Blog

Most recent posts

May 19 2022   Principals make the rules
May 18 2022   Backing up passwords
May 17 2022   Grow with repetition
May 16 2022   Bad rules create more problems
May 12 2022   Threat is not vulnerability is not risk
May 11 2022   You have free money in the cloud
May 10 2022   How much to protect a sandwich
May 9 2022   Use business goals to scope your program
May 5 2022   How much should you spend?
May 4 2022   You don't store the key in the vault
May 3 2022   3 metrics cyber insurers appreciate
May 2 2022   Remove some noise
Apr 29 2022   This is what you have to do
Apr 28 2022   How to stay on top of so many security projects
Apr 27 2022   How to get to SOC 2 faster
Apr 26 2022   What you found is not risk
Apr 25 2022   Prioritize these vulnerabilities
Apr 22 2022   Show me you care
Apr 21 2022   4 features to help you close enterprise clients
Apr 20 2022   Rapid third-party risk check
Apr 19 2022   What HIPAA says you should do
Apr 18 2022   Cost of ownership
Apr 15 2022   Hidden assumptions
Apr 14 2022   How to fix t-shirt sizing
Apr 13 2022   Play more often
Apr 12 2022   A lot of small things
Apr 11 2022   Protect your insurance
Apr 9 2022   SCIM
Apr 7 2022   The efforts you've made
Apr 6 2022   7 tips to help you document
Apr 5 2022   No time for that
Apr 4 2022   Security postures
Apr 1 2022   Security awareness roadmap
Mar 31 2022   Everything is lava
Mar 30 2022   The hidden budget in your cloud bill
Mar 29 2022   A reasonable rate
Mar 28 2022   Develop capabilities
Mar 25 2022   Permission as a function of responsibility
Mar 24 2022   Identification
Mar 23 2022   Blank side
Mar 22 2022   Repetitions
Mar 21 2022   Detection with decoys
Mar 18 2022   Fail forward
Mar 17 2022   We want better apps
Mar 16 2022   Not yours, not your problem
Mar 15 2022   Things customers ask for
Mar 14 2022   Unblocking change requests
Mar 11 2022   The price of inaction
Mar 10 2022   Don't let security slow you down
Mar 9 2022   Test your assumptions
Mar 8 2022   A basic cyber risk matrix
Mar 7 2022   You have enough stuff
Mar 4 2022   A primer on HIPAA for startups
Mar 3 2022   Lost time and productivity tax
Mar 2 2022   Information assurance
Mar 1 2022   Hiring for cultural fit
Feb 28 2022   How to red team on a shoestring
Feb 25 2022   Composing faulty assumptions
Feb 24 2022   Recommendations from the Cyber Centre
Feb 23 2022   Common DeFi vulnerabilities from 2021
Feb 22 2022   Get the build automated
Feb 21 2022   The real cost of custom systems
Feb 18 2022   TIL about PCMLTFA
Feb 17 2022   Take one step
Feb 16 2022   See == download
Feb 15 2022   That one integration
Feb 14 2022   Smart contract risk is not your only risk
Feb 11 2022   How this website works
Feb 10 2022   Bringing information systems under management
Feb 9 2022   Frameworks help you avoid getting fancy
Feb 8 2022   Measure things
Feb 7 2022   Separation of duties
Feb 4 2022   Minimizing exploitability
Feb 3 2022   Using both risk control levers
Feb 2 2022   Protect the fun
Feb 1 2022   On counting
Jan 31 2022   Adopting practices instead of rules
Jan 28 2022   You're not ready for a bug bounty program
Jan 27 2022   Notes on using Kanban
Jan 26 2022   Controls when you don't have control
Jan 25 2022   How to adjust the scope of your security program
Jan 24 2022   Getting started with an asset inventory
Jan 18 2022   Advice for entry-level cybersecurity resumes
Jan 17 2022   Simple tricks for document control
Jan 13 2022   8 basic security topics to consider early on
Jan 12 2022   Technical controls projects
Dec 17 2021   Default to safe, private and secure
Dec 15 2021   Should you keep an inventory?
Dec 13 2021   ISO27K in short
Dec 10 2021   How to classify incident severity
Dec 9 2021   7 organizational controls