Articles on Risk Management
Below are my perspectives on Risk Management, drawn from my work as a security leader and practitioner.
- Malware Analysis: Six Signals for Threat Attribution. Intelligence analysts weigh six signals together to build defensible attribution to a threat actor. For each one, they use a disciplined methodology we can cite and stress-test.
- Artificial Intelligence: Making Sense of Security for AI: The AI Defense Matrix. The AI Defense Matrix maps eight AI asset classes to NIST CSF functions, giving security leaders one grid to assign ownership, find gaps, and select controls. Sounil Yu and I co-authored it as the...
- Risk Management: Trust Boundary of SaaS Will Include Customers' AI Agents. SaaS vendors should assess whether their trust boundary includes customers' AI agents. Liability has pushed banks toward securing the customer's device four times, and the fifth wave is forming...
- Artificial Intelligence: What to Make of AIUC-1, a New AI Agent Certification. New certifications start as claims and earn credibility through cycles of scrutiny. AIUC-1, a compliance framework for AI agent vendors, is at that starting point. How its structure, governance, and...
- Leadership: When Executives Reject Your Security Recommendations. A rejected security recommendation feels personal, but it often reflects competing demands the security team doesn't fully see. Knowing how to act on that reality helps the CISO become someone the...
- Risk Management: Understand the Reality of the SOC 2 Checkbox. SOC 2 standardized security reporting, but it left the vendor in control of the system boundary and auditor selection. Understanding that structural gap helps vendors and buyers get the most value...