Giving a talk at ATLSecCon on Thursday April 9 at 3pm.

Giving a talk at ATLSecCon on Thursday April 9 at 3pm. The thesis: cybersecurity is always and everywhere a risk management function.

Frameworks, certs, Bodies of Knowledge — everyone has an answer to how we should do security. But ask "what are we actually trying to accomplish?" and things get quieter.

Rick Howard's formulation: reduce the probability of a material cyber event in the next business cycle. Not perfect security. Not audit compliance. Risk.

Come tell me I'm wrong.

#cybersecurity #riskmanagement #ATLSecCon

Finished "A Vulnerable System" by Andrew Stewart (Cornell, 2021) - a Cybersecurity Canon Hall of Fame selection that traces the history of our field.

What stayed with me: Stewart's challenge to the received wisdom we've built careers on. The CIA triad, defense in depth, "no security through obscurity" - who decided these are best practices, and has anyone verified they actually work? His core argument is that security remains an economic and psychological problem. We keep engineering technical solutions for human ones.

https://www.goodreads.com/review/show/8386873192
https://amazon.ca/dp/1501758942