Skip to main content

Posts

Breaking Into Information Security: The Complete Guide for Beginners

Information security is one of the most in-demand career fields in the world right now, and there is no gatekeeping requirement that says you need a computer science degree or twenty years of IT experience to get in. What the field actually needs — and what it is actively hiring for — is smart, motivated people who are willing to put in the work to build a real foundation. The path is not easy, but it is accessible, and the demand for qualified professionals is not slowing down. I have been in this field for over two decades. I came up through the technical ranks, spent years building and running security programs, and I now serve as a CISO at a publicly traded manufacturing company. Along the way I have hired entry-level analysts, mentored career changers, and reviewed hundreds of resumes from people trying to break in. This guide is the honest, direct version of what I would tell someone today if they sat across from me and asked: “How do I get into InfoSec?” The Honest Truth About B...
Read more
Recent posts

Project Glasswing & Claude Mythos: What CISOs Need to Know Right Now

Anthropic just released the most capable offensive cybersecurity AI ever built, found thousands of previously unknown zero-day vulnerabilities across every major operating system and browser, and then decided the model was too dangerous to release to the public. That is not a hypothetical scenario. That is what happened on April 7, 2026, and every CISO needs to understand the full weight of what it means. The model is called  Claude Mythos Preview . The initiative built around it is called  Project Glasswing . Together, they represent something genuinely different from every AI-in-security announcement that has come before — not because of marketing language, but because of what the model demonstrably did when turned loose on real production software, autonomously, without a human guiding each step. What Claude Mythos Preview Actually Did Anthropic used Claude Mythos Preview over several weeks to conduct autonomous vulnerability research across critical software infrastructure...
Read more

AI Governance Deep Dive: Building the Committee That Actually Governs

The first AI governance committee meeting I ever sat in lasted two hours and accomplished almost nothing. We had twelve people in the room — IT, Legal, HR, a couple of business unit leaders, and a handful of security folks. Everyone had opinions. No one had authority. The agenda was a loose collection of topics someone had jotted down the night before. By the end, we had a list of things to think about and a follow-up meeting scheduled for three weeks out. That meeting was not a failure of technology or even a failure of intent. It was a failure of structure. The wrong people were making decisions, the right people were not in the room, and nobody had a clear mandate for what the governance body was actually supposed to do. I have seen variations of that same meeting play out at organizations of every size and in every industry. And I have seen what happens when it keeps repeating: AI deployments accumulate without oversight, risks go untracked, and eventually something goes wrong that...
Read more

Stop Scanning. Start Managing Exposure: The CISO's Guide to Continuous Threat Exposure Management

Picture this: It is a Tuesday afternoon. Your vulnerability management team pulls up the weekly report. Sixty-three thousand open vulnerabilities across your environment. Your patch team closes out five hundred this week — a solid sprint by any measure. Everyone nods. The meeting ends. You walk out feeling like you are making progress. Three weeks later, an attacker exfiltrates six months of customer data through a misconfigured cloud storage bucket. No CVE assigned. Not on any scan report. Not even on your radar. That gap — the one between what your vulnerability scanner sees and what an attacker actually exploits — is exactly the problem that Continuous Threat Exposure Management is designed to close. And if you are leading a security program today without a CTEM strategy in place, you are managing the wrong list. What CTEM Actually Is (And What It Isn’t) Gartner introduced the term Continuous Threat Exposure Management in 2022, and the security industry has been both energized and c...
Read more