Hi — I'm Jonathan.

I'm a creative technologist who likes to understand how systems work. I specialize in helping startups ship secure software.

Blog posts

Ask for confidence levels
Spend more time on the out breath
How to manage vendor risk
Avoid shared service accounts
Prevention is not enough
Principals make the rules
Backing up passwords
Grow with repetition
Bad rules create more problems
Threat is not vulnerability is not risk
You have free money in the cloud
How much to protect a sandwich
Use business goals to scope your program
How much should you spend?
You don't store the key in the vault
3 metrics cyber insurers appreciate
Remove some noise
This is what you have to do
How to stay on top of so many security projects
How to get to SOC 2 faster
What you found is not risk
Prioritize these vulnerabilities
Show me you care
4 features to help you close enterprise clients
Rapid third-party risk check
What HIPAA says you should do
Cost of ownership
Hidden assumptions
How to fix t-shirt sizing
Play more often
A lot of small things
Protect your insurance
SCIM
The efforts you've made
7 tips to help you document
No time for that
Security postures
Security awareness roadmap
Everything is lava
The hidden budget in your cloud bill
A reasonable rate
Develop capabilities
Permission as a function of responsibility
Identification
Blank side
Repetitions
Detection with decoys
Fail forward
We want better apps
Not yours, not your problem
Things customers ask for
Unblocking change requests
The price of inaction
Don't let security slow you down
Test your assumptions
A basic cyber risk matrix
You have enough stuff
A primer on HIPAA for startups
Lost time and productivity tax
Information assurance
Hiring for cultural fit
How to red team on a shoestring
Composing faulty assumptions
Recommendations from the Cyber Centre
Common DeFi vulnerabilities from 2021
Get the build automated
The real cost of custom systems
TIL about PCMLTFA
Take one step
See == download
That one integration
Smart contract risk is not your only risk
How this website works
Bringing information systems under management
Frameworks help you avoid getting fancy
Measure things
Separation of duties
Minimizing exploitability
Using both risk control levers
Protect the fun
On counting
Adopting practices instead of rules
You're not ready for a bug bounty program
Notes on using Kanban
Controls when you don't have control
How to adjust the scope of your security program
Getting started with an asset inventory
Advice for entry-level cybersecurity resumes
Simple tricks for document control
8 basic security topics to consider early on
Technical controls projects
Default to safe, private and secure
Should you keep an inventory?
ISO27K in short
How to classify incident severity
7 organizational controls