Articles
Writing on security training, incident response, and reaching the infosec community. The regulation pieces map NIS2, DORA, CMMC and the FAR CUI rule to what a game or a tabletop actually gives you. The rest is mostly about marketing security to people who distrust marketing.
CUI protection is about to stop being a defense-only problem.
For years, protecting Controlled Unclassified Information to the NIST 800-171 standard has mostly meant one audience: defense contractors, and the CMMC program built to enforce it. The proposed FAR CUI rule changes who's on the hook. It would extend NIST SP 800-171 to...
CMMC does not just want an IR plan. It wants you to test it.
CMMC certification is how a company stays eligible for US Department of Defense contracts, and it asks for more than a binder of policies. To reach Level 2 you have to meet the practices in NIST SP 800-171, and two of them are about your people, not your paperwork....
DORA says test your resilience. A document is not a test.
DORA made operational resilience testing a legal duty for financial entities across the EU, not an internal best practice. It expects a real testing programme and business-continuity arrangements that actually work. Plenty of firms are handling that with a documented...
NIS2 says train your board. A slide deck will not do it.
NIS2 turned board-level security training into a legal obligation, not a nice-to-have. Article 20 puts accountability for cyber risk on the management body itself, and Article 20(2) requires those same people to be trained. Most organisations are dealing with that by...
Stop Running Boring Incident Response Tabletop Exercises
I have seen this scene too many times.A group of people in a meeting room. Coffee on the table. Laptops open. A slide deck on the screen. The title says something like Ransomware Scenario Q2.Someone from security reads the scenario. People nod. A few people answer...
Want commercial success in infosec? Stop doing marketing! (like everyone else)
In the rapidly evolving digital landscape, traditional marketing strategies no longer suffice in the InfoSec sector. This article explores a transformative approach based on deep community engagement, demonstrating how genuine support and understanding of the InfoSec...
Got problems attracting infosec talent? It’s time for your organization to learn geek!
Embracing the infosec community and people in it is important if you want to attract the talent you need. Learning to understand geeks and geek subculture is an important skill here. Read on and understand why both your HR and marketing departments need to learn geek....
Employer Branding: Why Anthropology matters in your efforts to hire cyber security talent
There’s a lack of talent in cybersecurity. Nobody seems to be able to hire enough qualified specialists. Nothing’s new in that. What’s really strange when speaking of this lack of talent is that no one seems to do anything about that and their situation. While you...







