// BLOG
All posts.
Field notes from 20+ years in security. Plus the occasional detour into life, work, and whatever else is on my mind.
The CISO Who Buries Bad News Isn't Wrong. The System Is.
95% of CISOs feel pressured to suppress compliance findings. The industry response is that they need more backbone. That's the wrong read.
Finding a Mentor Is Good Advice. Finding a Sponsor Is the Advice Nobody Gives You.
Mentors give you guidance. Sponsors spend their capital on you. Most career conversations focus on the first one. The second one is what actually moves careers.
Your Incident Response Plan Is Modeling the Wrong Threat Actor
LockBit dominated tabletops for years. The ransomware ecosystem has rotated. The groups hitting organizations right now are not the ones your IR team practiced against, and that gap has consequences.
Your AI Agent Has a Supply Chain. Did You Audit It?
One in four MCP servers exposes AI agents to remote code execution. Most teams deploying agents do not know what an MCP server is. That is a supply chain problem disguised as an AI launch.
"We Have an AI Policy" Is the New "We Passed the Audit"
OpenAI just admitted prompt injection isn't getting solved, and companies are wiring AI agents into production anyway. A policy document is not a control.
Your no-code MVP can't legally hold the data it was built for
No-code and AI app builders are great for prototypes, but they won't sign the agreement that lets you legally handle regulated data. Here's the line every founder needs to know before real data shows up.
Your Ransomware Negotiator Might Be Playing Both Sides
The DigitalMint conviction proves your IR vendor pre-vetting is part of your security program, not an afterthought. Here is what to ask before the next incident, not during it.
We Used to Have Pockets. Then Someone Took Them
A choir practice rant about why women's clothing has no real pockets, how that happened, and why a missing pocket was never really about the pocket.
The AI Questionnaire Your Vendors Aren't Ready For
Your vendors' employees are using AI tools. That means your data is flowing to model providers you've never assessed. Here are the questions to start asking.
Your Tabletop Exercise Isn't Testing What You Think It Is
Most tabletop exercises are scripted theater that confirm what people already believe. Here's what actually breaks during a real incident, and how to design an exercise that finds it before someone else does.