Guides
Cybersecurity guides for operators, boards, and deal teams.
Evergreen guides on fractional CISO leadership, M&A cybersecurity due diligence, cloud and data security posture, and cyber risk quantification. Written by Nick Shevelyov from 30+ years of operator experience, including 15 years as Chief Security Officer at Silicon Valley Bank. For timely analysis and commentary, see the blog.
Template · 14 min read
Business Continuity Plan Template
A practical business continuity plan template — scope, impact analysis, recovery strategies, roles, communications, and testing.
Checklist · 16 min read
CMMC 2.0 Compliance Checklist
CMMC 2.0 checklist for defense contractors: the three levels, NIST 800-171 mapping, scoping, control domains, assessments, and POA&M rules.
Framework · 13 min read
How to Build and Defend a Cybersecurity Budget
Framework for sizing cybersecurity budgets by company stage, allocating by category, presenting to the board, and prioritizing what to cut last.
Guide · 11 min read
How to Build a Cybersecurity Roadmap
Sequencing security investments across 12-36 months — from foundations through maturity, tied to business milestones.
Guide · 11 min read
Vendor Risk Management Program Guide
How to build an ongoing vendor risk management program — tiering, onboarding, monitoring, contracts, and concentration risk for enterprises.
Guide · 12 min read
Disaster Recovery for Small Business: A Practical Plan
How to build a disaster recovery plan with no IT department — SaaS-first DR, the 3-2-1 backup rule, and RTO/RPO in plain English.
Process guide · 13 min read
How to Get SOC 2 Certified
The step-by-step path to SOC 2 attestation: scoping, readiness, remediation, auditor selection, and the observation window.
Guide · 16 min read
ISO 27001 Certification Process: Step by Step
The ISO 27001 certification path: scoping, gap analysis, risk assessment, internal audit, Stage 1 and 2 audits, and the 3-year cycle.
Guide · 14 min read
Network Penetration Testing: A Buyer's Guide
Network penetration testing explained: external vs internal scope, methodology phases, reading reports, and choosing a provider.
Guide · 13 min read
Network Security Audit: Complete Guide
Network audit scope, methodology, deliverables, how it differs from pentesting, benchmark frameworks, and when to audit.
Operations · 14 min read
Security Compliance Automation: What It Automates
What compliance automation actually does — evidence collection, control monitoring, policy distribution. When it pays off. And what it can't do.
Framework · 13 min read
SOC 2 Trust Services Criteria Explained
The five SOC 2 Trust Services Criteria broken down: what each requires, which are mandatory, and who should include them in scope.
Penetration Testing · 13 min read
Web Application Penetration Testing Guide
What web app penetration testing covers: OWASP methodology, business logic flaws, API testing, scoping, and reading reports.
Guide · 12 min read
Automated Penetration Testing Guide
How automated penetration testing works, where it fits vs manual testing and vulnerability scanning, tool categories, and the hybrid model.
Guide · 14 min read
Cloud Security Compliance Guide
How to achieve and maintain cloud security compliance across AWS, Azure, and GCP using SOC 2, ISO 27001, FedRAMP, HIPAA, and PCI DSS frameworks.
Guide · 14 min read
Data Breach Prevention: A Practical Guide
How to prevent data breaches: root causes, technical controls, access management, monitoring, employee training, and incident readiness.
Guide · 14 min read
Information Security Risk Management
A practical ISRM guide covering the risk lifecycle, frameworks (ISO 27005, NIST RMF, FAIR), risk registers, and metrics for board reporting.
Guide · 16 min read
Security Operations Center (SOC) Guide
What a security operations center is, SOC models, team roles, core technology, processes, cost of building vs buying, maturity models, and key metrics.
Comparison · 12 min read
Vulnerability Assessment vs Penetration Testing
Vulnerability assessment vs penetration testing: definitions, differences, when you need each, the VAPT approach, and choosing a provider.
Guide · 12 min read
Application Security Best Practices
What application security covers, secure SDLC integration, OWASP Top 10, SAST/DAST, dependency scanning, API security, and AppSec program maturity.
Guide · 12 min read
Attack Surface Management Guide
What attack surface management is, the ASM lifecycle, internal vs external attack surface, ASM vs vulnerability management, and how to build an ASM program.
Guide · 12 min read
Business Continuity and Disaster Recovery
How business continuity and disaster recovery work together, what BCDR planning involves, RPO and RTO explained, cloud DR, and common BCDR failures.
Guide · 13 min read
Business Continuity Strategies
How to build and test business continuity strategies that keep operations running through disruptions, from BCP frameworks to recovery metrics.
Guide · 13 min read
Cloud Security Architecture Guide
What cloud security architecture is, the shared responsibility model, architecture pillars, multi-cloud considerations, and common architecture mistakes.
Guide · 16 min read
Cost of Cybersecurity for Businesses
What cybersecurity actually costs, from staffing and tools to compliance and breach expenses, with benchmarks by company size.
Checklist · 15 min read
Cyber Insurance Coverage Checklist
What to look for in a cyber insurance policy, coverage types, common exclusions, and how your security posture affects premiums.
Guide · 13 min read
Cyber Threat Hunting
What cyber threat hunting is, how it differs from detection, the hunting loop, methodologies, tools, and how to build a threat hunting program.
Checklist · 18 min read
Cybersecurity Checklist for Businesses
A practical cybersecurity checklist covering access control, endpoints, network, data, cloud, incident response, compliance, and training.
Reference · 25 min read
Cybersecurity Glossary
Definitions of essential cybersecurity terms, acronyms, and concepts used by security teams, executives, and auditors.
Template · 13 min read
Disaster Recovery Plan Template
What a disaster recovery plan should cover, key components, RPO/RTO by system tier, testing types, and how to maintain the plan over time.
Guide · 12 min read
Insider Threat Indicators Guide
What insider threats are, behavioral and technical indicators, building an insider threat program, monitoring without eroding trust, and response.
Guide · 13 min read
Managed Cybersecurity Services
What managed cybersecurity services include, MSSP vs MDR vs SOCaaS, when to outsource, how to evaluate providers, SLAs, metrics, and cost benchmarks.
Guide · 13 min read
Supply Chain Security Guide
What supply chain security means, key threat vectors, frameworks like NIST C-SCRM and SLSA, SBOMs, and how to build a supply chain security program.
Guide · 14 min read
Cybersecurity Risk Assessment: A Guide
How to conduct a cybersecurity risk assessment -- frameworks (NIST, FAIR, ISO 27005), threat modeling, scoring methodology, and board reporting.
Guide · 14 min read
Data Protection Strategy: A Complete Guide
How to build a data protection strategy: classification, encryption, DLP, access control, cloud considerations, AI/ML workloads, and metrics.
Guide · 14 min read
Data Security Compliance: A Complete Guide
What data security compliance requires, the regulations that drive it, how to build a program, common gaps, and the controls that matter.
Guide · 14 min read
ISO 27001 Requirements: A Complete Guide
What ISO 27001 requires: mandatory clauses, Annex A controls, the 2022 updates, certification process, and how it compares to SOC 2 and NIST.
Guide · 14 min read
IT Compliance Audit: A Complete Guide
What an IT compliance audit covers, key frameworks (SOX ITGC, COBIT, SOC 1), what IT auditors evaluate, how to prepare, and cost and timeline.
Guide · 14 min read
NIST Compliance: A Complete Guide
What NIST compliance requires, how CSF 2.0 and SP 800-53 work, who needs it, steps to achieve compliance, and how NIST compares to ISO 27001 and SOC 2.
Guide · 14 min read
PCI Audit: A Complete Guide for 2026
What a PCI audit covers, PCI-DSS 4.0 changes, merchant levels 1 through 4, QSA vs SAQ, the 12 requirements, common findings, and cost and timeline.
Guide · 14 min read
Security Incident Management Guide
How to build a security incident management program: lifecycle, severity classification, roles, communication protocols, post-incident review, and metrics.
Guide · 10 min read
SOC Report: Types, Purpose, and How to Use
What a SOC report is, the differences between SOC 1, 2, and 3, Type I vs Type II, how to read a SOC 2 report, and what it costs to get one.
Guide · 14 min read
Vulnerability Management Lifecycle Guide
The vulnerability management lifecycle: six phases from asset discovery through reporting. Prioritization, remediation workflows, and metrics.
Guide · 13 min read
Cybersecurity Assessment: A Complete Guide
What a cybersecurity assessment covers, types compared, the assessment process, audit vs assessment, cadence, and how to choose a provider.
Guide · 12 min read
Cybersecurity Audit: A Complete Guide
What a cybersecurity audit covers, types of audits, the audit process, what auditors evaluate, cost, timeline, and how to prepare.
Template · 13 min read
Cybersecurity Policy Template
Cybersecurity policy template covering essential policies, template structure, writing guidance, governance cadence, and compliance framework alignment.
Guide · 13 min read
Cybersecurity Risk Management Frameworks
A guide to cybersecurity risk management framework selection, comparison (NIST CSF, ISO 27001, CIS, FAIR, COBIT), and implementation.
Guide · 14 min read
Identity and Access Management Guide
A complete guide to identity and access management: core components, IAM vs PAM vs IGA, cloud IAM, best practices, and compliance alignment.
Guide · 14 min read
Managed Detection and Response (MDR)
What managed detection and response covers, how MDR works, costs, and how to evaluate MDR providers for your security program.
Guide · 13 min read
SOC as a Service: A Complete Guide
What SOC as a service covers, how it works, costs and pricing models, and how to evaluate SOCaaS providers for your security program.
Guide · 14 min read
Zero Trust Architecture: A Complete Guide
Zero trust architecture eliminates implicit trust from network design. Principles, NIST 800-207 framework, five pillars, and implementation roadmap.
Comparison · 16 min read
Best GRC Tools 2026: Honest Vendor Comparison
10 GRC platforms compared — Vanta, Drata, OneTrust, ServiceNow, Archer, LogicGate, and more. Strengths, gaps, and who each tool actually fits.
Guide · 13 min read
Cybersecurity Gap Analysis: Complete Guide
How to run a cybersecurity gap analysis -- process, frameworks (NIST CSF, ISO 27001, CIS, SOC 2), deliverables, and the pitfalls that undermine results.
Guide · 14 min read
Information Security Policy Guide
How to write an information security policy: core components, common policy types, framework alignment with NIST, ISO 27001, and SOC 2.
Pricing Guide · 9 min read
Security Awareness Training Cost in 2026
Security awareness training costs $10–$60/user/year. What drives pricing, how vendors compare, hidden costs, and how to budget realistically.
Guide · 11 min read
Cybersecurity for Startups: A Practical Guide
A stage-by-stage cybersecurity guide for startups — essential controls, compliance pathways, budget guidance, and when to hire security leadership.
Methodology · 11 min read
Cybersecurity KPIs: Metrics That Matter
A methodology guide to cybersecurity KPIs — operational, risk, compliance, and financial metrics, selection criteria, and reporting cadences.
Guide · 12 min read
Cybersecurity Maturity Assessment Guide
How cybersecurity maturity assessments work -- models, scoring, board reporting, roadmapping, and the mistakes that undermine them.
Guide · 11 min read
How to Sell Cybersecurity Services
How to sell cybersecurity services: the consultative sales approach, buyer personas, pricing models, objection handling, and trust-based selling.
Template · 12 min read
Incident Response Plan Template
A practical incident response plan template covering the 6 NIST phases, roles, communication plans, regulatory reporting, and testing procedures.
Guide · 11 min read
Security Posture Assessment: Complete Guide
What a security posture assessment covers, how it works, and what it delivers -- frameworks, process, deliverables, and provider criteria.
Checklist · 14 min read
SOC 2 Compliance Checklist
A practical SOC 2 compliance checklist covering trust service criteria, pre-audit readiness, the audit process, common findings, and ongoing compliance.
Guide · 12 min read
Third-Party Vendor Risk Assessment Guide
How to assess third-party vendor risk — tiering, questionnaires, evidence review, risk scoring, frameworks, contract terms, and continuous monitoring.
Definition · 11 min read
What Does a CISO Do?
What a CISO does — core responsibilities, reporting structure, required skills, how the role is evolving, and when organizations need one.
Comparison · 11 min read
Best SSPM Tools 2026: Vendor Comparison
Best SSPM tools 2026 compared — AppOmni, Obsidian, Adaptive Shield, DoControl, Valence, Nudge, Wing, Theodolite. Honest vendor-by-vendor assessment.
Guide · 12 min read
Cloud Security Risk Assessment Guide
How to assess cloud security risk across AWS, Azure, and GCP — shared responsibility gaps, misconfiguration analysis, and FAIR-based risk quantification.
Checklist · 10 min read
Cyber Security Risk Assessment Checklist
A cybersecurity risk assessment checklist covering pre-assessment, execution, deliverables, and post-assessment follow-through.
Guide · 12 min read
Cybersecurity Compliance Services Guide
What cybersecurity compliance services deliver -- frameworks compared, engagement phases, provider evaluation, and deliverables checklist.
Guide · 11 min read
Cybersecurity GRC: Governance, Risk & Compliance
Cybersecurity GRC unifies governance, risk management, and compliance into one program. Frameworks compared, platforms evaluated, implementation roadmap.
Guide · 12 min read
Cybersecurity Services Provider Guide
How to evaluate and choose a cybersecurity services provider -- types, evaluation criteria, red flags, and proposal comparison from a former CSO.
Guide · 13 min read
Cybersecurity Tabletop Exercises: Guide
How to plan and run cybersecurity tabletop exercises -- scenarios, facilitator checklist, and after-action report template from a former CSO.
Guide · 12 min read
Cloud Workload Protection Platforms (CWPP)
What CWPP does, how it differs from CSPM, top vendors compared, and how to evaluate a cloud workload protection platform.
Guide · 12 min read
Cybersecurity Governance: A CISO's Guide
How to build cybersecurity governance that works — frameworks, board reporting, metrics, and practical advice from a former bank CSO.
Guide · 14 min read
Security Risk Assessment: Complete Guide
How to run a cybersecurity risk assessment -- frameworks, methodology, deliverables, and practical advice from a 15-year CISO.
Comparison · 7 min read
CSO vs CISO: What's the Difference?
CSO vs CISO explained: scope, reporting lines, and when each title fits. By a former CSO who held both roles at Silicon Valley Bank for 15 years.
Calculator · 8 min read
Annual Loss Expectancy: Formula & Calculator
ALE turns cyber risk into dollars your board can act on. The formula, three worked examples, and how to use annualized loss expectancy for budget defense.
Comparison · 18 min read
Best CSPM Tools 2026: A CSO's Vendor Breakdown
8 CSPM vendors rated by a 15-year CSO — Wiz, Prisma Cloud, CrowdStrike, Orca, Aqua, Datadog. Real gaps, pricing context, and what each actually does well.
Comparison · 11 min read
Best DSPM Tools 2026: A CSO's Vendor Breakdown
9 DSPM platforms assessed by a former bank CSO — Cyera, BigID, Varonis, Wiz, Sentra, and more. Where each excels, where each falls short.
Comparison · 11 min read
CRQ Tools 2026: 6 Platforms Compared by a CSO
Cyber risk quantification tools compared — Safe Security, Kovrr, Axio, RiskLens, FortifyData. FAIR vs Monte Carlo, and what boards actually need.
Checklist · 14 min read
Cyber Due Diligence Checklist for PE & M&A
9-category cybersecurity due diligence checklist for PE sponsors and acquirers. Key questions per area and red flags that reshape deal terms.
Investor's Guide · 9 min read
Cybersecurity Due Diligence for PE & VC
Cybersecurity due diligence for PE and VC — how investor-side diligence differs from corporate M&A, findings that change terms, and RWI underwriting.
Methodology · 9 min read
FAIR vs Monte Carlo Risk Quantification Guide
FAIR and Monte Carlo aren't competing CRQ approaches — they're complementary. How each works, where they fit together, and which combination to use.
Methodology · 9 min read
How to Measure Cybersecurity ROI: Formula & Metrics
Cybersecurity ROI measures dollar risk reduction vs cost. The formula, three worked examples, and how to defend your security budget to the CFO.
Guide · 11 min read
Risk-Based Vulnerability Management Guide
RBVM prioritizes patching by business impact, not CVSS alone. How risk-based vulnerability management works, why CVSS fails, and tool evaluation.
Guide · 12 min read
What Is Sensitive Data Discovery? A Practical Guide
Sensitive data discovery finds and classifies regulated data across cloud environments. What it covers, how the tools work, and how to evaluate them.
Role Guide · 8 min read
Virtual CISO Responsibilities: What It Covers
A virtual CISO carries the same responsibilities as a full-time CISO, part-time. What the role covers, what changes by stage, and what can't be delegated.
Definition · 9 min read
What Is Cloud Security Posture Management (CSPM)?
CSPM monitors cloud infrastructure for misconfigurations and compliance gaps. How it works, why it matters, and how it relates to DSPM and CNAPP.
Definition · 9 min read
What Is Cyber Risk Quantification (CRQ)?
Cyber risk quantification translates security findings into dollars executives can act on. How CRQ works, the methodologies, and how to evaluate tools.
Definition · 8 min read
Cybersecurity Due Diligence: The M&A Playbook
What PE sponsors and acquirers miss in cyber due diligence — and what changes deal terms. Valuation impact, SPA scope, and post-close remediation.
Definition · 9 min read
What Is Data Security Posture Management (DSPM)?
DSPM finds sensitive data across cloud environments and assesses exposure. How it works and how data security posture management differs from CSPM and DLP.
Pricing Guide · 7 min read
Fractional CISO Cost & vCISO Pricing 2026
Fractional CISO and vCISO pricing runs $8K–$25K/month. What drives pricing — hours, scope, operator seniority — and how to budget realistically.
Industry Guide · 8 min read
Fractional CISO for Fintech and SaaS
Fractional CISO for fintech and SaaS — SOC 2, GLBA, PCI, NYDFS compliance. How the role fits regulated companies and what to look for in an operator.
Buyer's Guide · 9 min read
How to Choose a Fractional CISO
How to hire a fractional CISO: five questions for every candidate, red flags to watch, contract terms that matter, and firm vs. individual evaluation.
Comparison · 6 min read
vCISO vs Fractional CISO: What's the Difference?
vCISO and fractional CISO describe the same role. Here's where the terms diverge, why it's mostly marketing, and what actually matters when choosing.
Definition · 8 min read
What Is a Fractional CISO?
A fractional CISO leads your security program part-time — strategy, board reporting, and incident response without a full-time hire. What it covers.