<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Frameworks on CybersecurityOS</title><link>http://www.cybersecurityos.net/categories/frameworks/</link><description>Recent content in Frameworks on CybersecurityOS</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 08 Jul 2026 17:19:19 -0500</lastBuildDate><atom:link href="http://www.cybersecurityos.net/categories/frameworks/index.xml" rel="self" type="application/rss+xml"/><item><title>Security KPIs That Actually Matter: What to Report to the Board</title><link>http://www.cybersecurityos.net/posts/os-weekly/security-kpis-board-reporting/</link><pubDate>Wed, 03 Jun 2026 00:00:00 +0000</pubDate><guid>http://www.cybersecurityos.net/posts/os-weekly/security-kpis-board-reporting/</guid><description>&lt;p&gt;Most CISOs walk into board meetings and report something like this:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;&amp;ldquo;We patched 1,247 vulnerabilities this quarter. Our SIEM generated 43,000 alerts. Security training completion is at 98%.&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The board nods. The CFO checks their phone. The meeting moves on.&lt;/p&gt;
&lt;p&gt;And no one in that room — including the CISO — is any clearer on whether the company faces material risk.&lt;/p&gt;
&lt;p&gt;This is the core problem with &lt;strong&gt;security board reporting&lt;/strong&gt;: the metrics security teams naturally track are operational metrics. Boards don&amp;rsquo;t need operational visibility. They need risk governance visibility. Those are completely different things — and confusing the two is one of the most common and costly mistakes in security leadership.&lt;/p&gt;</description></item><item><title>Good CISO vs. Bad CISO: The Hidden Mindsets That Make or Break Security Leadership</title><link>http://www.cybersecurityos.net/posts/os-weekly/bad-good-ciso-2025/</link><pubDate>Sun, 28 Sep 2025 00:00:00 +0000</pubDate><guid>http://www.cybersecurityos.net/posts/os-weekly/bad-good-ciso-2025/</guid><description>&lt;p&gt;Inspired by &lt;a href="https://www.philvenables.com/post/good-ciso---bad-ciso"&gt;Phil Venables’ &lt;em&gt;Good CISO / Bad CISO&lt;/em&gt; framework&lt;/a&gt;, this piece explores the mental models that distinguish effective security leaders from those trapped in reactive cycles.&lt;/p&gt;
&lt;p&gt;I’ve spent the past decade working across cloud, application, and enterprise security. I currently serve as an Information Security Lead and Deputy CISO.&lt;/p&gt;
&lt;p&gt;My work centers on &lt;strong&gt;advising executives on risk, resilience, and security strategy&lt;/strong&gt; while ensuring that security aligns with broader business priorities.&lt;/p&gt;</description></item><item><title>Cyber Threats Reimagined: Strategic Frameworks for Defeating Evolving Attacks</title><link>http://www.cybersecurityos.net/posts/os-weekly/cyber-threats-reimagined-2025/</link><pubDate>Sun, 17 Aug 2025 00:00:00 +0000</pubDate><guid>http://www.cybersecurityos.net/posts/os-weekly/cyber-threats-reimagined-2025/</guid><description>&lt;p&gt;The cyber battlefield is being redrawn.&lt;/p&gt;
&lt;p&gt;Phishing is no longer just a stray email—it’s a multi-layered operation targeting financial systems. APT groups are blurring lines across regions and industries. Even hardware and infrastructure once assumed safe are now entry points for attackers.&lt;/p&gt;
&lt;p&gt;This isn’t fear-mongering. It’s reality. And in 2025, &lt;strong&gt;reactive defenses won’t cut it&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;To stay ahead, cybersecurity leaders, aspiring analysts, and startups alike must adopt new frameworks—mental models that turn complexity into clarity and pressure into strategy.&lt;/p&gt;</description></item><item><title>Building Blocks of a Security Program: Aligning with NIST Framework &amp; SOC 2 Controls</title><link>http://www.cybersecurityos.net/posts/secops/security-program-framework/</link><pubDate>Wed, 13 Nov 2024 10:58:08 -0400</pubDate><guid>http://www.cybersecurityos.net/posts/secops/security-program-framework/</guid><description>&lt;p&gt;Creating a resilient security program that meets industry standards is crucial for today’s organizations, especially with the rising expectations around data security and regulatory compliance.&lt;/p&gt;
&lt;p&gt;For CISOs, Security Managers, GRC Specialists, and technology professionals, aligning with established frameworks such as the NIST Cybersecurity Framework (CSF) and SOC 2 controls provides a solid foundation for protecting sensitive data and ensuring trust with clients and stakeholders.&lt;/p&gt;
&lt;p&gt;This blog will outline how to build a security program that effectively aligns with both NIST and SOC 2, leveraging the strengths of each.&lt;/p&gt;</description></item></channel></rss>