How security failures learned to sound reasonable

The most useful phrases in a modern security programme are the ones that cannot be argued with. “The platform gives us coverage.” “We have visibility.” “The tool supports MFA.” Each one is calm, professional, and technically defensible. Each one can also be doing something quietly different from what the room hears.

How the grammar works

Three small grammatical moves do most of the heavy lifting. The first is capability standing in for implementation: “The platform supports MFA”, “Defender has ransomware protection”, “Our firewall can do segmentation”. ...

May 3, 2026 · 5 min

How some ideas outlast their own evidence

Across many mature organisations, the same phrases seem to keep coming back, like “Aligned with best practice”, “The control is in place”, and “We followed the framework”. They survive failure. They survive scandal. They survive the people who used them last time. The question worth asking is perhaps not whether they are accurate, but why they are so robust. The usual explanations cover bureaucratic inertia, regulatory capture, and the well-documented limits of organisational learning. These are real, but they are not the most interesting part. The more interesting possibility is that these phrases are doing useful work. Just not the work they appear to be doing. ...

May 3, 2026 · 6 min

Is your threat model already behind?

Most organisations think they have a threat model. What they usually have is a historical artefact: a snapshot of how the environment looked on the day several people sat in a room with diagrams, coffee, and varying levels of optimism. The session happens. Assets are mapped. Threats are identified. Risks are scored. A document is produced. The document is reviewed, approved, uploaded somewhere nobody voluntarily visits, and occasionally resurrected during audits or post-incident archaeology. ...

May 2, 2026 · 5 min

Architecture reviews that approve instead of challenge

Architecture reviews exist to catch problems before they become expensive. In practice, most reviews catch a different set of problems from the ones they were designed to find, and miss a different set from the ones that will eventually cause trouble. This is not because the reviewers lack competence. It is because most architecture reviews are not designed to produce understanding. They are designed to produce alignment and distribute accountability. Once that is the function, the outcome is predictable. ...

April 2, 2026 · 5 min

NIS2 compliance: The Kafkaesque burden on Europe’s companies

Europe requires hundreds of thousands of companies to meet stringent cybersecurity standards, yet the pool of auditors able to certify them is woefully small.

November 26, 2025 · 4 min