Phil Venables

3 Year Review

I’ve been doing this blog for around 3 years, largely succeeding in posting every 2 weeks. I have learnt a lot in this process and I fully endorse that the act of writing things down for other people does dramatically help your own clarity of thinking. What has been most interesting and actually quite amusing is how off the mark I am in predicting what will be the most popular posts vs. the posts I am most happy with. So, at this three year mark here are the Top 5 posts by popularity and my own Top 5 personal favorites.


Readers' Top 5


This was a very popular post largely I think because most people are frustrated by the polarization of many subjects, often driven by media / social media. We live in a world of nuance, we all generally appreciate that. But each day we are presented with binary choices and views.



A lot of the resonance with this centered on our collective need to find leading, not lagging, indicators/metrics for security. I got some negative feedback on this which essentially boiled down to "these metrics are really hard." Yes, I even said that in the title. Ultimately I think the effort will be worth it because of the beneficial outcome of hitting targets associated with those metrics but, mainly, because the mere act of trying to measure these will also improve the security situation even if you can never actually get to the goal.



Surprisingly this one was more popular than the Part 2 which followed it, which had a lot more practical detail on running a security program.



Written at the beginning of the Covid-19 pandemic, I posted this because I was starting to see a lot of unfortunate sales tactics seeming to exploit the crisis.



Board and Risk engagement has been a thread across many posts and this topic it seems is always interesting for CISOs and other security professionals alike.


Phil’s Top 5


It surprises me more people didn't react to this; I see this type of uncanny valley everywhere. I think it is at the core of pretty much every problem we have. Perhaps I need to explore and write about it more to further develop the idea.



One of my rare attempts at trying to write something with a bit of humor. I still think it is funny. But, like accounting itself, perhaps it’s not a laughing matter.



This is a great summary of the essential points across many other posts. One of the posts I often refer to for reference.



I enjoyed writing this one as it gave me a great excuse to bring together a number of ideas I’d been thinking about for quite a while - many of which I am seeing pressure tested in real organizations. Interestingly this is the only post on both lists.



One of my favorite topics. Enough said.




