RISK & CYBERSECURITY

Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...

I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...

There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...

It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...

There is a notion I keep coming back to thanks to this article from a few years ago. The essence is that there are things that have...

Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...

Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...

How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...

Which part of the security community are you in? Often, when one part of the security community talks about the overall community they...

Since I first wrote this back in 2021 (titled "CISO: Archeologist, Historian or Explorer?") it seems ever more true that complex and...

In this, fourth and final post in the series of Crucial Questions I’m going to focus on those from governments and regulators. This...

In this, third in a series of Crucial Questions posts I’m going to focus on the questions from CISOs and security teams. This builds on...

In the last post I covered the crucial questions from Boards and executives. Here I will cover the questions I’m asked by CIOs, CTOs and...

I’ve been doing this blog for around 3 years, largely succeeding in posting every 2 weeks. I have learnt a lot in this process and I...

This can be an emotive topic for many people. It is one, I’ve found, colored more by dogma than nuance (as it seems with many things...

Do analogies actually help us or do they set back our ability to drive change? On the face of it they are a useful explanatory tool, as...

Defense in depth is a well accepted security principle. Intuitively, it stipulates there should be multiple lines of controls so as to...

There’s a lot going on in the world from conflict, crime, economic and many other pressures. Many of these matters have security...

As an industry we have been trying to deal with the issue of security metrics for a long time. I’ve written about this here, and in the...

Human error is not an explanation, rather it is something to be explained. In analyzing and learning from incidents, not just security...