Organizational Politics & The Security Program
I first wrote the original of this post over 4 years ago. Having seen a new spurt of discussion about organization politics in various on-line and in-person forums I thought it was time for an update. At every stage in your career and in every part of your role you are going to have to deal with organizational politics. People often construe such politics as inherently negative. Yes, there are some organizations that have toxic cultures where organizational politics looks mo...
Mar 21 · 18 min read
Cybersecurity’s Need for Speed & Where To Find It
As we talked about in the last post, a world going through a massive AI-driven transition means speed becomes vital. This is the speed of adapting to change and the speed of dealing with a world of threats, who are themselves moving ever faster. It’s easy to say go faster but this has to be more than just wishful thinking or a line in a strategy document. You actually have to go do some things. You also have to push back against some of the defeatism that permeates a lot of...
Mar 7 · 10 min read
Things Are Getting Wild: Re-Tool Everything for Speed
It’s not often that a force appears that totally re-orients everything in security. This is what we are facing with AI. 12 months ago I had an incrementalist view of the cybersecurity impact of AI. Specifically, that it will be very significant but things will change progressively and we’ll adapt to adversarial use while also using it to improve defenses. Now, I’m coming to a view that this will have a bigger negative impact than even our worst assumptions. But at the same...
Feb 21 · 8 min read
2025 Year in Review - Top 10
The most read posts in 2025 coalesced around the concept that successful cybersecurity is fundamentally a function of business leadership, strategic design, and sustainable execution. The unifying themes across the top posts emphasize shifting security from an artisanal, reactive craft to an industrial-scale, proactive capability focused on building scalable, self-reinforcing systems (flywheels). Transformation requires leaders to manage stakeholder expectations carefully, p...
Jan 10 · 4 min read
Everyone Has A Plan Until They Get Punched In The Face
Apparently what Mike Tyson actually said in a 1987 interview was, "Everybody has plans until they get hit for the first time." In any...
Aug 23, 2025 · 7 min read
Career Longevity & The Don't Fire Me Chart
One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over...
Jul 12, 2025 · 2 min read
Cyber Insights Needed & Delivered
I thought I’d try something different and share some thoughts on the Cyentia Institute’s latest report, the Information Risk Insights...
Jun 28, 2025 · 4 min read
CISO / Cybersecurity Leader Job Description
There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too...
May 31, 2025 · 3 min read
Why Stuff Fails (“The Thermocline of Truth”)
For many years I’ve observed the same pattern of failure in projects, programs, issue mitigation and indeed anything that requires more...
Apr 19, 2025 · 5 min read
Security Leaders’ Reading List
I have a regular set of go-to books, both for myself and what I recommend to others at all stages in their career. Here they all are with...
Mar 22, 2025 · 6 min read
Stressed Testing: Practical Operational Resilience
Operational resilience is a concept that has gained even further traction. It first came to prominence from financial regulators, in...
Feb 8, 2025 · 13 min read
Top Ideas and Posts from 2024
I managed to keep up the pace of 1 post every 2 weeks throughout 2024. Just when I think I might be running out of ideas, and the backlog...
Dec 28, 2024 · 6 min read
Regulatory Harmonization - Let’s Get Real
Every few months some association or other learned group of professionals makes a fresh call to action for cybersecurity regulatory...
Nov 30, 2024 · 7 min read
Lessons in Crisis Management - Top 10 Disaster Movies
I’ve previously posted about some of the best security movies made but I have to confess I’m not a big fan of the genre. They tend not...
Nov 16, 2024 · 3 min read
Risk Appetite and Risk Tolerance - A Practical Approach
If you work for a large organization, especially public or otherwise regulated companies, then you may well have faced the prospect of...
Nov 2, 2024 · 13 min read
6 Truths of Cyber Risk Quantification
I wrote the original version of this post over 4 years ago. In revisiting this it is interesting to note that not much has actually...
Sep 7, 2024 · 8 min read
Security Training & Awareness - 10 Essential Techniques
Security training is often considered a bit of a waste of time. Maybe this is unfair, but unsurprising in the face of the worst forms of...
Aug 10, 2024 · 16 min read
Why Good Security Fails: The Asymmetry of InfoSec Investment
One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have less...
Jul 13, 2024 · 5 min read
Human Error
Several years after writing the first version of this blog I still see a repeated pattern of problematic events attributed to human...
Jun 29, 2024 · 10 min read
The Crucial Test of Security Leadership: A-grades vs. Pass/Fail
A major success marker of great security leaders and their teams is one simple prioritization technique: the ability to know what needs...
May 18, 2024 · 4 min read