks isn't technical skill anymore, it's just intent.Thu, 08 Jan 2026 00:00:00 GMTAIDeepfakesFraud-PreventionSocial-Engineeringhttps://loravaughn.com/blog/intentions-not-resolutions-on-choosing-presence-over-urgency/https://loravaughn.com/blog/intentions-not-resolutions-on-choosing-presence-over-urgency/On knowing the always-on CISO life isn't sustainable, doing it anyway, and what fractional work is teaching me about presence.Tue, 30 Dec 2025 00:00:00 GMTcareerCISOleadershipwork-life-balancefractional-CISOnew-yearsintentionshttps://loravaughn.com/blog/when-everything-is-critical-nothing-is-critical/https://loravaughn.com/blog/when-everything-is-critical-nothing-is-critical/Your vulnerability scanner flagged 10,000 issues. Your SIEM has 500 critical alerts. Every project is top priority. So what do you actually fix first?Tue, 16 Dec 2025 12:00:00 GMTvulnerability managementprioritizationsecurity-operationsCISOrisk managementsecurity-strategyhttps://loravaughn.com/blog/security-theater-vs-security-how-to-tell-the-difference/https://loravaughn.com/blog/security-theater-vs-security-how-to-tell-the-difference/That shiny new security tool looks impressive in the demo. But will it actually reduce risk? Here's how to tell security theater from real security before you waste the budget.Tue, 02 Dec 2025 12:00:00 GMTsecurity-strategybudget-planningsecurity-toolsCISOrisk-managementsecurity-theaterhttps://loravaughn.com/blog/stop-protecting-systems-start-protecting-data/https://loravaughn.com/blog/stop-protecting-systems-start-protecting-data/Why modern security strategies must shift from system-centric defenses to data-centric protection approaches.Sun, 23 Nov 2025 18:00:00 GMTdata-securitysecurity-strategydata-protectionhttps://loravaughn.com/blog/when-your-bank-examiner-says-risk-assessment-and-you-break-out-in-hives/https://loravaughn.com/blog/when-your-bank-examiner-says-risk-assessment-and-you-break-out-in-hives/Why most cybersecurity guidance for community banks is useless, and what to do insteadWed, 19 Nov 2025 00:00:00 GMTcybersecuritybankingcompliancecommunity-banksrisk-managementhttps://loravaughn.com/blog/vibe-coding-how-to-write-secure-code-when-ai-does-the-heavy-lifting/https://loravaughn.com/blog/vibe-coding-how-to-write-secure-code-when-ai-does-the-heavy-lifting/AI coding tools are powerful, but they're trained on decades of mediocre code. Here's how to harness them without inheriting every security mistake we've been making since the 90s.Thu, 13 Nov 2025 00:00:00 GMTsecurityAIdevelopmentcodingAI-codingsecure-developmentcopilotclaude-codebest-practiceshttps://loravaughn.com/blog/how-to-respond-when-your-customer-sends-you-a-security-questionnaire/https://loravaughn.com/blog/how-to-respond-when-your-customer-sends-you-a-security-questionnaire/Your biggest deal just sent a 200-question security assessment. Here's your step-by-step playbook for responding without losing the deal or your mind.Wed, 05 Nov 2025 00:00:00 GMThttps://loravaughn.com/blog/how-to-get-soc-2-certified-startup-guide-costs-15k-50k-takes-3-6-months/https://loravaughn.com/blog/how-to-get-soc-2-certified-startup-guide-costs-15k-50k-takes-3-6-months/How much does SOC 2 cost? $15K-50K for audit + $5K-30K/year in tools. Real timeline: 3-6 months prep + 4-8 weeks audit. Here's what you actually need (and what you can skip).Mon, 03 Nov 2025 12:00:00 GMTSOC2compliancestartup-securityauditsSOC2-costSOC2-requirementshttps://loravaughn.com/blog/feats-of-endurance-and-stupidity-what-running-in-circles-teaches-us-about-cybersecurity/https://loravaughn.com/blog/feats-of-endurance-and-stupidity-what-running-in-circles-teaches-us-about-cybersecurity/What ultramarathon running teaches us about incident response and cybersecurity resilience. Lessons from a CISO on training for chaos, mental endurance, and why preparation beats reaction.Fri, 24 Oct 2025 00:00:00 GMTcybersecurityleadershipincident-responseresiliencehttps://loravaughn.com/blog/from-jewels-to-data-why-we-never-learn/https://loravaughn.com/blog/from-jewels-to-data-why-we-never-learn/The Louvre got robbed. Companies get breached. Both could've been prevented. Here's why waiting for the 'oh crap' moment is a terrible security strategy.Wed, 22 Oct 2025 00:00:00 GMTcybersecurityincident-responsesecurity-strategyrisk-managementhttps://loravaughn.com/blog/do-you-need-a-fractional-ciso-heres-how-to-tell/https://loravaughn.com/blog/do-you-need-a-fractional-ciso-heres-how-to-tell/Not sure if you need security leadership yet? Here's when a fractional CISO makes sense, what your options look like, and how to avoid overspending on security too early.Mon, 20 Oct 2025 12:00:00 GMTfractional-CISOvirtual-CISOstartup-securitySMB-securitysecurity-leadershiphttps://loravaughn.com/blog/the-engineered-forest-why-the-best-security-programs-are-invisible/https://loravaughn.com/blog/the-engineered-forest-why-the-best-security-programs-are-invisible/What a carefully managed New Hampshire forest taught me about building security programs that enable rather than block. The best security, like the best ecosystems, looks effortless but is intentionally designed.Wed, 15 Oct 2025 12:00:00 GMTsecurityleadershipphilosophyCISOhttps://loravaughn.com/blog/is-your-smart-device-actually-smart-a-simple-test/https://loravaughn.com/blog/is-your-smart-device-actually-smart-a-simple-test/Before connecting that next device to WiFi, ask one question: does the benefit actually outweigh the risk? A security professional's practical guide to smart home decisions.Tue, 23 Sep 2025 00:00:00 GMTconsumer-securityiotprivacysmart-homepractical-securityhttps://loravaughn.com/blog/when-perfect-plans-meet-imperfect-reality/https://loravaughn.com/blog/when-perfect-plans-meet-imperfect-reality/Sometimes the consequences of IR plan failure aren't just about downtime or data. Sometimes they're about life and death.Thu, 18 Sep 2025 00:00:00 GMTincident-responsecybersecurityhealthcaresecurity-leadershiphttps://loravaughn.com/blog/the-question-that-made-everyone-in-the-room-go-silent/https://loravaughn.com/blog/the-question-that-made-everyone-in-the-room-go-silent/I asked one simple question about incident response plans. The silence that followed told me everything I needed to know.Thu, 11 Sep 2025 00:00:00 GMTincident-responsecybersecuritysecurity-leadershiphttps://loravaughn.com/blog/building-an-autonomous-sunset-timelapse-system-part-2---historical-processing/https://loravaughn.com/blog/building-an-autonomous-sunset-timelapse-system-part-2---historical-processing/Process historical camera footage into timelapse videos with Python and OpenCV. Bulk video processing, Reolink API integration, and FFmpeg automation for recovering missed captures.Fri, 05 Sep 2025 00:00:00 GMThistorical-processingapi-integrationvideo-processingdata-pipelineautomationpythonprojectshttps://loravaughn.com/blog/building-an-automated-sunset-timelapse-part-1---live-capture-engineering/https://loravaughn.com/blog/building-an-automated-sunset-timelapse-part-1---live-capture-engineering/Build an automated Raspberry Pi sunset timelapse system with Python, FFmpeg, and RTSP. Complete tutorial with code for capturing, processing, and uploading to YouTube automatically.Thu, 04 Sep 2025 00:00:00 GMTraspberry-pirtspcomputer-visionautomationpythonlive-captureprojectshttps://loravaughn.com/blog/your-cybersecurity-degree-may-not-have-prepared-you-for-the-real-world/https://loravaughn.com/blog/your-cybersecurity-degree-may-not-have-prepared-you-for-the-real-world/Why choosing the right cybersecurity program matters, and how to match your degree to your career goals.Thu, 28 Aug 2025 00:00:00 GMTcybersecurityeducationcomputer-sciencehot-takehttps://loravaughn.com/blog/how-not-to-find-a-cybersecurity-mentor-a-guide-for-career-seekers/https://loravaughn.com/blog/how-not-to-find-a-cybersecurity-mentor-a-guide-for-career-seekers/Turning a real-world example into lessons for breaking into cybersecurity the right wayThu, 21 Aug 2025 00:00:00 GMTcareer-transitioncybersecuritybuilder-mindsethttps://loravaughn.com/blog/when-life-gives-you-network-timeouts-make-automated-sunsets/https://loravaughn.com/blog/when-life-gives-you-network-timeouts-make-automated-sunsets/How I turned camera API failures into an automated sunset timelapse system using Raspberry Pi, RTSP streaming, and YouTube uploads. A story about pivoting when technology doesn't cooperate.Tue, 19 Aug 2025 00:00:00 GMTraspberry-piautomationpythoniotsecurityopen-sourcecameratimelapseyoutube-apihome-automationhttps://loravaughn.com/blog/automating-ourselves-into-a-cybersecurity-crisis/https://loravaughn.com/blog/automating-ourselves-into-a-cybersecurity-crisis/How AI automation in cybersecurity is eliminating entry-level roles and creating a dangerous skills gap, and why we must act now to prevent a workforce crisis.Thu, 14 Aug 2025 00:00:00 GMTcybersecurityworkforce-developmentai-automationtalent-pipelinesecurity-leadershipapprenticeshipsincident-responsesoc-operationshttps://loravaughn.com/blog/the-unexpected-joy-of-unemployment-and-building-geeky-little-things/https://loravaughn.com/blog/the-unexpected-joy-of-unemployment-and-building-geeky-little-things/Rediscovering my inner builder, and giving my weather-obsessed husband the gift of livestreamed skies.Fri, 01 Aug 2025 00:00:00 GMTcareer-transitiontech-projectslivestreamingsmart-homeai-toolspersonal-blogcybersecuritybuilder-mindsethttps://loravaughn.com/blog/basically-a-tribute-to-dr-lewis-i-patterson/https://loravaughn.com/blog/basically-a-tribute-to-dr-lewis-i-patterson/Honoring the beloved Birmingham-Southern College professor whose high standards, dry wit, and quiet encouragement shaped generations of computer science students.Mon, 28 Jul 2025 00:00:00 GMTdr-lewis-pattersonbirmingham-southern-collegealabama-tech-communitytech-mentorshipprofessor-tributebsc-computer-sciencein-memoriamlife-lessons-in-techbasically