From Reactive Security to Threat-Informed Defense: My Research Journey on Risk-Based Cybersecurity Prioritisation

After months of research, adversary emulation, lab building, testing, and validation, I’m pleased to share that my cybersecurity research paper, “A Risk-Based Framework for Prioritising Cybersecurity Controls Using MITRE ATT&CK with Empirical Validation via Adversary Emulation,” has now been published on ResearchGate and Zenodo. This research was driven by a simple but important question: Are... Continue Reading →

0

Post 2 — Proving Risk Reduction: How to Quantify Zero-Day Exposure When Patching Is Not Possible

In Part 1, we established a hard truth: when patching is not possible, risk does not disappear, it just simply shifts. The vulnerability remains. Business dependency remains. The threat remains. What changes is how disciplined your response becomes. This is where many organizations fall short. They deploy compensatory controls, such an IPS signature here, a... Continue Reading →

1

Post 1 — When Patching Is Not an Option: Managing Zero-Day Risk Without Breaking the Business

1. Introduction: the day the patch answer fails There’s a moment every experienced security team eventually faces. A zero-day is disclosed. The exploit is real. The system is exposed. And then someone asks the question that sounds routine—but isn’t: “When can we patch?” You pause. Because this time, patching isn’t possible. The application is legacy... Continue Reading →

2

Part 2 – Why Compliance ≠ Security

In the previous post, we saw how compliance brings structure, accountability, and trust to cybersecurity. It sets the stage for order in a chaotic landscape. But here’s where the story turns — and where many organizations stumble. After the certificates are framed and the audit reports are filed, there’s often a quiet assumption that “we’re... Continue Reading →

1

Part 1 – Why Compliance Matters

Every great security program begins with structure — and that structure often comes from compliance. In today’s interconnected world, organizations navigate a growing maze of standards and regulations: ISO 27001, NIST Cybersecurity Framework (CSF), PCI-DSS, HIPAA, GDPR, Qatar CSF, and Australia’s ASD Information Security Manual (ISM) and Essential Eight Maturity Model. These frameworks are no... Continue Reading →

0

Security, Convenience and the Battle for Balance

Introduction In today's digital landscape, organizations and individuals constantly grapple with the delicate balance between security and convenience. While users demand seamless and efficient experiences, security professionals must ensure robust protection against ever-evolving threats. However, security and convenience do not always go hand in hand. Stricter security measures often introduce friction, while overly convenient solutions... Continue Reading →

0

Managing Security Risk: The Importance of KRIs and KPIs

Introduction In the bustling realm of cybersecurity, where threats advance as quickly as technology itself, organizations must navigate a risky landscape filled with potential vulnerabilities. To effectively manage these risks, it's essential to employ a structured framework that incorporates Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). Let’s dive you into my personal experience... Continue Reading →

0

Part 4: Information Security Risk Management Approach

In the previous parts of our series (Part 1, Part 2 and Part 3), we explored the foundational elements of the risk management lifecycle, the risk assessment process, and risk treatment strategies. Now, we delve into the final phase: Risk Monitoring and Review. This phase involves continuously monitoring the effectiveness of risk management activities and... Continue Reading →

0

Blog at WordPress.com.

Up ↑