
Expert insights on cybersecurity trends.


The "Apple" of AI: How Anthropic is Redefining Global Cybersecurity
As a security practitioner, it can be hard to see a light at the end of the tunnel right now. We are watching the threat landscape evolve at a blistering pace, and it often feels like the bad guys are constantly two steps ahead. But with Anthropic’s recent announcement of Claude Mythos Preview and the formation of Project Glasswing, I actually find myself genuinely excited. We are standing at a pivotal crossroads in global cybersecurity, and what we are seeing is just the tip

Martin Bally
Apr 10 · 3 min read


The Human-in-the-Loop Illusion: Why Your AI “Safety Gate” is Actually a Backdoor
In the rush to adopt agentic AI, the industry has reached a collective, comfortable consensus: we will keep a “Human-in-the-Loop” (HITL). We treat this human gatekeeper as the ultimate fail-safe, the adult in the room who will catch the hallucination, block the prompt injection, and stop the rogue API call. But as a CISO looking at the intersection of machine speed and human psychology, I’m convinced we are being sold a dangerous form of security theater. We are treating the

Martin Bally
Apr 8 · 3 min read


Playing Devil’s Advocate: Why the CISO Shouldn't Always Report to the CEO
I want to play Devil's Advocate for a minute. If you read the latest industry articles or listen to the loudest voices in the room, there is a constant, almost dogmatic drumbeat: The CISO must report directly to the CEO. But after a career spent reporting across the entire C-suite, from the CIO and COO to the CFO and General Counsel, I recently presented at an HMG Advisory Board meeting on the topic. I'll give you my personal experience on why that direct reporting line is n

Martin Bally
Mar 24 · 4 min read


The Tactical Trap: Why a CISO’s Greatest Asset is People, Not Technology
A playbook for escaping the weeds, empowering your leaders, and building a high-retention security culture. It is incredibly common to see CISOs get trapped in the weeds. They spend their days reviewing SIEM alerts, approving minor architecture changes, and acting as the final escalation point for every operational hiccup. But a CISO who lives in the tactical day-to-day cannot do their actual job. A successful CISO must be a strategist, a relationship builder, and, frankly, a

Martin Bally
Mar 7 · 3 min read


The Entry-Level Paradox: Navigating the MSSP and AI Squeeze in the Tech Job Market
If you pay attention to the headlines, the tech and cybersecurity industries are facing a massive talent shortage. Yet, if you talk to students at university career fairs, you hear a completely different story: an impenetrable wall of rejection, silent employers, and a seemingly nonexistent entry-level job market. So, what is actually going on? The truth is, we are facing an "entry-level paradox." As an industry, we created a structural bottleneck that is locking out new grad

Martin Bally
Feb 19 · 4 min read


The CISO Reality Check: Surviving the Liability Trap, the Veto Myth, and the Quantum Horizon
A recent CSOonline article by Evan Schuman brought a sobering statistic to light: 69% of CISOs are open to leaving their roles, with many looking to exit the publicly traded enterprise space entirely. According to the IANS Research and Artico Search survey cited in the piece, security leaders are exhausted by “role design failure,” carrying outsized responsibility without the budget or authority to match. The CSOonline piece correctly identifies the panic, but if you ask vet

Martin Bally
Feb 16 · 4 min read


The Agentic Shift: Why the Next 3 Years Will Determine Your Company’s Survival
No Employee Left Behind will Fail
We are standing at the edge of a technological precipice that makes the shift from on-premise to cloud look like a minor upgrade. The era of "Chatbot AI", where we ask a bot to write an email or summarize a PDF, is ending. We are entering the era of Agentic AI: digital employees that don't just talk, but act. Consider a simple, high-value use case: Invoicing. In the old world, a human reviews an invoice against a contract. In the Generativ

Martin Bally
Feb 11 · 4 min read


Muscle Memory in the Boardroom: Why One-Size-Fits-All Tabletops Fail
From the Boardroom to the Battleground.
No professional sports team takes the field without practice. They don’t just read the playbook; they run the drills until the movement is instinctual. They build muscle memory. Yet, in cybersecurity, we often expect our organizations to perform perfectly during a crisis with nothing more than a paper plan and a once-a-year generic drill. I’ve run tabletop exercises (TTX) across various organizations, from technical deep dives to board

Martin Bally
Feb 5 · 4 min read


The 5-Day Advantage: How We Used Agentic AI to Beat Adversaries to the Punch
It started with a question in the boardroom, one of those questions that stops the room cold. A board member looked at me and asked, "How are adversaries using 'genetic' AI against us, and what are we doing to combat it?" He meant Agentic AI, but the slip of the tongue was almost poetic. "Genetic" implies evolution, something built into the DNA of the threat. And he was right. The threat landscape has evolved. We are no longer fighting static scripts; we are fighting autonom

Martin Bally
Jan 29 · 3 min read


Beyond the Scorecard: Transforming Board Reporting from "Score Chasing" to Strategic Risk
How to Shift the Board Conversation from "Target Scores" to Strategic Resilience
Early in my tenure at a previous organization, I found myself in a familiar cycle. We had just finished an annual risk assessment. Naturally, the Board asked the question that every Director is conditioned to ask: "Okay, we are at a 2.5 today. What is the target score for next year? Should we be a 3.5? A 4.0?" They were treating cybersecurity maturity like a sales forecast, pick a number, hit the

Martin Bally
Jan 22 · 3 min read


From Panic to Process: A 3-Year Vulnerability Management Transformation
How we moved the Board from asking "Are we safe?" to understanding "How we are managed."
At a previous organization, I walked into a boardroom that was on edge. We were just emerging from the pandemic, which meant our reliance on VPNs and remote infrastructure was at an all-time high. Simultaneously, the headlines were dominated by the "boogeymen" of the industry: the Equifax breach was still fresh, the chaos of Log4j was unfolding, and a constant stream of VPN zero-days was

Martin Bally
Jan 15 · 5 min read


Surviving Ransomware
The Day the Infrastructure Turned: A CISO's Post-Mortem of the Cuba Siege
In the world of cyber resilience, there is a distinct difference between a "security event" and a "material crisis." As a CISO, you live with the quiet knowledge that it isn't a matter of if, but when. My first major encounter with a material ransomware event was against the Cuba ransomware variant (linked to the Russian-aligned Tropical Scorpius group). It was an incident that didn't just test our tec

Martin Bally
Jan 6 · 5 min read


Beyond the Gate: Scaling TPRM in an AI-Driven Ecosystem
In late 2022, during the Global Resilience Federation (GRF) Summit, a group of us from the Consumer Packaged Goods (CPG) sector formed a working group to confront a shared reality. While our peers in Finance or Tech were managing digital assets, we were managing a physical-digital hybrid: a sprawling ecosystem where a cyber incident at a tier-one logistics provider or a "mom-and-pop" tomato farmer could equally halt our operations. By 2022, 85% of businesses viewed Third-Pa

Martin Bally
Dec 18, 2025 · 3 min read