Jun 74 minAre Security Incidents Really Increasing?I see regular waves of articles and commentary that assert : “We are spending more and more on security but security incidents / breaches...
May 173 minCrypto isn’t the Only Cyber Issue in a Post Quantum WorldLet’s assume general purpose quantum computers that can operate usefully at scale are coming. I think a reasonable timeframe is 15 years....
May 92 minThink Twice Before Switching Off Controls : Chesterton's FenceChesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is particu...
May 35 minCyber Risk QuantificationRisk quantification, in any field, is not an end in itself. It exists to compel some action. That action might be to drive decisions or s...
Apr 265 minAre You Managing Your Risk Register Effectively?Not all risks are possible to fully mitigate in every context, so you need to record and manage those residual risks. These are often put...
Apr 194 minIntelligence Failures - “The Distortion of Retrospect”The codebreaking and overall intelligence success of Bletchley Park in World War II is legendary. Ultra, along with broader Allied signal...
Apr 53 minPrioritizing Security Improvements - A Deceptively Simple WayIn most organizations you are constantly upgrading your security controls. This is for many reasons, including: New threats induce higher...
Mar 222 minSelling into a Crisis (Rights and Wrongs) It can be irritating to receive e-mails from vendors during a time of crisis, like now, with the spin that their products can help. It is...
Mar 13 minCybersecurity Macro Themes for the 2020'sIn this coming decade there will be 5 major themes that differentiate great security programs, products, features and processes. These ar...
Feb 25 minDealing with the Deluge of VendorsEveryone is deluged with approaches from product and service vendors, small and large. Even vendors struggle to keep track of who their c...
Jan 242 minThe Leading Indicators of a Great Info/Cybersecurity ProgramIt can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you a...
Jan 13 minPredictions and Calls to ActionIt’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of...
Dec 1, 20193 minInsider Threat Risk - Blast Radius PerspectiveThe management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and diffic...
Nov 24, 20192 minAlternative Risk Management Strategies. Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and ...
Nov 10, 20191 minShrines of Failure I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts f...
Oct 26, 20191 minCareer Longevity & "The Don't Fire Me Chart"To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this ...
Oct 5, 20192 minThe Stress and Joy of Security JobsA few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out talk...
Sep 29, 20193 minCybersecurity is not the only Technology RiskCybersecurity is not the only technology risk, in fact, when you total up actual losses it is likely not even the biggest risk. Although ...
Sep 15, 20193 minSecurity Program TacticsWhen starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - ...
Sep 1, 20192 minVulnerability ManagementI don’t see much written on vulnerability management in more holistic terms vs. patch/bug fixing. This might be ok given a lot of vulnera...