Notes on data, AI, IT and security
No marketing fog. The way I think about real problems with founders and managers.
When AI exposes the debt sitting in your codebase
The first numbers from Anthropic's Glasswing project are not a story about a smart model. They are a story about how much old vulnerability lives in code we use every day.
Shadow AI: how the new shadow IT is becoming a security problem
Employees are using AI tools without IT department oversight. The pattern is familiar - but the risks are different from classic shadow IT.
Data, IT, and security cannot be separated
Why splitting these three areas across different teams turns any technology project into a quiet source of hidden risk.
NIS2 simplification package: where compliance becomes less paperwork
What the EU regulatory simplification package around NIS2 means for companies working with European partners or clients.
AI shifts the phishing baseline: what companies need to rethink
Generative models have reduced the cost of producing convincing phishing emails to zero. I break down how this changes the threat model and what needs to change in defence.
The CrowdStrike outage lesson: when protection becomes a single point of failure
The CrowdStrike update incident in July 2024 halted operations at thousands of companies worldwide. What it reveals about resilience architecture.
Zero trust: what it means in practice for a mid-size company
Zero trust has become a buzzword. Behind it is a genuinely useful access model - but getting there requires specific decisions, not just a policy statement.
AI assistants and identity: the new attack surface
When corporate AI assistants gain access to email, documents, and systems, a new class of threats emerges that managers need to understand.
SaaS supply chain attacks: lessons for managers
Incidents from early 2025 show that a company's security perimeter now runs through its SaaS providers. What this means in practice.
2024 in security: what changed and what stayed the same
A brief look at what 2024 added to the information security landscape - for those who make decisions, not just execute them.
Zero trust architecture: what it means in practice for a growing company
A clear explanation of zero trust as an operational security model - what changes, what stays the same, and how to approach adoption without a rewrite of everything.
NIS2: the directive starts living in practice, not just in PDFs
What NIS2 enforcement means for companies operating in the European market: who is covered, what is required, and where to start.