m@ksim.pro
Blog

Notes on data, AI, IT and security

No marketing fog. The way I think about real problems with founders and managers.

Security

Ransomware in 2016: this is an operational threat, not an IT incident

The ransomware wave in early 2016 shows that encryption attacks have become a business continuity problem, not just a security one.

Security

Breach notification delay: the management risk that gets underestimated

Companies discover breaches months after the event. I look at why this is a leadership problem, not just a security team problem.

Security

Energy grids and ICS security: the control system is no longer separate from cyber risk

Why attacks on industrial control systems have become a reality for the energy sector, and how managers need to rethink security for OT infrastructure.

Security

Patching CVEs is a business decision, not just an IT task

Why vulnerability patching keeps getting delayed, what the real cost of that delay is, and how to frame it so it gets prioritised.

Security

Privileged access: the insider threat matters more than the outer perimeter

Why controlling privileged accounts is the most underrated security lever for a manager, and how to set up sensible protection.

Security

Password reuse is a corporate risk

How data breaches at third-party services become a threat to corporate accounts.

Security

Access rights that outlive the employee

Why revoking permissions at offboarding is not a formality, and how to keep it from falling through the cracks.

Security

NIST Cybersecurity Framework as a language between security and management

What the first version of NIST CSF offers and why it is primarily a risk management tool, not a technical standard.

Security

Privilege escalation: why access control is an operations problem

Why most serious incidents begin inside the perimeter, and how to think about privilege management as a continuous process rather than a project.

Security

Shellshock: when the old foundation becomes an attack surface

What the bash vulnerability says about the risks embedded in long-running infrastructure, and why this is a conversation for management, not only for the security team.

Security

After Heartbleed: the audit you actually need to run

Nearly two months have passed since Heartbleed was disclosed. A look at what is worth checking and doing if you have not done it yet.

Security

Heartbleed: when someone else's code becomes your problem

The OpenSSL vulnerability showed how much business depends on invisible components that nobody controls and nobody is accountable for.
