This is a space for practical security thinking - grounded in risk, shaped by architecture, and conscious of trade-offs. It’s about moving beyond static controls, bloated frameworks, and checkbox compliance to something more intentional: security that adapts to how systems actually work and where risks actually lie.
These writings explore how we scope controls more intelligently, model threats with clarity, and build feedback loops that make security programs smarter over time - not just louder. It’s for leaders, architects, and hands-on practitioners who believe that good security is less about doing everything, and more about doing the right things - for the right reasons, in the right places.
If that sounds like your kind of thinking, welcome.
WHY INFOSEC INVENTORIES NEED LAYERS — AND HOW TO LINK THEM
Conflating what we protect with what we run on creates blind spots. Distinguish the two to build lean, actionable inventories.
NOT EVERY INCIDENT CAUSES DAMAGE. BUT THAT DOESN’T MEAN IT’S NOT WORTH TALKING ABOUT.
We’ve gotten (reasonably) good at tracking Security Incidents - the ones that “count,” that cause damage, that trigger IR playbooks and postmortems.
SECURITY INCIDENT FREQUENCY STATS ARE (MOSTLY) USELESS.
Security incident frequency stats are (mostly) useless. Unless we agree on - or know - what a security incident actually is.