RISK & CYBERSECURITY

The most read posts in 2025 coalesced around the concept that successful cybersecurity is fundamentally a function of business leadership, strategic design, and sustainable execution . The unifying themes across the top posts emphasize shifting security from an artisanal, reactive craft to an industrial-scale, proactive capability focused on building scalable, self-reinforcing systems (flywheels). Transformation requires leaders to manage stakeholder expectations carefully, p

This is the final of the series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master C

This is part 6 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master

This is part 5 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master

This is part 4 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master

This is part 3 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing or refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Mas

This is part 2 of this 7 part series grouping together a set of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing or refreshing a security program  Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadershi

This is the first of a 7 part series where I’ll group together a set of prior posts into a particular theme that will make it all the...

In a first for this blog here is a post I worked on with Mike Aiello , a former colleague from Goldman Sachs and Google and someone, like...

Apparently what Mike Tyson actually said in a 1987 interview was, " Everybody has plans until they get hit for the first time". In any...

One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over...

There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too...

I first wrote this post back in 2021 so I thought it’s time for a revisit with an addition of a few more roles.  We talk about attackers...

For many years I’ve observed the same pattern of failure in projects, programs, issue mitigation and indeed anything that requires more...

Many security leaders, at all levels, correctly focus on having a good strategy and executing against that. However, many teams confuse...

I have a regular set of go to books both for myself and what I recommend to others at all stages in their career. Here they all are with...

Jim Collins  wrote a great little book called Turning the Flywheel  to further develop an idea introduced in his book Good to Great to...

There are organizations that seem to have disproportionately created a large number of leaders who have gone on to be CISOs or other...

I’ve given variants of this talk at a few events in 2024 and received a lot of requests for the slides and a blog post. So here we go. ...

I managed to keep up the pace of 1 post every 2 weeks throughout 2024. Just when I think I might be running out of ideas, and the backlog...