Smart Contracts

I was interviewed for, and quoted in, this ISACA publication around Smart Contracts.

Upon reflection, what we are really seeing is just a continuation of the concept of Code = Law as pointed out by Lawrence Lessig in his 1999 book, Code and Other Law of Cyberspace.

The Smart Contracts doc is a free download (after registration) and can be found here:


Cyber Deterrence

I was reading up on cyber deterrence today and ran across this little gem in relation to nuclear deterrence:

Because of the value that comes from the ambiguity of what the US may do to an adversary if the acts we seek to deter are carried out, it hurts to portray ourselves as too fully rational and cool-headed. The fact that some elements may appear to be potentially “out of control” can be beneficial to creating and reinforcing fears and doubts within the minds of an adversary’s decision makers. This essential sense of fear is the working force of deterrence. That the US may become irrational and vindictive if its vital interests are attacked should be a part of the national persona we project to all adversaries.

–Essentials of Post Cold War Deterrence (1995)



Interesting Times

In my latest column I wanted to call out some of the dichotomy that exists in the cyber world today. There are so many exciting new technologies in the world, and so much more risk inherent in them. Working in risk means that you can’t avoid bad things entirely (any more than you can stop the future from becoming the present), but you also have to weigh the risk of NOT participating in the latest new technology. And that is what makes working in cybersecurity and risk so interesting!

You can read my thoughts on this here.


Interviewed on the Juicebox Podcast

I was recently interviewed on the JuiceBox Podcast, a production of the Arden’s Day Blog. This is a Diabetes-heavy conversation, which I sometimes talk about on my Blog. About halfway through we do have a little discussion about risk when we talk about how I viewed having a child with T1D the same as me.

Anyway, it’s a light-hearted, casual conversation. You can listen here. I hope you enjoy.

Risk and Regulation

My latest @ISACA article was published today. In it, I focus on the notion of where our authority comes from in Information Security. Too often, in my opinion, we rely on regulation as a source of “why” when articulating control requirements. I think this is dangerous and counter to the very nature of what an effective risk practitioner is.

Take a read and let me know your thoughts!


Article on Cyber Risk Taxonomy on Risk.Net

I wrote a piece for that discusses techniques for integrating a cyber risk taxonomy with an operational risk taxonomy.

It’s behind a paywall, so apologies for that up front, but they do have a free trial.

It’s a great article for those who are struggling with aligning the need for cyber risk granularity with an overall operational risk program.