top of page
Search
Building Balanced Security Teams - Updated
As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to...
Aug 12, 20234 min read
3,022 views
Delivering Security at Scale: From Artisanal to Industrial
Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its...
Jun 3, 20238 min read
7,446 views
You Only Get 3 Metrics - Which Ones Would You Pick?
Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...
May 20, 202310 min read
9,375 views
The Illusion of Choice : A Review
In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...
May 7, 202313 min read
3,740 views
Handling Complexity
Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...
Apr 7, 20238 min read
2,546 views
Fighting Security Entropy
Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...
Mar 25, 20237 min read
2,449 views
Attack Surface Management
Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...
Mar 12, 20239 min read
3,463 views
Software Security is More than Vulnerabilities
Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...
Feb 25, 20238 min read
2,146 views
Data Security and Data Governance
Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...
Feb 11, 20238 min read
1,979 views
The 6 Fundamental Forces of Information Security Risk
I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...
Jan 28, 20232 min read
4,722 views
Ceremonial Security and Cargo Cults
There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...
Jan 14, 202312 min read
18,987 views
Simple Ways to Communicate Successes
It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...
Dec 31, 20227 min read
5,642 views
Dangerous Embedded Assumptions
There is a notion I keep coming back to thanks to this article from a few years ago. The essence is that there are things that have...
Dec 17, 20223 min read
1,604 views
The Uncanny Valley of Security - Updated
Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...
Dec 3, 20228 min read
5,359 views
How to Tell if You Really are an InfoSec Professional
Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...
Nov 5, 20224 min read
9,529 views
Grand Challenges or Grind Challenges
How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...
Oct 22, 202210 min read
1,946 views
Field Guide to the Various Communities of Security
Which part of the security community are you in? Often, when one part of the security community talks about the overall community they...
Oct 8, 20227 min read
3,179 views
Essential Attributes of Security Leadership
Since I first wrote this back in 2021 (titled "CISO: Archeologist, Historian or Explorer?") it seems ever more true that complex and...
Sep 24, 20226 min read
3,374 views
Crucial Questions from Governments and Regulators
In this, fourth and final post in the series of Crucial Questions I’m going to focus on those from governments and regulators. This...
Sep 10, 202213 min read
1,860 views
Crucial Questions from CISOs and Security Teams
In this, third in a series of Crucial Questions posts I’m going to focus on the questions from CISOs and security teams. This builds on...
Aug 27, 202223 min read
6,712 views
bottom of page