My Writing

I write about security leadership and technology, sharing strategies, practical frameworks, and field notes. My goal is to capture what I've learned and contribute to conversations in our community.

• Product Management Designing Security Products for Humans and AI Agents
  AI agents are quickly joining humans as personas that use enterprise security products. Vendors who understand how to support all their users, from analysts to agents, will build products that fit...
• Training Awareness Training Won't Protect Employees from Their Own AI Tools
  When an AI tool influences an employee's decision, audit logs record the human's action and miss the AI's role. Addressing that blind spot requires escalation procedures and engineering controls that...
• Leadership Security Governance at the Speed of Vibe Coding
  Employees who've never written code now build production apps using AI, without security review, dependency scanning, or enterprise oversight. The SaaS and DevOps transitions give security teams a...
• Assessments Scope Security Assessments for Attack Paths, Not Org Charts
  When assessment scope follows organizational lines, gaps open where team boundaries meet and real attackers don't stop. Pulling adjacent teams into the scoping conversation and following attack logic...
• Risk Management Understand the Reality of the SOC 2 Checkbox
  SOC 2 standardized security reporting, but it left the vendor in control of the system boundary and auditor selection. Understanding that structural gap helps vendors and buyers get the most value...
• Product Management Most Cybersecurity Products Aren't Platforms and It's OK
  The test for a genuine platform is whether each new addition makes everything else more valuable, not just whether products share a brand or console. Let's draw a distinction between a platform and a...