Hello —

I'm Jonathan. I help technology executives protect profits and maximize investments through security by design.

Subscribe below to get actionable insights on security strategy.

Most recent posts

May 19 2022	Principals make the rules
May 18 2022	Backing up passwords
May 17 2022	Grow with repetition
May 16 2022	Bad rules create more problems
May 12 2022	Threat is not vulnerability is not risk
May 11 2022	You have free money in the cloud
May 10 2022	How much to protect a sandwich
May 9 2022	Use business goals to scope your program
May 5 2022	How much should you spend?
May 4 2022	You don't store the key in the vault
May 3 2022	3 metrics cyber insurers appreciate
May 2 2022	Remove some noise
Apr 29 2022	This is what you have to do
Apr 28 2022	How to stay on top of so many security projects
Apr 27 2022	How to get to SOC 2 faster
Apr 26 2022	What you found is not risk
Apr 25 2022	Prioritize these vulnerabilities
Apr 22 2022	Show me you care
Apr 21 2022	4 features to help you close enterprise clients
Apr 20 2022	Rapid third-party risk check
Apr 19 2022	What HIPAA says you should do
Apr 18 2022	Cost of ownership
Apr 15 2022	Hidden assumptions
Apr 14 2022	How to fix t-shirt sizing
Apr 13 2022	Play more often
Apr 12 2022	A lot of small things
Apr 11 2022	Protect your insurance
Apr 9 2022	SCIM
Apr 7 2022	The efforts you've made
Apr 6 2022	7 tips to help you document
Apr 5 2022	No time for that
Apr 4 2022	Security postures
Apr 1 2022	Security awareness roadmap
Mar 31 2022	Everything is lava
Mar 30 2022	The hidden budget in your cloud bill
Mar 29 2022	A reasonable rate
Mar 28 2022	Develop capabilities
Mar 25 2022	Permission as a function of responsibility
Mar 24 2022	Identification
Mar 23 2022	Blank side
Mar 22 2022	Repetitions
Mar 21 2022	Detection with decoys
Mar 18 2022	Fail forward
Mar 17 2022	We want better apps
Mar 16 2022	Not yours, not your problem
Mar 15 2022	Things customers ask for
Mar 14 2022	Unblocking change requests
Mar 11 2022	The price of inaction
Mar 10 2022	Don't let security slow you down
Mar 9 2022	Test your assumptions
Mar 8 2022	A basic cyber risk matrix
Mar 7 2022	You have enough stuff
Mar 4 2022	A primer on HIPAA for startups
Mar 3 2022	Lost time and productivity tax
Mar 2 2022	Information assurance
Mar 1 2022	Hiring for cultural fit
Feb 28 2022	How to red team on a shoestring
Feb 25 2022	Composing faulty assumptions
Feb 24 2022	Recommendations from the Cyber Centre
Feb 23 2022	Common DeFi vulnerabilities from 2021
Feb 22 2022	Get the build automated
Feb 21 2022	The real cost of custom systems
Feb 18 2022	TIL about PCMLTFA
Feb 17 2022	Take one step
Feb 16 2022	See == download
Feb 15 2022	That one integration
Feb 14 2022	Smart contract risk is not your only risk
Feb 11 2022	How this website works
Feb 10 2022	Bringing information systems under management
Feb 9 2022	Frameworks help you avoid getting fancy
Feb 8 2022	Measure things
Feb 7 2022	Separation of duties
Feb 4 2022	Minimizing exploitability
Feb 3 2022	Using both risk control levers
Feb 2 2022	Protect the fun
Feb 1 2022	On counting
Jan 31 2022	Adopting practices instead of rules
Jan 28 2022	You're not ready for a bug bounty program
Jan 27 2022	Notes on using Kanban
Jan 26 2022	Controls when you don't have control
Jan 25 2022	How to adjust the scope of your security program
Jan 24 2022	Getting started with an asset inventory
Jan 18 2022	Advice for entry-level cybersecurity resumes
Jan 17 2022	Simple tricks for document control
Jan 13 2022	8 basic security topics to consider early on
Jan 12 2022	Technical controls projects
Dec 17 2021	Default to safe, private and secure
Dec 15 2021	Should you keep an inventory?
Dec 13 2021	ISO27K in short
Dec 10 2021	How to classify incident severity
Dec 9 2021	7 organizational controls