top of page
Search
May 9, 20202 min read
Think Twice Before Switching Off Controls : Chesterton's Fence
Chesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is...
2,554 views
May 3, 20205 min read
Cyber Risk Quantification
Risk quantification, in any field, is not an end in itself. It exists to compel some action. That action might be to drive decisions or...
5,586 views
Apr 26, 20205 min read
Are You Managing Your Risk Register Effectively?
Not all risks are possible to fully mitigate in every context, so you need to record and manage those residual risks. These are often put...
3,735 views
Apr 19, 20204 min read
Intelligence Failures - “The Distortion of Retrospect”
The codebreaking and overall intelligence success of Bletchley Park in World War II is legendary. Ultra, along with broader Allied...
661 views
Apr 5, 20203 min read
Prioritizing Security Improvements - A Deceptively Simple Way
In most organizations you are constantly upgrading your security controls. This is for many reasons, including: New threats induce higher...
2,438 views
Mar 22, 20202 min read
Selling into a Crisis (Rights and Wrongs)
It can be irritating to receive e-mails from vendors during a time of crisis, like now, with the spin that their products can help. It is...
8,454 views
Mar 1, 20203 min read
Cybersecurity Macro Themes for the 2020's
In this coming decade there will be 5 major themes that differentiate great security programs, products, features and processes. These...
2,071 views
Feb 2, 20205 min read
Dealing with the Deluge of Vendors
Everyone is deluged with approaches from product and service vendors, small and large. Even vendors struggle to keep track of who their...
1,549 views
Jan 23, 20202 min read
The Leading Indicators of a Great Info/Cybersecurity Program
It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you...
1,940 views
Jan 1, 20203 min read
Predictions and Calls to Action
It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of...
133 views
Dec 1, 20193 min read
Insider Threat Risk - Blast Radius Perspective
The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and...
301 views
Nov 24, 20192 min read
Alternative Risk Management Strategies.
Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and...
1,391 views
Nov 10, 20191 min read
Shrines of Failure
I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts...
668 views
Oct 26, 20191 min read
Career Longevity & "The Don't Fire Me Chart"
To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this...
4,132 views
Oct 5, 20192 min read
The Stress and Joy of Security Jobs
A few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out...
1,538 views
Sep 29, 20193 min read
Cybersecurity is not the only Technology Risk
Cybersecurity is not the only technology risk, in fact, when you total up actual losses it is likely not even the biggest risk. Although...
512 views
Sep 15, 20193 min read
Security Program Tactics
When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects -...
536 views
Sep 1, 20192 min read
Vulnerability Management
I don’t see much written on vulnerability management in more holistic terms vs. patch/bug fixing. This might be ok given a lot of...
224 views
Aug 17, 20192 min read
Cybersecurity as a First Class Business Risk
I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that...
390 views
Jul 21, 20192 min read
Fundamental Drivers of Information Security Risk
As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of...
419 views
bottom of page