Articles

Writing on security training, incident response, and reaching the infosec community. The regulation pieces map NIS2, DORA, CMMC and the FAR CUI rule to what a game or a tabletop actually gives you. The rest is mostly about marketing security to people who distrust marketing.

CUI protection is about to stop being a defense-only problem.

CUI protection is about to stop being a defense-only problem.

For years, protecting Controlled Unclassified Information to the NIST 800-171 standard has mostly meant one audience: defense contractors, and the CMMC program built to enforce it. The proposed FAR CUI rule changes who's on the hook. It would extend NIST SP 800-171 to...

CMMC does not just want an IR plan. It wants you to test it.

CMMC does not just want an IR plan. It wants you to test it.

CMMC certification is how a company stays eligible for US Department of Defense contracts, and it asks for more than a binder of policies. To reach Level 2 you have to meet the practices in NIST SP 800-171, and two of them are about your people, not your paperwork....

DORA says test your resilience. A document is not a test.

DORA says test your resilience. A document is not a test.

DORA made operational resilience testing a legal duty for financial entities across the EU, not an internal best practice. It expects a real testing programme and business-continuity arrangements that actually work. Plenty of firms are handling that with a documented...

NIS2 says train your board. A slide deck will not do it.

NIS2 says train your board. A slide deck will not do it.

NIS2 turned board-level security training into a legal obligation, not a nice-to-have. Article 20 puts accountability for cyber risk on the management body itself, and Article 20(2) requires those same people to be trained. Most organisations are dealing with that by...

Stop Running Boring Incident Response Tabletop Exercises

Stop Running Boring Incident Response Tabletop Exercises

I have seen this scene too many times.A group of people in a meeting room. Coffee on the table. Laptops open. A slide deck on the screen. The title says something like Ransomware Scenario Q2.Someone from security reads the scenario. People nod. A few people answer...

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.