Insights
Writing from the field.
Practitioner-researcher essays on cybersecurity at scale, quantitative risk, AI in operations, and the structural problems no one wants to name.
Public-Sector CISO
The Safe Choice Is the Riskiest Choice You Can Make
Enterprise vendor selection feels like risk management. It isn't. Here's what most CISOs get wrong before the contract is even signed.
Public-Sector CISO
The Audit Report Is a Photograph of a Fire
Point-in-time compliance audits tell you where the fire was, not where it is. Here's why that distinction costs organizations everything.
AI in Operations
Page count is not a design constraint
AI assistance imports invisible defaults and optimizes against them as if they were user requirements. The fix is to surface the default before acting on it.
AI in Operations
Parallel Agents Are a Voice Problem, Not a Research Pattern
Five agents, fifty-five posts, three minutes. The job worked because the prompt encoded the author's taste, not because parallelism is magic.
AI in Operations
When the ledger becomes the inbox
If your review-counter accumulates instead of clearing, it has stopped being a gate and started being a guilt counter. Redesign it.
Method
When the Watchdog Doesn't Bark
Silence in a monitoring system is indistinguishable from health, and the system is structured so that you only test the alert path during the exact event you are trying to detect.
Public-Sector CISO
AI Governance Is a Security Problem, Not a Policy Exercise
Most states treat AI governance as a compliance checkbox. Here's why that framing guarantees failure - and what the security-first approach looks like.
AI in Operations
Prepare to Lead, Not Present
A status report is for someone reading alone. A chair is leading a room. The two artifacts have different jobs and should have different shapes.
Method
When Iterative Review Saturates, Expand Scope Rather Than Terminate
Convergence within a review scope does not mean ready. It means the scope is exhausted. The next move is to expand scope, not to declare done.
AI in Operations
Four Hallucinations in One Session: Grep-Verify Is the Cheap Counter
When parallel sub-agents touch many similar files, plausible-sounding but wrong quotes are the dominant failure mode. The cheapest counter is a discipline rule, not a model upgrade.
Risk Quantification
Measuring the Multiplier: What an AI-Augmented Strategic Plan Actually Costs
Three to seven cents on the consulting dollar is the headline. The real story is what makes the multiplier work, and what makes it collapse.
Public-Sector CISO
Risk Measurement Is Not Risk Management
Most cyber risk programs are built to produce reports, not decisions. Here's why that distinction matters more now than ever.
AI in Operations
When Benchmarks Describe Rather Than Aspire
Survey instruments that sequence descriptive and normative questions produce answers that echo current state, not strategic intent. Here is what to do about it.
Risk Quantification
Comfort Equals Depth Deficit
I declared a high-stakes briefing 'done' four times. Each push for another pass found a new load-bearing error. The fix isn't more passes; it's different lenses.
Public-Sector CISO
The Confidence Trap: Why AI Sounds Right Even When It's Wrong
AI confidence isn't a feature. It's a design choice that security leaders need to understand before they trust the output.
Public-Sector CISO
The Transformation Trap: Why 'Chief' Titles Without Mandate Are Theater
State governments keep creating transformation roles that sound powerful. Here is why most of them fail before the first budget cycle ends.
AI in Operations
Automated Systems Encode Their Author's Default Posture
When you automate a report, you don't automate intelligence. You automate the author's judgment, frozen at the moment the template was written.
AI in Operations
Map Before You Adopt
Most people respond to a 'new pattern' the wrong way twice: they dismiss it, or they adopt the whole thing. There is a third move that beats both.
Public-Sector CISO
Pilots That Only Prove What You Already Believe
Government AI pilots are designed to succeed, not to learn. Here's why that's the wrong architecture and what a real test looks like.
Method
The Highest-Leverage Comment in a Review Is Rarely a Number
One structural reveal beats ten numerical corrections. The comment that re-frames your assumptions is worth more than ten that tighten your numbers.
AI in Operations
When a Reader Asks 'What Does That Mean?', Sweep the Whole Document
A single clarification question is the surfaceable evidence of a deeper authorship blind spot. The cost of treating it as a one-off is silent erosion of recipient confidence in the rest of the document.
AI in Operations
Can Versus Should: The Permission Gap in Agentic AI
Granting an AI agent access to your shell isn't a safety decision. It's a capability decision. Most people don't know the difference.
Public-Sector CISO
Full Tank, Wrong Fuel
A SIEM with eight figures of budget but trimmed data sources will still miss the breach. The dangerous moment is when your instruments look healthy.
Risk Quantification
Confidence Is Not a Security Control
State CISOs are losing confidence, and that might be exactly right. Here's why calibrated uncertainty beats false confidence in cybersecurity leadership.
Method
Dashboards Don't Audit Themselves
Aggregated dashboards inherit every silent failure in the import pipeline beneath them. The headline number can be confidently wrong unless you periodically walk it backward.
Risk Quantification
One Reviewer Is Three Bugs Away From Done
Why splitting review across three independent specialists with non-overlapping mandates catches classes of bugs that a single combined reviewer collapses into a generic findings list.
Risk Quantification
If You Found One Fake Citation, Look for the Others
When AI scaffolds produce a fabricated citation, the fix is not to remove it. The fix is to grep every other document in the project for the same fabrication signature.
Public-Sector CISO
The Structural Leak Test
High earners with low net worth almost always have an architectural problem, not a discipline problem. Here is how to find the real drain.
Risk Quantification
Preflight Doesn't Ask If It Will Rain
Consequence-first risk thinking isn't a FAIR innovation. Any pilot or Marine could tell you: you plan for the failure before it happens.
Method
Methodology Before Cohort
Comparative analysis that names entities before declaring criteria is vulnerable to disruption the moment the criteria are finally applied.