Security Implications of DORA AI Capabilities Model
The DORA AI Capabilities Model (DevOps Research and Assessment, not the EU Digital Operational Resilience Act) report is well worth a read not just to get a perspective from the developer community but to look at the many security implications it uncovers. This post is a summary of the explicit findings and some of the broader implications from reading between the lines of the report. 1. Data Protection and Access Control A primary security concern is ensuring AI tools respect e
25 minutes ago · 4 min read
The CISO's Craft: Watchmaker or Gardener?
Some time ago I saw a comment about the distinction between acting like a “watchmaker” or a “gardener” when undertaking organization transformations. I misplaced the original reference so, unfortunately, I can’t credit appropriately. But, I’ve been thinking a lot about what this would mean in the context of security leadership. Specifically, should the CISO be a watchmaker or a gardener, or both? The Watchmaker CISO: Precision and Control Imagine a master watchmaker, meticulo
Jan 24 · 3 min read
2025 Year in Review - Top 10
The most read posts in 2025 coalesced around the concept that successful cybersecurity is fundamentally a function of business leadership, strategic design, and sustainable execution . The unifying themes across the top posts emphasize shifting security from an artisanal, reactive craft to an industrial-scale, proactive capability focused on building scalable, self-reinforcing systems (flywheels). Transformation requires leaders to manage stakeholder expectations carefully, p
Jan 10 · 4 min read
Security Leadership Master Class 7 : Contrarian takes
This is the final of the series grouping together sets of prior posts into a particular theme. Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master C
Dec 27, 2025 · 4 min read
Security Leadership Master Class 6 : When disaster strikes
This is part 6 of a 7 part series grouping together sets of prior posts into a particular theme. Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master
Dec 13, 2025 · 5 min read
Security Leadership Master Class 5 : Getting hired and doing hiring
This is part 5 of a 7 part series grouping together sets of prior posts into a particular theme. Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master
Nov 29, 2025 · 5 min read
Security Leadership Master Class 4 : Enhancing a Security Program
This is part 4 of a 7 part series grouping together sets of prior posts into a particular theme. Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master
Nov 15, 2025 · 6 min read
Security Leadership Master Class 3 : Building a security program
This is part 3 of a 7 part series grouping together sets of prior posts into a particular theme. Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing or refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Mas
Nov 1, 2025 · 6 min read
Security Leadership Master Class 2 : Dealing with the board and other executives
This is part 2 of this 7 part series grouping together a set of prior posts into a particular theme. Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing or refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadershi
Oct 18, 2025 · 4 min read
Security Leadership Master Class 1 : Leveling up your leadership
This is the first of a 7 part series where I’ll group together a set of prior posts into a particular theme that will make it all the...
Oct 4, 2025 · 4 min read
Good CISO / Bad CISO
In a first for this blog here is a post I worked on with Mike Aiello , a former colleague from Goldman Sachs and Google and someone, like...
Sep 20, 2025 · 5 min read
Metaphors Matter: Cyber War vs. Cyber Hygiene
Cybersecurity is a field built on metaphor. We wage "cyber wars," build "digital fortresses," and practice "cyber hygiene." These phrases...
Sep 6, 2025 · 4 min read