Blog.

Useful writing on the compliance work that brings small businesses to TACSOP. Cyber insurance applications. Customer security questionnaires. State safe harbor statutes. The structure of a written security program. The blog started in May 2026 and publishes when posts are worth publishing, not on a schedule.


Latest.

  • 6 min

    What your cyber insurance application is actually asking.

    Cyber insurance applications fall into three categories of questions: technical controls (MFA, backups, patching), process controls (access reviews, training, vendor tiering), and governance controls (policies, named coordinator, incident response plan). Underwriters use these categories to estimate your risk, and a documented "yes" is worth substantially more than an undocumented one. A walk-through of what each category covers and what a credible answer looks like.

  • 7 min

    How to respond to a customer security questionnaire (SIG, CAIQ, or custom).

    Your customer sent you a SIG questionnaire, a CAIQ, or something their procurement team built themselves. The questions look intimidating but come from a standard list; the answers don't have to be invented every time. A walk-through of the common questionnaire structures, what each section is testing for, and how to build a reusable response file you populate once.

  • 9 min

    How to prepare for a security audit, regulator review, or board cybersecurity question.

    The form of the scrutiny varies (a customer security audit, an FTC Safeguards Rule review, an ABA professional responsibility review, a board member's first cybersecurity question), but the underlying question is the same: what can you produce? A walk-through of what each type of reviewer is actually looking for, what counts as a credible answer, and how to be ready before the request arrives rather than scrambling after.


Follow the blog.

The blog has an RSS feed for readers who want new posts in their feed reader of choice.

What this blog isn't.

Not a daily news feed. We don't publish reactions to vulnerabilities, breaches, or threat-of-the-week posts. Other publications cover that work; we don't.

Not a listicle factory. No "7 ways to..." or "5 reasons why..." headlines. Posts have to earn their place by being genuinely useful on a specific topic.

Not a TACSOP advertisement. Each post is useful regardless of whether you buy TACSOP. We mention the kit at the end of each post as a footnote, not as the post's reason for existing.

Where to go from here.