Notes on data, AI, IT and security
No marketing fog. The way I think about real problems with founders and managers.
GDPR data inventory is not a legal task
Why the personal data register that GDPR requires is operationally useful - and how to build it properly before the regulation comes into force.
Meltdown and Spectre: when the CPU layer became a security problem
What processor vulnerabilities mean for executives, and why they change the conversation about security at the infrastructure level.
GDPR takes effect in six months: what companies with EU exposure need to do
The European data protection regulation goes live in May 2018. Companies with European customers or offices are required to comply, regardless of where they are based.
The Equifax breach: lessons for any company holding customer data
A breakdown of the Equifax incident and practical takeaways for executives whose companies collect and store personal data.
Russia's 187-FZ: critical infrastructure security as a separate agenda
What the new critical information infrastructure law means for companies in regulated industries, and why this is not just another compliance exercise.
NotPetya: the lesson that a cyberattack can become pure operational loss
What the NotPetya attack reveals about the nature of modern cyber incidents and why this is not just an IT problem but a risk to a company's ability to operate.
WannaCry: a lesson for any company with an aging estate and weak recovery
What the WannaCry attack reveals about the real state of patch management and recovery readiness in most organisations.
Forgotten accounts: the quiet debt in access management
Why access audits are not a one-off check but a continuous process, and how former employees and contractors stay as entry points into systems.
How architecture changes after large breaches and trust failures
Yahoo, LinkedIn, Dropbox - 2016 showed that breaches happen to everyone. Here is what this changes in how companies should think about trust architecture.
The enterprise case for a password manager, made simply
After another year of major credential breaches, the argument for a corporate password manager is no longer mainly technical. It is an operational risk argument.
An encrypted backup is not a backup: what ransomware changed
Ransomware made the standard backup scheme insufficient. Here is exactly what to check.
Security incident response: who makes the decisions
During an incident there is no time to build a command chain on the fly. I look at what needs to be defined in advance and why this is a management question, not a technical one.