Did you know? AI hallucinations aren’t bugs—they’re a side effect of probabilistic prediction.
Security Isn’t Academic: Lessons from Those Who’ve Been There

I can see the shovel on the left which looks shiny, but I trust the dirty one on the right that is still solid after obviously working hard digging a trench.
I want to start with a nod to Brian Prince, who makes a spot-on distinction between talking about it and actually doing it. I couldn’t agree more. The real world is messy, constrained, and far harder than academics or theory often suggest. That’s why I gravitate toward learning from people who’ve truly served in the trenches.
Richard Bird is one of those leaders, and his newsletter is absolutely worth following.
Roy Luongo is another—don’t miss him presenting at Baltimore Futurecon.
Which brings me to a book I just finished—written by yet another “been there, done that” practitioner who understands the gap between theory and reality.
For Your Bookshelf: Unsecurity by Evan Francen

Unsecurity stands out because it doesn’t try to overwhelm the reader with frameworks or false certainty. Instead, it reads like guidance from someone who has spent real time in the trenches and learned the hard lessons. It’s less about tools and more about how to think about building an effective information security capability.
One of the book’s strongest themes is language. Francen argues that many security failures start with how we communicate—especially with leadership and the business. Security too often speaks in its own jargon and expects others to adapt. The book reinforces a critical point: security must learn to speak the business’s language if it expects to influence decisions and reduce risk.
Francen’s use of analogies is particularly effective. He compares security to building a house: you need a blueprint (strategy), a permit (leadership approval of the roadmap), and a solid foundation—followed by simplification to gain efficiency. It’s a practical way to explain why piling on controls without intention leads to fragility, not maturity.
The book also takes a clear-eyed view of risk and compliance, challenging approaches that create a false sense of security. Francen draws a sharp distinction between blind compliance and controls that actually reduce risk, reminding readers that “looking secure” is not the same as being secure.
Quick Insightful Reads

🔗 Scattered Spider Infrastructure Insights: Here's a fascinating article that thoroughly examines Scattered Spider's infrastructure rather than their attack chain per se. Approach this analysis from two perspectives: first, gain a high-level understanding of how a threat actor operates. Then, delve into the specifics to learn how to actively hunt for indicators of them targeting you.
🔗 Microsoft Zero Day: When Microsoft releases emergency out-of-band patches, pay close attention. Unlike other articles that jump to FUD, this one does a nice job of explaining the risk and, more importantly, provides additional impactful countermeasures if you can’t patch now.
And just a PSA — while you may be completely on Office 365, check your inventories, as it’s not uncommon to have a hodgepodge of locally installed Office software for a plethora of reasons.
In the News
NIST held another workshop to refine the Cyber AI Profile – here’s a quick synopsis of the results that contains a link to the public recording.
Views expressed are informational only and not official advice. No warranties are made; readers assume all risk and should consult authoritative sources before acting.