m@ksim.pro
Blog

Notes on data, AI, IT and security

No marketing fog. The way I think about real problems with founders and managers.

Security

CrowdStrike: how one content update tears the global operational fabric

A breakdown of the July 2024 incident and what it reveals about business operational resilience.

Security

Shadow AI tools: managing risk without banning everything

How companies can manage the risks from employees' unsanctioned use of AI tools - without making a blanket ban the only answer.

Security

The xz backdoor: open source supply chain security is a topic for architects, not lawyers

A breakdown of the xz utils incident and why attacks on the open source supply chain change architectural requirements - not legal ones.

Security

NIST Cybersecurity Framework 2.0: the framework gets broader and closer to business

What changed in the new version of NIST CSF and why the update matters not only to security teams but to executives who are responsible for risk management.

Security

The Okta breach: what happens when your identity provider is compromised

A look at the Okta incident in October 2023 and practical conclusions for companies that rely on centralised authentication.

Security

Zero trust networking: a practical starting point for non-security teams

Zero trust is talked about constantly but implemented rarely. Here is a grounded explanation of what it means in practice and where a company with limited security resources should actually start.

Security

AI API keys are becoming the new security perimeter

Why connecting to language models through an API creates a new class of risks and what to do about it now, before the keys have spread across the entire infrastructure.

Security

Software supply chain attacks: when the vulnerability arrives with an update

An attack delivered through a trusted software vendor is one of the hardest threat vectors to defend against. I look at how it works and what businesses can actually do.

Security

LastPass and the lesson in secrets management: what happened and what it means

The 2022 LastPass breach became one of the most discussed incidents in credential management. I look at what happened and what conclusions matter for business.

Security

Identity after the perimeter: what zero trust is and why founders need to understand it

The corporate perimeter has ceased to exist. A breakdown of what this means for security and what practical steps follow from this logic.

Security

SSO and SaaS sprawl: why identity architecture matters before the breach

How the accumulation of SaaS tools creates an identity problem that security tools alone cannot fix - and what to do about it before something goes wrong.

Security

Ransomware in 2022: operational continuity matters more than antivirus

What the LockBit wave says about how companies should think about protection - not as a technical task but as an operational one.
