Cyber Insights Needed & Delivered
I thought I’d try something different and share some thoughts on the Cyentia Institute’s latest report, the Information Risk Insights...
Jun 28 · 4 min read
CISO / Cybersecurity Leader Job Description
There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too...
May 31 · 3 min read
Why Stuff Fails (“The Thermocline of Truth”)
For many years I’ve observed the same pattern of failure in projects, programs, issue mitigation and indeed anything that requires more...
Apr 19 · 5 min read
Security Leaders’ Reading List
I have a regular set of go to books both for myself and what I recommend to others at all stages in their career. Here they all are with...
Mar 22 · 6 min read
Stressed Testing: Practical Operational Resilience
Operational resilience is a concept that has gained even further traction. It first came to prominence from financial regulators, in...
Feb 8 · 13 min read
Top Ideas and Posts from 2024
I managed to keep up the pace of 1 post every 2 weeks throughout 2024. Just when I think I might be running out of ideas, and the backlog...
Dec 28, 2024 · 6 min read
Regulatory Harmonization - Let’s Get Real
Every few months some association or other learned group of professionals makes a fresh call to action for cybersecurity regulatory...
Nov 30, 2024 · 7 min read
Lessons in Crisis Management - Top 10 Disaster Movies
I’ve previously posted about some of the best security movies made but I have to confess I’m not a big fan of the genre. They tend not...
Nov 16, 2024 · 3 min read
Risk Appetite and Risk Tolerance - A Practical Approach
If you work for a large organization, especially public or otherwise regulated companies, then you may well have faced the prospect of...
Nov 2, 2024 · 13 min read
6 Truths of Cyber Risk Quantification
I wrote the original version of this post over 4 years ago. In revisiting this it is interesting to note that not much has actually...
Sep 7, 2024 · 8 min read
Security Training & Awareness - 10 Essential Techniques
Security training is often considered a bit of a waste of time. Maybe this is unfair, but unsurprising in the face of the worst forms of...
Aug 10, 2024 · 16 min read
Why Good Security Fails: The Asymmetry of InfoSec Investment
One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have less...
Jul 13, 2024 · 5 min read
Human Error
Several years after writing the first version of this blog I still see a repeated pattern of problematic events attributed to human...
Jun 29, 2024 · 10 min read
The Crucial Test of Security Leadership: A-grades vs. Pass/Fail
A major success marker of great security leaders and their teams is one simple prioritization technique: the ability to know what needs...
May 18, 2024 · 4 min read
Where the Wild Things Are: Second Order Risks of AI
Every major technological change is heralded with claims of significant, even apocalyptic, risks. These almost never turn out to be...
May 4, 2024 · 10 min read
DevOps and Security
Each year, DevOps Research and Assessment (DORA) within Google Cloud publishes the excellent State of DevOps report. The 2023 report...
Mar 9, 2024 · 6 min read
The 80 / 20 Principle
Ever since I first became familiar with the 80/20 principle, and other circumstances marked by Pareto distributions, I began to see...
Feb 10, 2024 · 5 min read
Top Ideas and Posts from 2023
Thankfully I managed to keep up the pace of 1 post every 2 weeks throughout 2023. Just when I think I might be running out of ideas, and...
Dec 30, 2023 · 5 min read
Career Development: 13 Formative Moments (Part 2)
The skills for your role and your leadership style build up throughout your career. But I’ve found, personally and in talking to others,...
Oct 21, 2023 · 12 min read
Is Complexity the Enemy of Security?
Since the last post about leverage points in managing complex systems I thought it would be good to revisit and update a post from a few...
Sep 23, 2023 · 7 min read