Modern Risk Management – Presentable, Not Useful
Risk management stopped being about understanding how things fail somewhere around the time it became more important to demonstrate that a process was followed. We now have popular artefacts hiding shallow thinking.
-

Controls Without Consequence: The Organizational Roots of Security Theater
Most security programs have a number of controls. The hard question, rarely asked, is whether those controls would hold against an adversary actually trying to get through. The gap isn’t primarily a technical problem. It’s what happens when the systems used to evaluate security are the same ones optimized to avoid uncomfortable truths about…
-

The Inherent Risk Fallacy
The traditional idea of inherent risk rests on imaginary scenarios and binary assumptions about controls. This piece unpacks where the concept falls apart and why better tools already exist.
-

Beyond the Checklist: What Cybersecurity Can Learn from Occupational Safety
Cybersecurity has become obsessed with proving compliance rather than understanding risk. The Law of the Instrument reminds us that when all you have is a hammer, everything looks like a nail, and our hammer has become the checklist. Until we move from box-ticking to real risk thinking, we’ll keep mistaking activity for assurance.
-

The Problem with Oversimplified Cybersecurity Advice
Simplification matters. It allows us to reach a wider audience. But if we’re not careful, we run the risk of misleading the people we’re hoping to help.
-

What MITRE’s Funding Scare Can Teach Us About Systemic Risk
It is in our collective interest to think a bit more clearly about institutional issues such as the dangers of governance and funding failures, and the MITRE funding scare gives us an ideal opportunity to do just that.