Insights

From the Field

Writing about enterprise cybersecurity, quantitative risk, AI operations, and leadership at scale.

April 2, 20266 min read

What Change Management Looks Like When Nobody Can Follow You

Kotter's eight steps assume you have a coalition to build. Here's what leading change teaches you when you're completely alone.

leadershipchange managementresilience

April 1, 20266 min read

The Federated Board Deck: Presenting Portfolio Risk When Your Enterprise Is Actually Dozens of Enterprises

A State CISO can't use a single risk arrow on a board slide. Here's how to present federated agency risk without lying to the people who need the truth.

risk managementboard communicationpublic sector security

March 31, 20264 min read

Your Blog Posts Are an Adversary's Briefing Book

How individually reasonable security leadership posts can aggregate into a reconnaissance package for anyone targeting your environment.

opsecleadership communicationrisk management

March 25, 20265 min read

When You Can't Measure First: What the Military Taught Me About Risk Leadership

Risk frameworks assume you have time to measure before you act. Military operations, and real adversarial environments, prove that assumption wrong.

risk managementleadershipcybersecurity

March 24, 20266 min read

Your Attack Surface Is a FAIR Input, Not a To-Do List

How State CISOs can feed continuous ASM telemetry into FAIR's Loss Event Frequency component to quantify risk across a multi-agency environment in real time.

risk quantificationattack surface managementFAIR

March 23, 20265 min read

When You Can't Measure Before You Move

Risk frameworks assume you have time to measure before you act. Operational experience taught me that assumption breaks exactly when leadership matters most.

risk managementleadershipcybersecurity

March 22, 20266 min read

The 72-Hour Tax: What Your Logging Architecture Is Really Costing You

A State CISO breaks down why logging is a risk quantification problem, not a storage problem, and what FAIR analysis reveals about detection latency costs.

cybersecurityrisk quantificationlogging

March 21, 20266 min read

CVSS Is Not a Risk Score (And Building Remediation Queues Like It Is Will Get You Burned)

A State CISO and FAIR researcher explains why CVSS measures threat capability, not risk, and what that means for prioritizing vulnerabilities across a multi-agency environment.

vulnerability managementrisk quantificationFAIR

March 20, 20266 min read

The MFA ROI Problem: Quantifying Identity Risk Across a Multi-Agency Environment

How to use FAIR's TEF and Vulnerability components to build a defensible ROI case for accelerating MFA rollout across a large state enterprise.

identity securityrisk quantificationFAIR framework

March 19, 20266 min read

Your Relationships Are a Risk Control (And You Can Prove It)

A State CISO applies FAIR risk quantification to relationship-building, proving that connection capital with agency heads is a measurable risk-reduction lever.

risk quantificationCISO leadershipFAIR framework

March 14, 20267 min read

Your Second Brain Is a Library No One Else Can Read

Most knowledge systems optimize for capture and retrieval. If you want to build a public profile, you need a distribution layer that treats every insight as a draft publication.

knowledge managementpersonal brandingsecond brain

March 13, 20266 min read

FAIR Isn't a Risk Model. It's a Translation Layer.

Why the most important thing FAIR does is not quantify risk. It translates technical risk language into the financial terms that move budgets.

Risk ManagementFAIRCybersecurity LeadershipPublic SectorDissertation

March 12, 20265 min read

Your Folder Structure Is a Mental Model

Why organizing files around how you think, not how tools sync, is the difference between a system you use and one you fight.

Knowledge ManagementSecond BrainObsidianSystems

March 11, 20265 min read

Lead With the Gap, Not the Label

Why funding gap percentage is a more actionable security metric than risk level ratings, and how it changes the budget conversation.

Cybersecurity LeadershipRisk ManagementPublic SectorCISO

March 10, 20267 min read

When Five Scripts Disagree About What a 'Work Task' Means

The trigger for shared module extraction is not duplicate code. It is when multiple consumers of the same data produce different answers to the same question.

data architectureplatform engineeringcode quality

March 8, 20266 min read

AI Agents Destroy What They Don't Understand

When AI agents clean up your systems, they delete what they can't contextualize. The result looks like a gap that needs filling, not damage that needs undoing.

AI operationsagent reliabilitysystem management

March 7, 20264 min read

The Task Is Never the Point

Why outcome-driven execution beats task completion. An operating principle from building systems that actually work.

LeadershipFrameworkOperations

February 21, 20267 min read

The Case for Graduated Agent Execution

Why starting solo and escalating to teams beats launching full swarms. A framework from building AI-augmented operations at enterprise scale.

AI OperationsFrameworkMulti-Agent Systems

February 20, 20267 min read

CLAUDE.md as Guardrails: Compressing AI Context

Reducing AI instruction sets by 55% without losing capability. Lessons from engineering a personal operating system.

AI EngineeringProductivityContext Engineering

February 19, 20267 min read

AI Permission Sprawl as Security Debt

When AI tools accumulate access faster than you can audit it, you have a security problem. Here is how to fix it.

SecurityAI GovernanceDevSecOps

Invalid Date9 min read

The Gap Between "Exists" and "Connected"

In complex AI agent systems, the most dangerous failures are not in what breaks. They are in what was never wired.

ai-engineeringsystems-designagent-architecture