top of page
Search
AI Consequence and Intent - Second Order Risks
There is a lot of good discussion and emerging methods to manage the risks of AI in various forms from training data protection, model...
Jul 1, 20233 min read
1,309
Work / Life Balance
I have always struggled to balance work and life. Many years ago I realized I wasn’t so much struggling to achieve an effective balance,...
Jun 17, 202319 min read
9,050
Delivering Security at Scale: From Artisanal to Industrial
Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its...
Jun 3, 20238 min read
7,282
You Only Get 3 Metrics - Which Ones Would You Pick?
Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this...
May 20, 202310 min read
9,227
The Illusion of Choice : A Review
In the last post we talked about the challenges and opportunities of using individual and organizational incentives to ensure effective...
May 7, 202313 min read
3,714
People and Security Incentives
Force 6 : People, organizations and AI respond to incentives and inherent biases but not always the ones we think are rational. //...
Apr 22, 20238 min read
1,681
Handling Complexity
Force 5 : Complex Systems break in Unpredictable Ways // Central Idea: While component level simplicity is vital, seeking to eliminate...
Apr 7, 20238 min read
2,537
Fighting Security Entropy
Force 4 : Entropy is King // Central Idea: Adopting a control reliability engineering mindset by continuous control monitoring is...
Mar 25, 20237 min read
2,441
Attack Surface Management
Force 3 : Services want to be on // Central Idea: Take architectural steps to inherently reduce your attack surface - don’t just rely...
Mar 12, 20239 min read
3,452
Software Security is More than Vulnerabilities
Force 2 : Code wants to be wrong // Central Idea: Shift from a pure focus on only reducing security vulnerabilities towards increasing...
Feb 25, 20238 min read
2,132
Data Security and Data Governance
Force 1: Information wants to be free // Central Idea: Shift from perimeter based surveillance and tactical blocking to data governance...
Feb 11, 20238 min read
1,968
The 6 Fundamental Forces of Information Security Risk
I first posted this as a Twitter thread in 2019. These forces still seem very much current - perhaps even more so. It is interesting to...
Jan 28, 20232 min read
4,708
bottom of page