Is Complexity the Enemy of Security?
Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...
top of page
Search
- Sep 9
- 14 min
Leverage Points - A Cybersecurity Perspective
Security is an emergent property of the complex systems we inhabit. In other words, security isn’t a thing that you do, rather it's a...
2,090 views
- Aug 26
- 6 min
Security Budgets - Supply and Demand
Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long...
3,096 views
- Aug 12
- 4 min
Building Balanced Security Teams - Updated
As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to...
2,373 views
- Jun 3
- 8 min
Delivering Security at Scale: From Artisanal to Industrial
Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its...
3,578 views
- May 20
- 10 min
You Only Get 3 Metrics - Which Ones Would You Pick?
Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...
7,125 views
- May 7
- 13 min
The Illusion of Choice : A Review
In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...
3,179 views
- Apr 7
- 8 min
Handling Complexity
Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...
2,338 views
- Mar 25
- 7 min
Fighting Security Entropy
Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...
2,084 views
- Mar 12
- 9 min
Attack Surface Management
Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...
3,011 views
- Feb 25
- 8 min
Software Security is More than Vulnerabilities
Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...
1,900 views
- Feb 11
- 8 min
Data Security and Data Governance
Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...
1,732 views
- Jan 28
- 2 min
The 6 Fundamental Forces of Information Security Risk
I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...
3,992 views
- Jan 14
- 12 min
Ceremonial Security and Cargo Cults
There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...
17,151 views
- Dec 31, 2022
- 7 min
Simple Ways to Communicate Successes
It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...
4,950 views
- Dec 17, 2022
- 3 min
Dangerous Embedded Assumptions
There is a notion I keep coming back to thanks to this article from a few years ago. The essence is that there are things that have...
1,543 views
- Dec 3, 2022
- 8 min
The Uncanny Valley of Security - Updated
Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...
4,608 views
- Nov 5, 2022
- 4 min
How to Tell if You Really are an InfoSec Professional
Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...
9,331 views
- Oct 22, 2022
- 10 min
Grand Challenges or Grind Challenges
How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...
1,823 views
- Oct 8, 2022
- 7 min
Field Guide to the Various Communities of Security
Which part of the security community are you in? Often, when one part of the security community talks about the overall community they...
2,971 views
bottom of page