Structure is a strategy.

Issue #79, June 2026

Good morning! 

 

Much of what keeps an organization secure isn't technically complicated — it just requires that people “show up” on a regular basis.


The problem is that absent structure, “regular” turns into “occasional,” turns into “never.” At that point, many cybersecurity programs quietly fall apart. There’s a better way.

 

In today’s newsletter, I explain how a well-designed meeting cadence — the right people, at the right frequency — can turn good intentions into something that actually happens.

 

I appreciate and look forward to your comments! Please reply to this email to share them with me.


    Rob Black, CISSP
    CEO & Founder
    Fractional CISO


    Just Show Up


    Another day, another piece of snail mail junk.

     

    But wait a minute… why am I getting mail from the town of Marlborough, Connecticut? I’ve never even been there.

     

    Ah, but it seems I know someone who has.

     

    Because inside the letter was a fuzzy picture of my car — the one my wife drives and that is registered in my name.

     

    And not just a picture. There was also a $65 speeding ticket for going 44 in a 30 MPH zone.

     

    “Rachel, were you in Marlborough, Connecticut two Saturdays ago?”

     

    “No. Oh, wait. I had lunch with my parents.”

     

    “Um, were you going 44 in a 30 MPH zone?”

     

    “Of course not. Well, maybe.”

     

    “They had an automated traffic cam. It looks like they got you.”

     

    True or not, I wasn’t happy. Why are they sending ME a ticket when I wasn’t driving?

     

    So I appealed (twice) until they gave me an online hearing date and an opportunity to make my case.

     

    A couple of weeks later, I jumped on the Microsoft Teams meeting as instructed.

     

    One minute, two minutes… seven minutes past the scheduled start time and still nobody joining me. So I logged into the “other” standing meeting they have for tickets. (Why do they have two?)

     

    Still nothing.

     

    Finally, after a couple of bounced emails came back, I consulted my favorite LLM and asked what to do. It gave me some additional contacts.

     

    I sent more emails, and eventually (20 minutes?), I got a call from someone at the town of Marlborough:

     

    “Good news, we are having some IT problems with the meeting. Case dismissed.”

     

    And that is the power of just showing up.

     

    (Granted, it kind of made me wish I had been accused of a more serious crime, but that’s fine, I’ll take it!)

     

    Showing Up is Half the Battle

     

    As with speeding ticket appeals, when running a cybersecurity program, there is a lot to be gained by showing up.

     

    Yes, being an expert helps. And of course, there are some tough calls that require more knowledge, data, time, and money than showing up alone can solve.

     

    But there are a whole bunch of things — important, cybersecurity things — that require little more than your ongoing attention. Things like…

    • Consistent software updates
    • Access removal for former employees
    • Multi-factor authentication across the board
    • Ensuring former vendors delete your data
    • Regular cybersecurity training

     

    None of these things are technically complex. Almost anyone in your organization can ensure they happen — provided they show up.

     

    Regular Meetings Provide a Framework

     

    Setting up a standard “meeting structure” within your organization is a proven way to keep things on track.

     

    But not all meetings serve the same purpose, which means not everyone involved in your cybersecurity programs needs to be at every meeting. Here’s an easy way to think about it…

     

    Weekly Meetings

     

    These help build momentum for new initiatives. They also keep the topic top of mind and create short timelines for task completion.

     

    In addition to a tech person, and because so much of cybersecurity is program-related (training, policies, audits, etc.), you’ll want some type of program or project manager; someone who knows how to run things.

     

    But be careful about adding people for the sake of numbers. Too much overlap and people start assuming “someone else” is taking care of things.

     

    Monthly Meetings

     

    Cybersecurity touches all aspects of the organization. So while weekly meetings are not necessary for everyone, monthly meetings are a way of ensuring your cybersecurity program remains on track.

     

    Here is where you might include an HR representative (e.g., to ensure access has been removed for off-boarded employees), or the head of your development team (e.g., to check in on your Secure Software Development Lifecycle [S-SDLC] progress).

     

    Remember, just because you set up a cybersecurity program or procedure in the past, it doesn’t mean it is still happening. If you never check in with those involved, you’ll never know.

     

    Quarterly Meetings

     

    Once a quarter, you’ll want to share a well-polished presentation with your Executive Team — something that includes relevant data, a tightly-tuned message, and clearly laid out requests (share requests beforehand, so there are no surprises).

     

    Executive support does not come with a “forever” stamp. So while you may only have this group’s attention for 30-45 minutes each quarter, you want them to continue believing your work is a worthwhile investment of company time and resources.

    Don’t Forget the Agenda

     

    As it happens, there are people who do not think cybersecurity is the most important thing on Earth (I know, I can’t believe it either). So there is always a risk that some individuals won’t take things seriously or even avoid meetings entirely.

     

    A detailed agenda, distributed prior to the meeting with names, tasks, and deadlines, will demonstrate that this is a real thing worthy of their attention. Show them you are not going to waste their time with something they are already not excited about.

     

    The Meeting is the Message

     

    There is a version of cybersecurity that involves firefighting, emergency patches, and 2 a.m. incident calls. Nobody wants that.

     

    Fortunately, the alternative isn’t some impossibly sophisticated program. Instead, it’s a structure that makes “showing up” easy and consistent — for you, your team, and the executives whose ongoing support you need.

     

    Fuzzy photos optional.


    Pro Tip: Treat Your AI Tools Like Any Other Shadow IT

    By Meghana Mummidi

    In 2014, the security conversation was about employees uploading files to personal Dropbox accounts. Today, the same problem has a new face: AI tools.

     

    Developers paste code into ChatGPT to debug it. Salespeople drop client data into an AI email assistant. HR feeds offer letters and salary info into a summarizer. Most of the time, nobody asked IT — it just happened — because the tools are fast, free, and genuinely useful.

     

    The problem is that many of these tools use your inputs to train future models by default, or at a minimum, log and store them on third-party servers. That means proprietary code, customer PII, and confidential business data can quietly leave your organization with zero visibility.

     

    Here's a practical starting point:

     

    Survey your team informally and ask what AI tools they're actually using. You'll likely get a longer list than expected. From there, identify which ones have enterprise or privacy-preserving tiers (most major tools do), and create a short, approved list with guidance on what data is and isn't okay to share.

     

    There, that’s the first third of your Acceptable Use of AI Policy!


    Team Update: Fractional CISO’s Trade Show Spring

    This spring, Fractional CISO has been on the road! We’ve started attending trade shows.

    Austin for SaaStock. Miami for The Business Show. Plus two shows here in Boston: Techspo and the Small Business Expo.

     

    Trade shows are a new strategy for us. We’re learning a lot and I’m very impressed with the team. They did not have a lot of experience with in-person events like this and have risen to the occasion. We’ve had a lot of great conversations and meetings coming out of them.

     

    Check us out at our booth! Everyone tells us they love how it looks. (I do too!) 


    Latest Rob & Rob Video: Junior Vibe Coding, What Could Go Wrong?

    Software development is one of AI’s killer applications. 

     

    For experienced developers, the speed and efficiency gains are real.

    It also enables people with less (even zero) experience to write functional code.

    But is it good? Maybe. Is it well-documented? Almost definitely not!

    That’s what we took a look at in the latest Rob & Rob video! 

    https://www.linkedin.com/posts/blackrob_suddenly-generating-code-is-not-hard-generating-ugcPost-7454572684962840577-xoMj/

    If you’re using AI in your software development workflows, make sure you aren’t skipping the documentation process. You want to understand and explain how your code works to other stakeholders.



    About Us


    Rob Black, CISSP, is the Founder and CEO of Fractional CISO, a Boston area company that specializes in reducing cybersecurity risk for mid-size companies. Learn more about our services, here.


      Copyright © 2026. All rights reserved.

      Fractional CISO, 275 Grove Street, Suite 2-400, Newton, MA 02466, (617) 297-9509
