RISK & CYBERSECURITY

The great thing about the security industry is it’s made up of a variety of roles and people from many backgrounds, disciplines, skill...

Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...

Security is an emergent property of the complex systems we inhabit. In other words, security isn’t a thing that you do, rather it's a...

Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long...

As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to...

Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its...

Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...

In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...

Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...

Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...

Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...

Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...

Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...

I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...

There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these...

It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over...

There is a notion I keep coming back to thanks to this article from a few years ago. The essence is that there are things that have...

Since I first wrote this post 2 years ago I keep seeing it reinforced. The basic premise is that, sometimes, advanced levels of security...

Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating, Jeff Foxworthy skit of “You might...

How much of your work that you would like to describe as a “grand” challenge is really more of a “grind”? As an industry we like to talk...