Notes on data, AI, IT and security
No marketing fog. The way I think about real problems with founders and managers.
Cross-border cloud: where your data physically is and how to verify it
Trust in a cloud provider requires concrete answers: where is the data stored physically, who has access to it, and how is that confirmed in practice.
BYOD stops being an IT question and becomes a management one
When employees' personal devices enter the corporate access perimeter, this is no longer a problem for the IT team - it is a decision the leadership has to make.
SIEM without maturity is an expensive noise machine
A good SOC starts with solid telemetry and defined scenarios, not with buying a platform.
Personal data protection done properly: it starts with a data flow model
Without a map of data flows you cannot honestly build either security controls or compliance - you are just patching random holes.
Passwords, managers, SSO: what actually reduces risk
Why access management without convenience does not scale - and how to find the balance between security and what people will actually use.
Critical infrastructure security as a leadership agenda, not an admin task
Protection of critical infrastructure is moving to the risk management level. Why this decision can no longer be delegated to system administrators.
Flame and trust in updates: when the delivery channel becomes part of the attack
The Flame malware carried a code-signing certificate that chained to Microsoft's root (obtained by abusing the Terminal Services licensing CA with an MD5 collision) and used it to impersonate Windows Update on local networks. Code signing and trusted software supply chains are now a management topic.
Privacy by design for normal people: design for minimisation, not for excuses
Collecting data you do not need creates both a security risk and operational complexity. Why data minimisation is an engineering decision, not a legal one.
Remote contractors as a second risk perimeter
External engineers and integrators require just as much access discipline as full-time staff - often more.
Security metrics for executives: why virus counts are a bad KPI
How to talk about information security in terms of risk and resilience, rather than technical counters that tell a manager nothing meaningful.
Personal data: map the flows before adding controls
Why protecting personal data starts not with encryption or policies, but with understanding what data the company actually collects and why.
Patching industrial control systems is hard, but no update regime is worse
How to bring operations engineers and security teams to a shared testing and maintenance scheme - without illusions and without paralysis.