RISK & CYBERSECURITY

Escalating issues is part of the foundation of any good risk and security program. Unfortunately, human nature is such that most people a...

As an industry we spend a lot of time talking about workforce development and skills shortages. We tend not to talk about how to organize...

There are lots of problem solving techniques across many fields. These are often represented as mental models or behavioral short-cuts. H...

How you obtain and manage a budget to drive an adequate level of security is immensely important. Yet, it is one of the least discussed a...

It is still somewhat frustrating that most of the dialog about the skills shortage in cybersecurity focuses, perhaps inevitably, on the a...

In any sizable organization it is important to have some form of management steering group or committee to oversee your risk program. The...

How to represent cybersecurity (or technology / information risks more generally) to the Board is an ongoing subject of discussion in mos...

The underlying secret of most great security leaders and teams is one thing: the ability to know what needs to be done really well vs. wh...

I’ve been using variants of these principles for many years in many contexts, both for security and broader risk management teams. I have...

Disagreement arises in many situations. It is an inevitable part of any work in any organization, or life in general. It is especially ap...

Resilience can be thought of as the ability to absorb shocks, adjust as needed and continue operation in the face of adversity. In other w...

It can be irritating to receive e-mails from vendors during a time of crisis, like now, with the spin that their products can help. It is...

For some reason, first at a TAG_Cyber event and then coincidentally at 2 other events, the question of what books security people should ...

A critical measure of success for most security roles is the ability to influence. I’ve often found people think influence skills are inn...

Over the years I made note of what behaviors I’ve seen from successful people. By success, I mean getting results, increase span of influ...

I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts f...

To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this ...

A few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out talk...

When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - ...

Having read many people’s strong-held views on this topic I thought I’d add to the mix. Despite a lot of people now inevitably thinking “...