If Everything is a (Secondary) Asset, Nothing is Manageable
In InfoSec, we talk a lot about “assets” - but if we don’t define secondary assets clearly, we end up trying to manage everything… and securing nothing well.
This is a space for practical security thinking - grounded in risk, shaped by architecture, and conscious of trade-offs. It’s about moving beyond static controls, bloated frameworks, and checkbox compliance to something more intentional: security that adapts to how systems actually work and where risks actually lie.
These writings explore how we scope controls more intelligently, model threats with clarity, and build feedback loops that make security programs smarter over time - not just louder. It’s for leaders, architects, and hands-on practitioners who believe that good security is less about doing everything, and more about doing the right things - for the right reasons, in the right places.
If that sounds like your kind of thinking, welcome.
In risk management, we rightly focus on impact. But we often gloss over threats - or treat them as vague narratives.
One of the most practical ways to reduce InfoSec “process friction” is right-sizing requirements.
Conflating what we protect with what we run on creates blind spots. Distinguish the two to build lean, actionable inventories.
We’ve gotten (reasonably) good at tracking Security Incidents - the ones that “count,” that cause damage, that trigger IR playbooks and postmortems.
Security incident frequency stats are (mostly) useless. Unless we agree on - or know - what a security incident actually is.