top of page
Search
Apr 7, 20238 min read
Handling Complexity
Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...
2,507 views
Mar 25, 20237 min read
Fighting Security Entropy
Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...
2,409 views
Mar 12, 20239 min read
Attack Surface Management
Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...
3,417 views
Feb 25, 20238 min read
Software Security is More than Vulnerabilities
Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...
2,105 views
Feb 11, 20238 min read
Data Security and Data Governance
Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...
1,941 views
Jan 28, 20232 min read
The 6 Fundamental Forces of Information Security Risk
I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...
4,614 views
Jan 14, 202312 min read
Ceremonial Security and Cargo Cults
There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...
18,668 views
Dec 31, 20227 min read
Simple Ways to Communicate Successes
It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...
5,589 views
Dec 3, 20228 min read
The Uncanny Valley of Security - Updated
Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...
5,225 views
Nov 19, 202213 min read
A New Way to Think : Review
I typically don’t do book reviews, but this book was impressive and it resonated with many information security and risk management...
2,692 views
Oct 22, 202210 min read
Grand Challenges or Grind Challenges
How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...
1,910 views
Sep 10, 202213 min read
Crucial Questions from Governments and Regulators
In this, fourth and final post in the series of Crucial Questions I’m going to focus on those from governments and regulators. This...
1,837 views
Aug 27, 202223 min read
Crucial Questions from CISOs and Security Teams
In this, third in a series of Crucial Questions posts I’m going to focus on the questions from CISOs and security teams. This builds on...
6,614 views
Jul 31, 202211 min read
Crucial Questions from CEOs and Boards
Over the past few years I have done a lot of speaking at conferences, events and small group settings for Board directors and corporate...
6,115 views
Jul 16, 20223 min read
3 Year Review
I’ve been doing this blog for around 3 years, largely succeeding in posting every 2 weeks. I have learnt a lot in this process and I...
3,256 views
Jul 2, 20225 min read
The Reporting Line of Security Teams / CISOs - Updated
This can be an emotive topic for many people. It is one, I’ve found, colored more by dogma than nuance (as it seems with many things...
5,895 views
Jun 18, 20226 min read
Are Security Analogies Counterproductive?
Do analogies actually help us or do they set back our ability to drive change? On the face of it they are a useful explanatory tool, as...
2,302 views
May 21, 20227 min read
Defense in Depth
Defense in depth is a well accepted security principle. Intuitively, it stipulates there should be multiple lines of controls so as to...
5,659 views
May 8, 20229 min read
Regulatory Relationships
For some reason there have been a few people already in or moving into highly regulated industries, like finance or healthcare, that have...
1,848 views
Apr 9, 20229 min read
10 Fundamental (but really hard) Security Metrics
As an industry we have been trying to deal with the issue of security metrics for a long time. I’ve written about this here, and in the...
17,227 views
bottom of page