RISK & CYBERSECURITY

The most read posts in 2025 coalesced around the concept that successful cybersecurity is fundamentally a function of business leadership, strategic design, and sustainable execution . The unifying themes across the top posts emphasize shifting security from an artisanal, reactive craft to an industrial-scale, proactive capability focused on building scalable, self-reinforcing systems (flywheels). Transformation requires leaders to manage stakeholder expectations carefully, p

This is the final of the series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master C

This is part 6 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master

This is part 5 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master

This is part 4 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing/refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Master

This is part 3 of a 7 part series grouping together sets of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing or refreshing a security program Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadership Mas

This is part 2 of this 7 part series grouping together a set of prior posts into a particular theme.  Security Leadership Master Class 1 : Leveling up your leadership Security Leadership Master Class 2 : Dealing with the board and other executives Security Leadership Master Class 3 : Building a security program Security Leadership Master Class 4 : Enhancing or refreshing a security program  Security Leadership Master Class 5 : Getting hired and doing hiring Security Leadershi

This is the first of a 7 part series where I’ll group together a set of prior posts into a particular theme that will make it all the...

In a first for this blog here is a post I worked on with Mike Aiello , a former colleague from Goldman Sachs and Google and someone, like...

Cybersecurity is a field built on metaphor. We wage "cyber wars," build "digital fortresses," and practice "cyber hygiene." These phrases...

Apparently what Mike Tyson actually said in a 1987 interview was, " Everybody has plans until they get hit for the first time". In any...

I re-stumbled across this well-worn meme of the 7 deadly sins and social media so, as many of you come back from Las Vegas I thought it...

As security specialists, we regularly see claims about the escalating scale of cybercrime, often hearing staggering claims that it’s a...

One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over...

I thought I’d try something different and share some thoughts on the Cyentia Institute’s latest report, the Information Risk Insights...

This is an update to a post from 2001 which I’m revisiting in part because some things have changed, but also because (surprisingly) much...

There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too...

I recently joined Clint Gibler (tl;dr sec) at RSA for a great discussion. In it we cover a wide array of topics from the challenge of...

I’ve had a number of requests to write a post about how to start and grow a new security program - or a substantial reassessment and...

I first wrote this post back in 2021 so I thought it’s time for a revisit with an addition of a few more roles.  We talk about attackers...