Bug Bounty Programs
There are still plenty of organizations that don’t have a well defined and accessible bug bounty program. More surprisingly, there are...
top of page
Search
- Nov 4
- 7 min
Caricatures of Security People
The great thing about the security industry is it’s made up of a variety of roles and people from many backgrounds, disciplines, skill...
18,214 views
- Sep 23
- 7 min
Is Complexity the Enemy of Security?
Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...
1,954 views
- Sep 9
- 14 min
Leverage Points - A Cybersecurity Perspective
Security is an emergent property of the complex systems we inhabit. In other words, security isn’t a thing that you do, rather it's a...
2,514 views
- Aug 26
- 6 min
Security Budgets - Supply and Demand
Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long...
3,609 views
- Aug 12
- 4 min
Building Balanced Security Teams - Updated
As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to...
2,627 views
- Jun 3
- 8 min
Delivering Security at Scale: From Artisanal to Industrial
Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its...
4,131 views
- May 20
- 10 min
You Only Get 3 Metrics - Which Ones Would You Pick?
Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...
7,555 views
- May 7
- 13 min
The Illusion of Choice : A Review
In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...
3,331 views
- Apr 7
- 8 min
Handling Complexity
Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...
2,394 views
- Mar 25
- 7 min
Fighting Security Entropy
Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...
2,201 views
- Mar 12
- 9 min
Attack Surface Management
Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...
3,080 views
- Feb 25
- 8 min
Software Security is More than Vulnerabilities
Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...
1,933 views
- Feb 11
- 8 min
Data Security and Data Governance
Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...
1,764 views
- Jan 28
- 2 min
The 6 Fundamental Forces of Information Security Risk
I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...
4,106 views
- Jan 14
- 12 min
Ceremonial Security and Cargo Cults
There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...
17,398 views
- Dec 31, 2022
- 7 min
Simple Ways to Communicate Successes
It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...
5,101 views
- Dec 17, 2022
- 3 min
Dangerous Embedded Assumptions
There is a notion I keep coming back to thanks to this article from a few years ago. The essence is that there are things that have...
1,554 views
- Dec 3, 2022
- 8 min
The Uncanny Valley of Security - Updated
Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...
4,763 views
- Nov 5, 2022
- 4 min
How to Tell if You Really are an InfoSec Professional
Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...
9,398 views
bottom of page