Most organisations are carrying more security debt than they realise. It’s not just old severs and unpatched systems, but years of shortcuts,exceptions and 'temporary' decisions that never quite got unwound. On paper controls exist. In reality, there are seams, overlaps, and blind spots that only become visible when something goes wrong. Security debt is the … Continue reading Living with Security Debt
Most security teams are busy. That's a given. There is always another project, audit or incident competing for attention. In that environment, it is dangerously easy to confuse activity with impact. Everyone is working hard, but it is not always clear whether the organisation is genuinely safer or simply more exhausted. A high‑impact security team … Continue reading From Firefighting to Forward‑Looking: Building a High‑Impact Security Team
Let's talk about people. Much of the conversation around cyber security and STEM focuses on technical controls, tooling, frameworks and policies. These discussions are necessary, they form the backbone of effective security and innovation. But they are not the whole picture. For this post, I will be stepping away from technology and process and discussion … Continue reading Why Representation Matters in STEM Careers
Modern security environments are built on shared responsibility. Cloud providers, third-parties, internal teams, and business leaders all play a role in managing risk. In theory, this model enables scale and flexibility. In practice, it often creates gaps. Many security failures are not caused by a lack of controls or awareness, but by uncertainty over who … Continue reading When Shared Responsibility Means No Responsibility
The events of 2025 have challenged long-held assumptions about cloud resilience. Many organisations have implemented widely accepted best practices, multi-availability zone architectures, multi-region deployments, and cloud-native backup solutions, yet still experienced prolonged disruption. In each case, the underlying issue was not a failure of compute or storage. Instead, failures occurred in control-plane services such as … Continue reading Cloud Resilience Lessons from 2025 Outages
AI has moved from hype to daily reality within security operations, and attackers are adopting it just as quick as - or in some cases faster than - defenders. For security leaders, the question is no longer “if” AI matters, but how to harness it without introducing new risks. How Attackers are Using AI Attackers … Continue reading AI at the Gate: How Attackers & Defenders Are Using AI in 2025
The UK’s new Cyber Security and Resilience (Network & Information Systems) Bill is the biggest shake-up of cyber regulation since the original NIS directive in 2018. It is designed to make the essential and digital services people rely on every day more resilient to both cyber criminals and state backed threats. Why This Bill Exists … Continue reading What the UK Cyber Security & Resilience Bill Really Means for Your Organisation
Threat actors are not a single, uniform group. They range from financially motivated gangs to state-linked operators and loosely structured criminal ecosystems, each with different objectives and levels of sophistication. Understanding a few prominent examples can assist teams in thinking more clearly about how attackers operate. This helps identify where defences are likely to be … Continue reading Understanding Modern Threat Actors: Perspectives & Strategies
Security teams are often seen as the function that slows work down, adds extra steps, or blocks ideas at the last minute. That perception does not just impact team relationships; it directly affect how early people involve security and how willing they are to act on advice. Shifting security from "blocker" to "business enabler" is … Continue reading Transforming Security: From Blocker to Business Enabler
When a security incident occurs, technical response often becomes the immediate focus - isolating systems, analysing logs, restoring services. However, the effectiveness of an incident response also depends on how well teams communicate under time pressure and uncertainty. Clear, structured communication helps people understand priorities, coordinate activity, and avoidable delays. Communication will not remove risk … Continue reading Enhancing Incident Response Through Effective Communication
The Security Brief 