RISK & CYBERSECURITY

I managed to keep up the pace of 1 post every 2 weeks throughout 2024. Just when I think I might be running out of ideas, and the backlog...

Every few months some association or other learned group of professionals makes a fresh call to action for cybersecurity regulatory...

I’ve previously posted about some of the best security movies made  but I have to confess I’m not a big fan of the genre. They tend not...

If you work for a large organization, especially public or otherwise regulated companies, then you may well have faced the prospect of...

I wrote the original version of this post over 4 years ago. In revisiting this it is interesting to note that not much has actually...

Security training is often considered a bit of a waste of time. Maybe this is unfair, but unsurprising in the face of the worst forms of...

One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have less...

Several years after writing the first version of this blog I still see a repeated pattern of problematic events attributed to human...

A major success marker of great security leaders and their teams is one simple prioritization technique: the ability to know what needs...

Every major technological change is heralded with claims of significant, even apocalyptic, risks. These almost never turn out to be...

Each year, DevOps Research and Assessment (DORA) within Google Cloud publishes the excellent State of DevOps report. The 2023 report...

Ever since I first became familiar with the 80/20 principle, and other circumstances marked by Pareto distributions, I began to see...

Thankfully I managed to keep up the pace of 1 post every 2 weeks throughout 2023. Just when I think I might be running out of ideas, and...

The skills for your role and your leadership style build up throughout your career. But I’ve found, personally and in talking to others,...

Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...

Security is an emergent property of the complex systems we inhabit. In other words, security isn’t a thing that you do, rather it's a...

Resilience Engineering: Concepts and Precepts is an excellent collection of standalone essays, woven into a consistent whole on the...

There is a lot of good discussion and emerging methods to manage the risks of AI in various forms from training data protection, model...

Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...

In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...