Insights on IT & Cybersecurity

Time is Brain

I’ve spent the better part of my career walking into companies that are struggling. Downtime they can’t explain. Security incidents they didn’t see coming. Infrastructure held together with the IT equivalent of duct tape and good intentions. I come in, assess what’s broken, fix it, and show the results in graphs and charts — because people have short memories, and numbers don’t lie.

In almost every one of those engagements, the root cause wasn’t technical. It was a belief.

The belief that IT is a necessary evil — a cost center to be managed down, a department to be tolerated, a line item to be cut when margins get tight. Not a strategic function. Not a risk management discipline. Certainly not something that deserves a seat at the table when the real decisions get made.

It’s An AI World, We Just Live In It

I’m an IT and Security professional. I’ve spent my career helping organizations protect their data, manage their risk, and make sensible decisions about the technology they adopt. I have also, in that same career, watched AI do things that genuinely impressed me — and watched it create problems that genuinely alarmed me.

Sometimes on the same afternoon.

I am not anti-AI. I want to be clear about that, because this blog covers a lot of AI risk and it would be easy to read that as opposition. It isn’t. What I am is someone who has sat on both sides of the table — the side trying to harness AI’s capabilities and the side trying to prevent those capabilities from becoming a liability — and I’ve found that both sides have a point.

The Conference Room With a Window

When people say a platform is “encrypted,” they almost always mean transport encryption — data is scrambled while it travels between your device and the platform’s servers. Think of it like a sealed envelope moving through the postal system. The contents are protected in transit. But the post office can still open it.

End-to-end encryption (E2EE) is different. With true E2EE, only the participants hold the keys. The platform itself cannot decrypt the content of your call. Think of it as a conversation in a language only you and the other person speak.

The major platforms — Zoom, Microsoft Teams, Google Meet — all offer E2EE now. But “offer” is doing a lot of work in that sentence. It is almost universally not the default. Teams E2EE only covers one-on-one calls — not group meetings. On Zoom, enabling E2EE turns off cloud recording and phone dial-in. Most organizations haven’t enabled it at all.

CMMC – How to Start

The standard method is to find the big spreadsheet of controls and then start marking it up. This approach makes perfect sense, but as you work through it, it quickly becomes unwieldy.

Not every control can be completed by the same team.

They request “evidence,” but what in the world do they want to see?

How are we to convert generic controls into actionable requirements?

What does “good” look like?

How do we know if what we’re doing will pass an audit?

If you’re asking yourself these questions, you’re not alone. In fact, what starts as a spreadsheet with a long list of controls quickly turns into multiple sheets and additional documents with policies and procedures. And when you dig into what the auditors are looking for, they are looking for multiple things for each control.

You Enabled What? The 30-Minute AI Audit Your Business Should Do This Week

If you read my last post about the Workday lawsuit, you probably had one of two reactions.

The first reaction: “Interesting case. Glad that’s not us.”

The second reaction: “Wait. What’s actually running in our stack?”

If you had the first reaction, I’d gently encourage you to read it again. If you had the second — good. That instinct is exactly right, and this post is for you.

The uncomfortable truth is that most small and mid-sized businesses have AI features active in their software that nobody deliberately approved. Not because anyone did anything wrong. Because these features are being added quietly, bundled into updates, tucked behind toggles in admin screens that nobody checks between quarterly reviews.

Someone Clicked a Button. Now There’s a Lawsuit.

Somewhere in 2022 and 2023, Derek Mobley was doing what a lot of people do when they’re job hunting: applying. A lot. Over 100 applications, by his account, sent to companies that all had one thing in common — they used Workday to manage hiring.

He didn’t get the jobs. What he alleges is that he didn’t get them in part because an AI system was evaluating his applications and filtering him out — based, he claims, on his race, age, and disability status.

What happened next is where it gets interesting for anyone in IT or Security.

He didn’t just sue the companies that rejected him. He sued Workday.

The Art of Social Engineering

The warmth is the setup. The ask is the payload. Every social engineer worth their salt knows you don’t lead with the thing you want — you lead with connection. A shared laugh about a dog, a commiserating comment about kids, a moment of genuine-feeling human warmth. By the time the ask comes, you’re not talking to a stranger anymore. You’re talking to Dave.

When someone creates urgency and rapport in the same phone call, that combination should set off a quiet alarm in the back of your head.

The rule is simple: if someone calls you, hang up and call back on a number you find yourself. Your bank’s number is on the back of your card. Apple’s is on their website. The IRS doesn’t call you — they write letters, like it’s 1987, because that’s apparently still how they do things.

I’m Not in IT or Security – Why Should I Care?

Big companies have security teams, monitoring tools, incident response plans, and lawyers. You have the same password you’ve been using since 2014 and a router you’ve never logged into.

I’m not saying that to make you feel bad. I’m saying it because it’s the single most important thing to understand about modern cybercrime: scale beats sophistication every time. Why spend weeks trying to break into a bank when you can send a convincing text message to a million people and wait for a few thousand of them to click?

You are not too small to matter. You are too easy to resist.

The Fish Did It!

The lobby aquarium had an internet-connected thermometer — so staff could monitor the water temperature remotely, presumably from the couch, as one does. Attackers found it, used it to pivot onto the network, located the High Roller database, and walked out with 10GB of data. Through. The. Fish. Tank.

Now here’s the part that should actually keep you up at night: that thermometer is basically your printer.

And your smart refrigerator. And your kid’s drone. And the Star Wars toy that connects to the internet for reasons nobody fully explained. And the microwave that plays Spotify, because apparently we decided ovens needed WiFi now.
