You Can Be Profound, or You Can Be Effective—Pick One
The pressure to be profound is such a stumbling block in our industry. It emphasises the sophisticated over…
Here’s What You Should Do Today About All These Outages: Nothing
Smart leaders don't react, they respond. Now is not the time to wax poetic about the world we left behind, or follow the reactionists backwards towards a demonstrably worse risk position.
Security and Compliance Aren’t the Same—But They Both Have the Same Objective
Two lenses, same objective: risk management.
The Fish, the Fishbowl, and All the Things We Thought We Knew
The fishbowl distorts perception, but in a way which confirms our biases. How does this hurt us in security and transformation, and what should we do about it?
Business Leaders: How to Help the Technologists to Help You
We all sometimes need to be reminded that security risk is not the only risk, and sometimes not even the most important risk, that a business faces.
It’s Time to Retire “Attackers Only Have to be Right Once; Defenders Have to be Right 100% of the Time”, and Here’s Why
Along with "people are the weakest link", this phrase has been shaping unhealthy cultures in security for years. It's time to stop saying it, and here's why.
G before RC
The order of the letters in "GRC" is not arbitrary. If you don't Govern your environment well, you cannot manage Risk and Compliance well.
What Moves the Cyber Resilience Needle the Most? It’s Probably Not What You Think
It's simple, but it's not easy: if you change the tech but not the culture, none of the gains you realize in the short term will be sustainable in the long term.
When To Say No To A Good Opportunity
Sometimes an opportunity looks and feels right, but it isn't. Here's how you can tell the difference.
The Objective of Securing Privileged Access? To Protect the Business from the Admins
The most common privileged security gaps that attackers exploit come from sacrificing effective privileged admin security on the altar of operational convenience.
Honest Self-Reflection for Security Leaders, Post-Breach: 3 Important Questions to Ask Yourself
There's never just one reason why a breach occurs, but leaders have a unique responsibility because they own budget, strategy, and prioritisation. Here are 3 questions to consider carefully.
The Identity Lesson You Must Learn From Midnight Blizzard
Endpoint security is not the fulcrum around which you should be building. You'll miss a lot if you do.
Vulnerability Management: Reactionary Security FUD At Its Worst
There's no such thing as a critical vulnerability, generically. There's only a critical vulnerability that can be exploited in your environment, specifically.
The Missing Key To Understanding How the Midnight Blizzard Attack Worked
How does compromising an app in one tenant get you into another tenant? There is a key piece of info that will help you to understand.
“Materiality” Relies on Risk Quantification—Which Is Why Many Businesses Struggle to Understand It
The ambiguity of "materiality" is an invitation to risk management maturity.
Understanding the Evolution of “Tier 0” in Modern Access Control Models
Does "Tier 0" still matter? Yes and no. Yes, as a principle; No, as an access control model. Here's what to do instead.
Why CISOs Don’t Want Tool Jockeys…And What They Want Instead
What skills do CISOs want, more than technical skills? What should you prioritize to stand out from the crowd?
Interacting With CISOs: 4 Tips for Security People
Authenticity doesn't guarantee success, but the lack of authenticity guarantees failure. Here are a few things to consider.