I’ve been in security long enough to have not had grey hair when I started. I sometimes work with technology, I sometimes write policy, I deal with risk and occasionally I build stuff; I have opinions about all of that.

I write because it helps me improve my communication skills on a complex topic; always happy for feedback if you care to send it my way via LinkedIn or Twitter.

I value the following:

  • Risk Pragmatism - I strongly believe that there is a risk appetite for everything; it can be hard to find, but we should still try. Also, we need to understand how risks become real; sometimes the thing we worry about is at the end of many other things going wrong first. That necessitates Clarity on the origin of risk: most risk comes out of our own actions, not some lurking evil. That lurking evil, the outside threat, is just the actor that instantiates the risk we caused. “The evolving threat landscape” is a way to externalize our own risky actions. Understanding risk also requires a working knowledge of technology; a strong and fundamental understanding of the medium in which risks occur. For information security or technology risk, one needs to understand technology properly, not as an academic matter, but as a practical working knowledge that evolves as technology evolves.
  • Risk Management at Scale - while, given enough effort, a risk can be determined, how do we do that consistently for hundreds or thousands of systems or cases? Or across the whole internet? We need clear decision processes supported by Measurement and Statistics. We need to make risk elements measurable, and those measurements need to be actionable; rely on the fact that we live in a universe that follows distributions (be they normal or otherwise). Measurements must be supported by Provability: how do we know that this thing is true?
  • Time and Meaning - our most finite resource is time, so if you ask people to spend it, then it should be on something valuable that they also understand is valuable for them to do. Which means you need Complete systems - there are many amazing widgets/processes/things, but they don’t work without a complete system around them to provide inputs, sustainment and handle outputs. Nothing is self-contained, so if I don’t understand how to integrate something into my existing world then it’s not useful. Not only does there need to be meaning for the practitioners, but also for the non-practitioners who want Understandable outcomes. Do non-practitioners understand what the outcomes could be, and why they might be that, before going into a risk process? I think it’s often that people assume a risk process is just a check mark when really it might result in “no”.

Way back in the day I wrote stuff for liquidmatrix and have an old blog.