I think about GRC, security, and data — and write down the parts that work.
I work in GRC, security, and data — currently focused on how strategy, risk, and AI change the way security programs are designed and run. This is where I think out loud: essays, small tools, and the things I'd want a younger version of me to read.
A practitioner — strategy, risk, and the parts of compliance worth keeping.
I work in GRC, security, and data security. Day to day, I think about how strategy, risk management, and smart compliance meet the technology decisions teams actually have to make — and how to keep the program defensible without burying it in paperwork.
I'm increasingly interested in how AI changes both sides of that equation: the threat surface, and the way GRC programs themselves are built and run. This site is where I write about what works, ship small tools to test ideas, and keep notes worth re-reading.
Notes on doing GRC deliberately — and using AI where it actually earns its keep.
The DBIR 2026: three findings that deserve immediate attention
Vulnerabilities overtake credentials as the top initial access vector, third-party involvement doubles again, and AI's first impact is industrialization — not innovation.
From heat maps to decisions
Heatmaps destroy the information your security stack is already generating. The fix is Decision Quality, three data sources, and a curve instead of a colour. Companion to my V2 Security 2026 talk.
The timeline is collapsing faster than defenses can adapt
Median time-to-exploit dropped from 771 days in 2018 to under 1 day in 2026 — AI removed the compute bottleneck. Five moves defenders should make now.
Concrete artefacts I've built — tools, models, frameworks, and the write-ups behind them.
Where I've been talking about strategy, risk, and AI in security.
Got a question, or something to share?
I read everything. Especially happy to hear from people working on GRC, data security, or AI policy in the real world — push-back, references, and good papers welcome.