I make security strategy practical by demystifying common security misconceptions for IT and developer teams. Each talk can be adapted to fill a slot of thirty to sixty minutes. Custom topics and setups are available upon request.

Ready? Book engagements here. Want ideas for a different audience? Go here for an overview.

Topics

Cop vs Lawyer: the Evolving Mindset of Security Leaders

At many organizations, the security team became synonymous with the word “no”. Progress was made in spite of security, not because of it. Today, some security teams have overcome that legacy and are building value through partnerships with technical, product, and even marketing teams. We talk about how your security department can do the same.

The Most Secure Platform is the one People Use

The world is full of examples of people bypassing elaborate edifices designed by smart, well-meaning experts. Security teams love technically perfect solutions but often spend too little time on how people will actually experience them. We discuss the basics of UI/UX design and how to select security features that enhance the value of a product instead of reducing it.

The Hidden Curse of Control Frameworks

To a GRC analyst, a control framework seems like a no-brainer. They organize and track compliance with countless different requirements, and combining those requirements into a central, organized structure seems like an obvious solution to all their problems. Unfortunately, putting such an edifice at the foundation of your overall strategy harms goals outside that GRC bubble. We discuss how this happens, how you can avoid it, and how to keep your GRC folks happy through the entire process.

How to Gauge a Cloud Platform’s Security Strength in 20 Minutes

There is a huge difference in resiliency between cloud products. We walk through the top indicators that a product was built well. This is a practical talk, in which we apply the principles to platforms suggested by the audience.

The Trouble with TPRM

You will never have much control over a vendor’s work, including its security. Yet many audit frameworks expect you to exercise substantial oversight over vendors through Third Party Risk Management (TPRM) programs. We talk through what TPRM programs are good at, what they are not, and the key indicators of a healthy program.

Securing your Cloud: Three Objectives you Must get Right

Traditional, datacenter-centric approaches to security do not translate well to cloud-native design. We talk through the datacenter realities that led to the traditional security approach, the new threats and risks in a cloud environment, and how teams can best avoid them.

Cloud: When is it Right?

For 30 years, “Lift and Shift” has been a popular IT approach to consolidating systems onto existing infrastructure, allowing significant cost savings without the disruption of moving operations teams onto new systems. This approach rarely works for cloud: costs usually increase, security plummets, and older designs cannot take advantage of the cloud’s biggest benefits. We discuss the types of projects that benefit most from the cloud, and which should stay in the datacenter.