RISK & CYBERSECURITY

In most organizations you are constantly upgrading your security controls. This is for many reasons, including: New threats induce higher risk exposure and r...

In this coming decade there will be 5 major themes that differentiate great security programs, products, features and processes. These are different from ove...

I've been thinking more about mega trends applied to risk, specifically operational risk (people, process, technology & external events). Planning for these ...

It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you are about to invest i...

The Bank of England has recently released a sequence of consultation papers, after an earlier discussion paper, laying out a framework for operational resil...

It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of these - they’re eit...

For some reason, first at a TAG_Cyber event and then coincidentally at 2 other events, the question of what books security people should read to develop thei...

The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and difficult trade-offs. Some...

Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and continuous sustainme...

I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts from in a physical sp...

To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this is also a space wher...

It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk, to then implement co...

Cybersecurity is not the only technology risk, in fact, when you total up actual losses it is likely not even the biggest risk. Although I think it is the ri...

When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving in...

I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that this is not still al...

As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”. Thes...