top of page
Search
Prioritizing Security Improvements - A Deceptively Simple Way
In most organizations you are constantly upgrading your security controls. This is for many reasons, including: New threats induce higher...
Apr 5, 20203 min read
Cybersecurity Macro Themes for the 2020's
In this coming decade there will be 5 major themes that differentiate great security programs, products, features and processes. These...
Mar 1, 20203 min read
Risk : Mega Trends
I've been thinking more about mega trends applied to risk, specifically operational risk (people, process, technology & external events)....
Feb 9, 20203 min read
The Leading Indicators of a Great Info/Cybersecurity Program
It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you...
Jan 24, 20202 min read
Operational Resilience
The Bank of England has recently released a sequence of consultation papers, after an earlier discussion paper, laying out a framework...
Jan 19, 20204 min read
Predictions and Calls to Action
It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of...
Jan 1, 20203 min read
Non-Technical Books. Recommended List
For some reason, first at a TAG_Cyber event and then coincidentally at 2 other events, the question of what books security people should...
Dec 15, 20191 min read
Insider Threat Risk - Blast Radius Perspective
The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and...
Dec 1, 20193 min read
Alternative Risk Management Strategies.
Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and...
Nov 24, 20192 min read
Shrines of Failure
I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts...
Nov 10, 20191 min read
Career Longevity & "The Don't Fire Me Chart"
To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this...
Oct 26, 20191 min read
Risk Management is not only about Reducing Risk
It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk,...
Oct 20, 20192 min read
Cybersecurity is not the only Technology Risk
Cybersecurity is not the only technology risk, in fact, when you total up actual losses it is likely not even the biggest risk. Although...
Sep 29, 20193 min read
Security Program Tactics
When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects -...
Sep 15, 20193 min read
Cybersecurity as a First Class Business Risk
I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that...
Aug 17, 20192 min read
Fundamental Drivers of Information Security Risk
As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of...
Jul 21, 20192 min read
bottom of page