RISK & CYBERSECURITY

A critical measure of success for most security roles is the ability to influence. I’ve often found people think influence skills are...

The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and...

Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and...

Over the years I made note of what behaviors I’ve seen from successful people. By success, I mean getting results, increase span of...

I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts...

To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this...

It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk,...

A few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out...

Cybersecurity is not the only technology risk, in fact, when you total up actual losses it is likely not even the biggest risk. Although...

When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects -...

I don’t see much written on vulnerability management in more holistic terms vs. patch/bug fixing. This might be ok given a lot of...

I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that...