RISK & CYBERSECURITY

Security training is often considered a bit of a waste of time. Maybe this is unfair, but unsurprising in the face of the worst forms of...

One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have less...

Several years after writing the first version of this blog I still see a repeated pattern of problematic events attributed to human...

When you strip away all the fluff, security succeeds when: You are moving quicker than attackers - mitigating specific attacks ahead of,...

We’re getting it wrong on the messaging for incentives to do security - and people are pretending it’s landing when it isn’t. There are 5...

A major success marker of great security leaders and their teams is one simple prioritization technique: the ability to know what needs...

There are many well known, so called, laws of technology. Moore’s law being particularly emblematic. Let’s look at some of them and see...

A few weeks ago The White House published our PCAST report on cyber-physical resilience. Thank you for all the positive reactions to...

We still have plenty of open problems in information and cybersecurity (InfoSec). Many of these problems are what could easily be classed...

Each year, DevOps Research and Assessment (DORA) within Google Cloud publishes the excellent State of DevOps report. The 2023 report...

As we start out, or even when entering a new stage of our careers, we realize the need to be connected to a professional community. For...

Ever since I first became familiar with the 80/20 principle, and other circumstances marked by Pareto distributions, I began to see...

Everyone has their list of favorite security movies and I bet some are on everyone’s list. There’s also a set of movies that aren’t...

Thankfully I managed to keep up the pace of 1 post every 2 weeks throughout 2023. Just when I think I might be running out of ideas, and...

There are still plenty of organizations that don’t have a well defined and accessible bug bounty program. More surprisingly, there are...

The great thing about the security industry is it’s made up of a variety of roles and people from many backgrounds, disciplines, skill...

Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...

Security is an emergent property of the complex systems we inhabit. In other words, security isn’t a thing that you do, rather it's a...

Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long...

As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to...