RISK & CYBERSECURITY

Of the vast canon of insightful commentary that has come from Dan Geer over many years, one that especially stuck with me was his...

How to represent cybersecurity (or technology / information risks more generally) to the Board is an ongoing subject of discussion in...

It is sad that many security discussions are so binary: that is, if you’re not wildly for something then you must be wildly against it....

This is an update from a thread that became a post last year. Threat intelligence seems, at least to me, to get maligned too much. For...

The underlying secret of most great security leaders and teams is one thing: the ability to know what needs to be done really well vs....

I see regular waves of articles and commentary that assert : “We are spending more and more on security but security incidents / breaches...

Let’s assume general purpose quantum computers that can operate usefully at scale are coming. I think a reasonable timeframe is 15 years....

Chesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is...

Risk quantification, in any field, is not an end in itself. It exists to compel some action. That action might be to drive decisions or...

Not all risks are possible to fully mitigate in every context, so you need to record and manage those residual risks. These are often put...

The codebreaking and overall intelligence success of Bletchley Park in World War II is legendary. Ultra, along with broader Allied...

In most organizations you are constantly upgrading your security controls. This is for many reasons, including: New threats induce higher...

It can be irritating to receive e-mails from vendors during a time of crisis, like now, with the spin that their products can help. It is...

In this coming decade there will be 5 major themes that differentiate great security programs, products, features and processes. These...

Everyone is deluged with approaches from product and service vendors, small and large. Even vendors struggle to keep track of who their...

It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you...

It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of...

The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and...

Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and...

I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts...