// #governance
7 articles
Enterprise Java Middleware Security Governance: Bringing WebLogic and JBoss into the Vulnerability Management Programme
Oracle WebLogic, Red Hat JBoss/WildFly, and IBM WebSphere are foundational enterprise application infrastructure that frequently falls outside the scope of corporate vulnerability management programmes. CVE-2024-21182's CISA KEV addition — 18 months after the patch — reflects what happens when middleware is governed outside the security programme.
Netlogon CVE-2026-41089: Enterprise Risk Management Framework for Active Directory Compromise Scenarios
A CVSS 9.8 vulnerability with active exploitation and a public PoC against domain controllers requires risk management decisions at the business level, not just patching at the technical level. This guide covers the risk assessment, escalation triggers, and business continuity considerations that security leadership should present to boards and executives.
Developer Workstations as Supply-Chain Risk: Governance Framework for Engineering Environments
TeamPCP's simultaneous three-vector attack on developer tooling reveals a governance gap that exists in most organisations: developer workstations accumulate privileged access over time but operate outside the security governance processes that manage server infrastructure. A developer machine with production credentials is server-equivalent infrastructure.
After Pwn2Own Berlin 2026: A Risk Manager's Assessment of 47 Zero-Days in Enterprise Infrastructure
Pwn2Own Berlin 2026 produced 47 unique zero-day vulnerabilities across Windows 11, VMware ESXi, Exchange Server, SharePoint, Oracle VirtualBox, Red Hat Enterprise Linux, and five AI products. For enterprise risk managers and CISOs, the results require a structured response that goes beyond individual CVE patches and addresses the systemic implications.
NIS2 Moves From Grace Period to Enforcement — Germany's BSI Registration Deadline Is Now
Eighteen months after the NIS2 transposition deadline, EU member states are moving from legislative implementation to active supervisory enforcement. Germany's BSI has set April 2026 as the registration deadline for essential and important entities under the national NIS2 implementation (NIS2UmsuCG). Organisations still treating NIS2 as a future requirement face immediate regulatory exposure as national competent authorities begin audit and penalty activity.
CIRCIA Final Rule Expected May 2026: What Critical Infrastructure Operators Must Do Now
CISA is expected to publish the long-awaited CIRCIA final rule in May 2026, mandating 72-hour cyber incident reporting and 24-hour ransomware payment reporting for critical infrastructure sectors. With weeks remaining, organisations that have not started preparing face significant compliance and legal exposure when the rule takes effect.
March 2026 Patch Cycle: The Governance and Risk Metrics That CISOs Should Be Reporting
March 2026 has been an unusually demanding patch cycle — 83 Microsoft CVEs, three new CISA KEV additions across F5, Citrix, and Active Directory, and concurrent exploitable vulnerabilities across Linux, PAN-OS, and Dell hardware. CISOs face board-level questions about patching velocity and exposure windows. This analysis provides the governance framework and risk metrics to answer those questions accurately.
Commentary tagged #governance
The CISO Role Is Structurally Broken — and Fixing It Requires Honesty About Why
The average CISO tenure is 18 to 26 months. We treat this as a talent pipeline problem. It isn't. It's a governance problem that the industry has been unwilling to name clearly for fifteen years.
CipherWatch Editorial
Security Intelligence Platform
Vendor Security Ratings Are a Confidence Trick — And We Keep Buying Them
The third-party security ratings industry has built a billion-dollar business on a simple premise: that an outside-in scan of your suppliers' infrastructure tells you something meaningful about their security posture. It doesn't. And the gap between what these tools imply and what they deliver is creating a false sense of supply chain security in boardrooms everywhere.
CipherWatch Editorial
Security Intelligence Platform