5 min read
Attack Paths, Not Attack Surfaces
The attack surface management industry optimised for the wrong question. Attackers don't think in surfaces — they think in paths. Until defenders do the same, billions in ASM investment will produce signal without meaning.
The attack surface management market will be worth several billion dollars by the time you read this. Dozens of vendors, a wave of acquisitions, a category that went from niche to mainstream in less time than most security programmes take to complete a risk assessment. The...
security, attack surface management, attack paths, exposure management, signal, investment
7 min read
Crown Jewels Are a Strategy Problem, Not a Security Problem
Most organisations identify their critical assets badly, once, or not at all. Crown jewel analysis is a strategy exercise masquerading as a security exercise — and getting it wrong means every downstream decision is built on sand.
There is an exercise that most security programmes conduct at some point, usually early in a maturity uplift or in the aftermath of a breach that concentrated minds. Someone, typically the CISO or a consulting partner, gathers the relevant stakeholders into a room and asks a...
security, strategy, crown jewels, VRIN, competitive advantage, prioritisation
5 min read
The Constraint Moved and Nobody Noticed
The cybersecurity industry solved for detection. The constraint is now comprehension — and most organisations haven't redirected their investment accordingly.
Eliyahu Goldratt had a gift for stating things that sound obvious in retrospect but are, in practice, almost universally ignored. His Theory of Constraints (Goldratt, 1984) rests on a single deceptively simple observation: in any system, there is always one constraint that...
security, theory of constraints, vulnerability management, comprehension, investment
9 min read
Meaning In the Signal: What Five Talks at [un]Prompted Taught Me About the Future of Cybersecurity
Five uncoordinated presentations at a new AI security conference converged on the same question — and revealed the defining challenge of modern cybersecurity.
[un]Prompted is a brand new AI security practitioners conference, and its inaugural edition, held in San Francisco on the 3rd and 4th of March 2026, announced itself as something rather different from the events that typically populate the cybersecurity calendar. No vendor...
security, AI, unprompted, vulnerability management, threat intelligence