My three-step framework for Securing Critical National Infrastructure
Visibility, remediation, detection: A 17-year practitioner’s guide to building national cybersecurity capacity, from government to enterprise.
You cannot fix what you cannot see
Before you assess risk or buy tools, you need to know what you actually have, what it's connected to, and what it's doing — not what procurement says you have.
Map the political and institutional landscape first. The political landscape shapes the technical landscape.
Fixing what you can now see
Once you can see your state, you fix it. People and processes matter as much as any tool.
A vulnerability report nobody acts on has not improved your security posture. Accountability, timelines, and tracking are the actual work.
The transition state: the window nobody is watching
During change, risk goes up. Systems are partially configured, partially connected, partially secured. That window is when breaches happen. Continuous monitoring is essential.
Earned, not bought
Detection and response depends entirely on the quality of the first two steps.
Automating detection and response, and increasingly using AI, is the right direction — but automation on a bad foundation produces bad outcomes faster.
Map and understand your true surface.
Remediate and harden with people and process.
Detect and respond on a strong foundation.
These are the force multipliers that make security real.