The “Agent Rule of Two” — Designing Safer AI Agents Through Limitation
When Meta released its Agent Rule of Two framework, it clicked for me immediately. Not because it was revolutionary in concept, but because it gave language to something most of us have already been trying to do in practice: limit the blast radius of automation.
If you’ve ever built bots, workflows, or automation jobs that can read data, act on it, and then go tell the world about it… you’ve probably felt that quiet sense of “hmm, maybe we gave this thing a little too much power.”
That’s exactly what the Rule of Two addresses. It’s a straightforward principle for building or reviewing agents in a way that keeps you out of the “one bad input away from a data breach” category.
The Core Idea
The Agent Rule of Two says that an AI agent (or automation process) should never have all three of these abilities in a single session:…
Why GRC is Like a Speed Limit Sign Before a Sharp Turn
One of the hardest parts of explaining Governance, Risk, and Compliance (GRC) to people outside of security is that it can sound abstract. Controls, frameworks, risk registers… it’s a lot of jargon if you don’t live in this space.
So here’s a simple analogy I’ve been using: GRC is the speed limit sign before a sharp turn.
Shifting from Reactive to Proactive Security
Moving from reactive to proactive isn’t about flipping a switch. It’s about asking, “What could we do today that helps us avoid tomorrow’s fire?” And then carving out just enough time to do it.
Cybersecurity Metrics: Measuring What Really Matters
I often remind myself, “Don’t mistake motion for progress.” Just because you have data doesn’t mean it’s useful. Metrics should clearly highlight issues, enabling you to make proactive, informed decisions.
Training can be the best bang for the buck!
Investing in cybersecurity training yields higher ROI than any tech stack. Learn why training matters, how to build a champion network, run phishing simulations, and measure success.
Getting the Basics Right: Core Security Technologies That Actually Matter
Before chasing the next shiny cybersecurity tool, let’s get the basics right. From MFA and email hardening to open-source tools that punch above their weight—here’s how to build a solid foundation for your security program.
Risk Assessments for Beginners: Simple, Practical, and Actionable
Think of it like this: telling a kid not to run with scissors isn’t just a rule—it’s risk management. You’re not just saying “no” to be annoying. You’re identifying a risk (injury), a threat actor (a wild 6-year-old), and possible mitigations: walk carefully, use child-safe scissors, store them in a high drawer, maybe even add some blunt tip training wheels.
Start Simple: The Policies You Can’t Skip When Building a Cybersecurity Program
This post walks through the foundational cybersecurity policies needed to operationalize your security program without overburdening the business. Learn how to create short, actionable, risk-based policies that reflect leadership intent, align with business capability, and drive real risk reduction—not just compliance. Includes free templates and guidance on policy governance.
Building a Cybersecurity Program from Scratch: The First Critical Hires and Partnerships
Starting a cybersecurity program from scratch sounds exciting… until it’s you sitting in the chair deciding where to begin. Let’s talk about your first critical hires!
How to Choose the Right Cybersecurity Framework (Without Losing Your Mind)
When you’re starting to build a cybersecurity program from scratch, one of the first real decision points you’ll hit is: “What framework should we use?”