top of page
Search
Dec 3, 20228 min read
The Uncanny Valley of Security - Updated
Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...
5,237 views
Nov 5, 20224 min read
How to Tell if You Really are an InfoSec Professional
Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...
9,510 views
Oct 22, 202210 min read
Grand Challenges or Grind Challenges
How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...
1,912 views
Oct 8, 20227 min read
Field Guide to the Various Communities of Security
Which part of the security community are you in? Often, when one part of the security community talks about the overall community they...
3,126 views
Sep 24, 20226 min read
Essential Attributes of Security Leadership
Since I first wrote this back in 2021 (titled "CISO: Archeologist, Historian or Explorer?") it seems ever more true that complex and...
3,333 views
Sep 10, 202213 min read
Crucial Questions from Governments and Regulators
In this, fourth and final post in the series of Crucial Questions I’m going to focus on those from governments and regulators. This...
1,838 views
Aug 27, 202223 min read
Crucial Questions from CISOs and Security Teams
In this, third in a series of Crucial Questions posts I’m going to focus on the questions from CISOs and security teams. This builds on...
6,622 views
Aug 13, 202213 min read
Crucial Questions from CIOs and CTOs
In the last post I covered the crucial questions from Boards and executives. Here I will cover the questions I’m asked by CIOs, CTOs and...
5,045 views
Jul 16, 20223 min read
3 Year Review
I’ve been doing this blog for around 3 years, largely succeeding in posting every 2 weeks. I have learnt a lot in this process and I...
3,259 views
Jul 2, 20225 min read
The Reporting Line of Security Teams / CISOs - Updated
This can be an emotive topic for many people. It is one, I’ve found, colored more by dogma than nuance (as it seems with many things...
5,908 views
Jun 18, 20226 min read
Are Security Analogies Counterproductive?
Do analogies actually help us or do they set back our ability to drive change? On the face of it they are a useful explanatory tool, as...
2,306 views
May 21, 20227 min read
Defense in Depth
Defense in depth is a well accepted security principle. Intuitively, it stipulates there should be multiple lines of controls so as to...
5,663 views
Apr 21, 20223 min read
The Stress and Joy of Security Jobs - Updated
There’s a lot going on in the world from conflict, crime, economic and many other pressures. Many of these matters have security...
3,252 views
Apr 9, 20229 min read
10 Fundamental (but really hard) Security Metrics
As an industry we have been trying to deal with the issue of security metrics for a long time. I’ve written about this here, and in the...
17,272 views
Mar 12, 20229 min read
Human Error
Human error is not an explanation, rather it is something to be explained. In analyzing and learning from incidents, not just security...
2,587 views
Feb 26, 20224 min read
Controls - Updated
I wrote the first version of this post nearly 3 years ago. It is interesting that since then much of it remains true. Oddly, it also...
4,263 views
Jan 29, 202216 min read
Secrets of Successful Security Programs - Part 2
As introduced in the last post, a successful security program is made up of two distinct elements: A series of episodic big bets that...
6,282 views
Jan 15, 202211 min read
Secrets of Successful Security Programs - Part 1
A successful security program (although I imagine this advice could apply to any discipline) is made up of two distinct elements: A...
10,844 views
Dec 4, 20218 min read
How is the Security Profession Doing?
I spoke on a CIISEC panel a few months ago about the state of the information security profession. This post is based on remarks I made...
2,687 views
Nov 20, 20214 min read
Security Program Tactics - Updated
When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects in...
2,417 views
bottom of page