Bug Bounty Programs
There are still plenty of organizations that don’t have a well defined and accessible bug bounty program. More surprisingly, there are...
top of page
Search
Nov 4, 20237 min read
Caricatures of Security People
The great thing about the security industry is it’s made up of a variety of roles and people from many backgrounds, disciplines, skill...
19,574 views
Sep 23, 20237 min read
Is Complexity the Enemy of Security?
Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...
2,339 views
Sep 9, 202314 min read
Leverage Points - A Cybersecurity Perspective
Security is an emergent property of the complex systems we inhabit. In other words, security isn’t a thing that you do, rather it's a...
2,867 views
Aug 26, 20236 min read
Security Budgets - Supply and Demand
Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long...
4,202 views
Aug 12, 20234 min read
Building Balanced Security Teams - Updated
As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to...
2,930 views
Jun 3, 20238 min read
Delivering Security at Scale: From Artisanal to Industrial
Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its...
6,957 views
May 20, 202310 min read
You Only Get 3 Metrics - Which Ones Would You Pick?
Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...
8,888 views
May 7, 202313 min read
The Illusion of Choice : A Review
In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...
3,641 views
Apr 7, 20238 min read
Handling Complexity
Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...
2,501 views
Mar 25, 20237 min read
Fighting Security Entropy
Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...
2,407 views
Mar 12, 20239 min read
Attack Surface Management
Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...
3,406 views
Feb 25, 20238 min read
Software Security is More than Vulnerabilities
Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...
2,095 views
Feb 11, 20238 min read
Data Security and Data Governance
Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...
1,938 views
Jan 28, 20232 min read
The 6 Fundamental Forces of Information Security Risk
I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...
4,595 views
Jan 14, 202312 min read
Ceremonial Security and Cargo Cults
There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...
18,633 views
Dec 31, 20227 min read
Simple Ways to Communicate Successes
It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...
5,579 views
Dec 17, 20223 min read
Dangerous Embedded Assumptions
There is a notion I keep coming back to thanks to this article from a few years ago. The essence is that there are things that have...
1,592 views
Dec 3, 20228 min read
The Uncanny Valley of Security - Updated
Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...
5,206 views
Nov 5, 20224 min read
How to Tell if You Really are an InfoSec Professional
Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...
9,501 views
bottom of page