This is a space for practical security thinking - grounded in risk, shaped by architecture, and conscious of trade-offs. It’s about moving beyond static controls, bloated frameworks, and checkbox compliance to something more intentional: security that adapts to how systems actually work and where risks actually lie.
These writings explore how we scope controls more intelligently, model threats with clarity, and build feedback loops that make security programs smarter over time - not just louder. It’s for leaders, architects, and hands-on practitioners who believe that good security is less about doing everything, and more about doing the right things - for the right reasons, in the right places.
If that sounds like your kind of thinking, welcome.
OPTIMIZING THIRD PARTY DUE DILIGENCE FOR BUSINESS IMPACT
Last week, we covered how to assess vendor impact and identify inherent risk factors. Now: how to turn that insight into proportionate due diligence. Too often, a payment processor gets the same enterprise-grade security deep dive as the digital signage for your cafeteria. That’s proportionality for you, I guess. Your impact assessment should drive both the depth and the focus of your due diligence. Different impact levels need different approaches:
THIRD PARTY RISK: FOCUS ON IMPACT, NOT QUESTIONNAIRES
The 47-page vendor questionnaire strikes again. HR wants a new applicant tracking system to handle candidate personal data and sync with job boards. InfoSec sends the standard security assessment - the same one used for office supplies, marketing tools, and cloud storage. Three weeks later: the vendor’s frustrated, procurement’s delayed, and no one knows if the system can even meet GDPR or secure candidate data. Sound familiar? We’re doing due diligence backwards.
STREAMLINING THIRD PARTY RISK GOVERNANCE IN INFOSEC
The fastest way to kill effective third party risk management? Make InfoSec the bottleneck for every vendor decision. Yet that’s exactly what most organizations do. Every new supplier, contract renewal, and minor service change gets routed through second-line (2nd LoD) InfoSec for “approval.” The result? Procurement grinds to a halt, business units find workarounds, and actual risk decisions get made in spreadsheets and email chains. This isn’t governance - it’s gridlock. When InfoSec becomes a mandatory gate, decision-making stalls and risk quality degrades:
THIRD PARTY RISK MANAGEMENT: BEYOND VENDOR QUESTIONNAIRES
Most organizations are drowning in third party risk “management” that doesn’t actually manage risk. It just creates overhead. Most third party risk programs revolve around compliance rituals: 47-page questionnaires, spreadsheet-based risk ratings without clear criteria, annual refresh cycles - none of which change how vendors are actually used or governed. Sound familiar? This isn’t risk management - it’s security theater. The problem? We’ve confused activity with effectiveness. We’re managing paperwork, not risk.
OPERATIONAL ARTIFACTS: MANAGING GOVERNANCE BLIND SPOTS
So far in this series, we’ve zeroed in on secondary assets - tangible technical units subject to risk management. But what about all the other things floating around your environment? Small apps on an endpoint (remember 7zip?), SharePoint sites, custom dashboards - none of these fit neatly as secondary assets. Yet ignoring them isn’t an option either. They’re not traditional assets, and managing each one like an asset would stretch operational resources fast.
SCALING GOVERNANCE: BEYOND SECONDARY ASSETS
In the first two posts of this series, we defined what secondary assets are and how we can meaningfully group them to support risk management. We explored how broad or narrow those slices can be - and where that structure provides value.
SLICING SECONDARY ASSETS TOO BROADLY OR TOO NARROWLY UNDERMINES RISK MANAGEMENT
Last week, we tackled what makes a good secondary asset definition - why slicing too broadly or narrowly undermines effective risk management. Now, the real work begins: how do you actually slice secondary assets so risk becomes manageable, not a free-for-all?
IF EVERYTHING IS A (SECONDARY) ASSET, NOTHING IS MANAGEABLE
In InfoSec, we talk a lot about “assets” - but if we don’t define secondary assets clearly, we end up trying to manage everything… and securing nothing well.
THREAT ONTOLOGIES OVER THREAT LISTS – LESS 'LISTICLE', MORE LOGIC
In risk management, we rightly focus on impact. But we often gloss over threats - or treat them as vague narratives.
NOT ALL CONTROLS, FOR ALL ASSETS, ALL THE TIME: SMARTER SCOPING STARTS WITH ASSET PROPERTIES
One of the most practical ways to reduce InfoSec “process friction” is right-sizing requirements.