Here’s What You Should Do Today About All These Outages: Nothing
Smart leaders don't react, they respond. Now is not the time to wax poetic about the world we left behind, or follow the reactionists backwards towards a demonstrably worse risk position.
What England’s Underwhelming Team of Football All-Stars Can Teach Us About Cybersecurity
If you want to understand the platform vs best-of-breed debate, look no further than England's football team.
How to Build a Thriving Career in Cybersecurity (and beyond)…Without Burning Out
I've learned most of these lessons the hard way. Here are 6 key things to consider.
Security and Compliance Aren’t the Same—But They Both Have the Same Objective
Two lenses, same objective: risk management.
The Fish, the Fishbowl, and All the Things We Thought We Knew
The fishbowl distorts perception, but in a way which confirms our biases. How does this hurt us in security and transformation, and what should we do about it?
Business Leaders: How to Help the Technologists to Help You
We all sometimes need to be reminded that security risk is not the only risk, and sometimes not even the most important risk, that a business faces.
It’s Time to Retire “Attackers Only Have to be Right Once; Defenders Have to be Right 100% of the Time”, and Here’s Why
Along with "people are the weakest link", this phrase has been shaping unhealthy cultures in security for years. It's time to stop saying it, and here's why.
G before RC
The order of the letters in "GRC" is not arbitrary. If you don't Govern your environment well, you cannot manage Risk and Compliance well.
What Moves the Cyber Resilience Needle the Most? It’s Probably Not What You Think
It's simple, but it's not easy: if you change the tech but not the culture, none of the gains you realize in the short term will be sustainable in the long term.
The Objective of Securing Privileged Access? To Protect the Business from the Admins
The most common privileged security gaps that attackers exploit come from sacrificing effective privileged admin security on the altar of operational convenience.
The True Scope of Posture Management
What's the true scope of posture management? You'll know you're on the right path when the security org is more focused on Prevention Engineering than on Detection (and Response) Engineering.
Growth that Builds, Growth that Breaks
You've probably heard it said that "healthy things grow". That's not true. Cancer also grows. What we can say for sure is that alive (or dynamic) things grow; whether that growth is beneficial or destructive is a different question.
The Now-and-Not-Yet Tension in our Careers
Remember the medieval quarry worker’s creed: “We who cut mere stones must always be envisioning cathedrals.” You're both the quarry worker, and the stones. The question is, what are you building?
AI Risks: Net-New or Amplifier?
Track the risks. Just make sure that the risks are the actual risks, so that the problems you fix are the actual problems.
How Focusing on Strategy Perpetuates the Problem
Strategy is easy. Execution is where the wheels come off.
Cybersecurity is a System
China found out the hard way that no one escapes the interdependencies of complex systems. We make the same mistakes in cybersecurity today.
You Can Be Profound, or You Can Be Effective—Pick One
The pressure to be profound is such a stumbling block in our industry. It emphasises the sophisticated over…
From the Recorded Future Podcast: A Conversation with CISO Jason Steer About Identity Security
From my conversation with Recorded Future, two short, essential videos about identity security: how we got here, why it matters, and why it's so hard to do well.