RISK & CYBERSECURITY

Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...

In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...

Force 6 : People, organizations and AI respond to incentives and inherent biases but not always the ones we think are rational. //...

Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...

Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...

Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...

Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...

Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...

I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...

There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...

It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...

Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...

I typically don’t do book reviews, but this book was impressive and it resonated with many information security and risk management...

How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...

In this, fourth and final post in the series of Crucial Questions I’m going to focus on those from governments and regulators. This...

In this, third in a series of Crucial Questions posts I’m going to focus on the questions from CISOs and security teams. This builds on...

Over the past few years I have done a lot of speaking at conferences, events and small group settings for Board directors and corporate...

I’ve been doing this blog for around 3 years, largely succeeding in posting every 2 weeks. I have learnt a lot in this process and I...

This can be an emotive topic for many people. It is one, I’ve found, colored more by dogma than nuance (as it seems with many things...

Do analogies actually help us or do they set back our ability to drive change? On the face of it they are a useful explanatory tool, as...