Risk Analysis (vs / and / or) Threat Modelling

Lately I’ve been having loads of conversations with both GRC and Engineering folks about both Risk Analysis (RA) and Threat Modelling (TM). Opinions diverge on the usefulness and scope of each: the risk-inclined often claim they achieve the same outcomes as TM with their RA, and the engineering-inclined tend to say that their TMs […]

Infosec governance and structure misalignments and what to do about them

As I start a new job in a few days, I’m revisiting a classic in management and leadership transition that I’d recommend all my readers get as well: “The first 90 days” by Richard Watkins. Something that in my consulting experience I’ve come across quite often, and helped clients navigate through, is governance and […]

Decluttering your security management system

If your security function has been operating for more than a few months, it’s likely that you’ve put some management system in place to enable and support evidencing that your organisation manages their security programme and outcomes in a consistent, documented fashion. As security professionals, namely in Governance, Risk Management and Compliance, that’s expected of […]

Minimum Viable Security Knowledge and Team Topologies for Security

I’ve mentioned an idea in talks that I’ve never actually written down, about what I consider to be something that security teams should be aiming for as part of their “awareness” approaches when supporting Engineering and/or Development teams, and it’s this idea of “Minimum Viable Security Knowledge”. To understand this idea, we […]

Improving the flow of work

I believe that, generally, Infosec as an industry missed out on all of the good things that LEAN had to teach us regarding how to do a better job of managing work. Most of us probably went straight from Waterfall to “DevSecOps”, missing a lot of the ideas that supported the development and […]

Bureaucratic Entrepreneurialism in Infosec GRC

We just need to go into any organisation, namely big ones that have been growing and maturing their Infosec practices for the last 10-20 years, or any startup in the B2B space (which many of the clients I’m Fractional CISO for are) trying to sell to big corporates, to face the ever […]

The Causality Credo in Infosec and how to leave the club

This post is very much inspired by, and follows from, Hollnagel’s work in his book “Safety-1 and Safety-2”, which I’d recommend everyone read. A challenge we have in Infosec, namely in the disciplines of Risk Management and Compliance, is something Hollnagel termed the “causality credo”. The causality credo is the “unspoken assumption that outcomes can be understood as […]

The future of Infosec is interdisciplinary and integrated

One of the themes you may have noticed from this blog and my talks is that I tend to reference mostly frameworks that sit outside of the traditional ones we consider in Infosec literature and training. Examples include Systems Thinking, Safety Science, Resilience Engineering, Wardley mapping, Team Topologies, Complexity and others. […]

The missing dimension of security process development: protecting our employees

A quick post today on something that’s been on my mind lately. I made a quick Twitter post about it here, but will expand a bit in this blog post. If you’re not following me on Twitter, you probably should. It’s where I’m most active on social media; I don’t really enjoy the dynamics of the […]

Research-informed Policy design – not the wishful thinking type

I’ve had this blog post floating in my head since I came back from RSAC 2022, as I related two pieces of content I was recently exposed to. One of them is Ricardo Ferreira’s book “Policy Design in the Age of Digital adoption” (full disclosure: Ricardo is a friend who asked me to review his book and […]

Defeating factors in Security controls

As anyone following me for a while knows, I’m a big fan of David Provan’s work on Safety and Safety Management. In his latest book “The Field Guide to Safety Professional Practice” he talks about a construct that I believe is very useful for us in Information Security as well, namely those of us tasked […]

“Compliance is not Security”, but not like that

It’s been a while since I blogged, but as everyone following me on Twitter knows, I’ve been in the books doing my own research on Safety Science and Resilience Engineering literature. As inspiration for this post, I’d particularly highlight Sidney Dekker’s “The Safety Anarchist: relying on human expertise and innovation, reducing bureaucracy and compliance”, which I’m […]

Infosec Reporting lines seen from Complex Adaptive Systems characteristics

It’s the second time in the last 24 hours that the subject of “Reporting lines” has come up, also prompted by this article (https://humanisticsystems.com/2019/07/04/the-organisational-homelessness-of-human-factors/) relating to Human Factors, which I think to an extent affects #Infosec as well, so I thought I’d put some quick thoughts down on the subject. Where should #Infosec report? COO? […]

Rasmussen’s Systemic Risk Modelling and Cyber Security

I first became acquainted with Rasmussen’s work at the beginning of last year by watching Dr. Cook’s talk at Velocity 2013 (links at the bottom). But I had to be told, about 3-4 months ago, to review it for it to actually click with me and, more than that, to pique my curiosity to go look for the original […]

Why aren’t we learning from (security) incidents – views from resilience and complexity

It’s been way too long since I last blogged, and this particular post has been on my mind for weeks now, so I decided today was the day to get it out. I’m privileged to be part of a community of Safety and Resilience Engineering experts from whom I learn a lot, and as some of […]