Posts
2025
OPTIMIZING THIRD PARTY DUE DILIGENCE FOR BUSINESS IMPACT
Jul 10
THIRD PARTY RISK: FOCUS ON IMPACT, NOT QUESTIONNAIRES
Jul 2
STREAMLINING THIRD PARTY RISK GOVERNANCE IN INFOSEC
Jun 26
THIRD PARTY RISK MANAGEMENT: BEYOND VENDOR QUESTIONNAIRES
Jun 19
OPERATIONAL ARTIFACTS: MANAGING GOVERNANCE BLIND SPOTS
Jun 11
SCALING GOVERNANCE: BEYOND SECONDARY ASSETS
Jun 5
SLICING SECONDARY ASSETS TOO BROADLY OR TOO NARROWLY UNDERMINES RISK MANAGEMENT
May 29
IF EVERYTHING IS A (SECONDARY) ASSET, NOTHING IS MANAGEABLE
May 22
THREAT ONTOLOGIES OVER THREAT LISTS – LESS 'LISTICLE', MORE LOGIC
May 15
NOT ALL CONTROLS, FOR ALL ASSETS, ALL THE TIME: SMARTER SCOPING STARTS WITH ASSET PROPERTIES
May 9
WHY INFOSEC INVENTORIES NEED LAYERS — AND HOW TO LINK THEM
May 2
NOT EVERY INCIDENT CAUSES DAMAGE. BUT THAT DOESN’T MEAN IT’S NOT WORTH TALKING ABOUT.
Apr 24
SECURITY INCIDENT FREQUENCY STATS ARE (MOSTLY) USELESS.
Apr 17