Postmodern Security An End to Manifestos
- Let’s Stop the Security Shaming, by Michele Chubirka aka "Mrs. Y" on May 29, 2024 at 6:29 pm
When I started this blog over a decade ago, my understanding of postmodernism arose from my college studies of art history and aesthetics. Like Camille Paglia, I was not a fan of the movement or the result: the soul-crushing commoditization of art. I used the title as a pretentious insider joke to highlight the deplorable
- Fear and Loathing in Security Dashboards, by Michele Chubirka aka "Mrs. Y" on January 25, 2024 at 8:58 pm
Recently a colleague asked for my help in understanding why he was seeing a specific security alert on a dashboard. The message said that his database instance was “exposed to a broad public IP range.” He disagreed with this assessment because it misrepresented the configuration context. While the database had a public IP, only one
- Introducing: Security’s Social Problem, by Michele Chubirka aka "Mrs. Y" on July 12, 2023 at 8:17 pm
I’m releasing a new video series on the interpersonal challenges in cybersecurity and how this issue becomes the biggest hurdle to reducing risk in an organization. According to the 2023 Verizon Data Breach Investigations Report (DBIR), 74% of all breaches include a human element. For this reason, I think it’s time we start to address how
- Dancing with the Cloud, by Michele Chubirka aka "Mrs. Y" on May 24, 2023 at 6:39 pm
Recently, I’ve written about the dangers posed by technology fallacies and one of the most frustrating for me involves discussions of “best in class.” In my experience, this mindset causes technology teams to get themselves wrapped up in too many pointless discussions followed by never-ending proof-of-concept work all in search of that non-existent perfect tool.
- Trapped by Technology Fallacies, by Michele Chubirka aka "Mrs. Y" on May 11, 2023 at 4:31 pm
After working in tech at several large companies over a couple of decades, I’ve observed some of the worst fallacies that cause damage to organizations. They don’t arise from malice, but from a scarcity of professional reflection in our field. Technologists often jump to problem solving before spending sufficient time on problem setting, which
- Supply Chain Security Jumps the Shark, by Michele Chubirka aka "Mrs. Y" on April 11, 2023 at 9:49 pm
Can we collectively agree that the supply chain security discussion has grown tiresome? Ten years ago, I couldn’t get anyone to pay attention to the supply chain outside of the federal government crowd, but now it continues to be the security topic du jour. And while this might seem like a good thing, it’s increasingly
- Architecture Frameworks: Meaningful or Ridiculous?, by Michele Chubirka aka "Mrs. Y" on March 1, 2023 at 11:07 pm
Earlier this week someone reached out to me on LinkedIn after listening to a podcast episode I was on where I discussed security architecture and cloud migration. He had been thinking about moving into architecture from security engineering and wanted some suggestions about making that transition successful. Specifically, he wanted to know what I thought
- Why Your Security Program Is Failing, by Michele Chubirka aka "Mrs. Y" on March 1, 2022 at 9:14 pm
Why do I assert most programs are failing? Because it’s not getting any better. Just look at the 2021 holiday gift that was Log4J. Could the problem be with our approach? Some treat Information Security programs as a finite linear progression from an imperfect current state to a future improved state, or worse, a Sisyphean
- Compliance As Property, by Michele Chubirka aka "Mrs. Y" on November 30, 2021 at 12:01 am
In engineering, a common approach to security concerns is to address those requirements after delivery. This is inefficient for the following reasons: To improve individual and team accountability, it is recommended to borrow a key concept from Restorative Justice, Conflicts as Property. This idea asserts that the disempowerment of individuals in Western criminal justice systems is
- Infosec Riot Grrrl Manifesto*, by Michele Chubirka aka "Mrs. Y" on June 11, 2021 at 5:20 pm
BECAUSE us girls crave respect and authority in our chosen field of Information Security. BECAUSE we wanna make it easier for girls to see/hear each other’s work so that we can share strategies and criticize-applaud each other. BECAUSE we must infiltrate the Infosec field in order to create our own destiny. BECAUSE I am not