Originally published on LinkedIn · February 7, 2024. Monthly converged security newsletter.
My professional heart is to provide a perspective that turns into YOUR solutions to YOUR pain points. This edition covers updates across my core security domains, with reflection questions for each.
Personal Updates
Working toward completion of 10,000 words on a Supply Chain Security book. Participated in multiple podcasts on executive protection and organizational security metrics. My wife Diane continues growing her DFW real estate business; son James is expanding his 3PL and Amazon marketplace operations.
Leadership & Governance
Measuring the percentage of meetings focused on building leadership capabilities — not just operations — is one of the most underused metrics in security program management. Faith-based decision-making in leadership is not soft; it is a structural approach to accountability that most secular frameworks are still trying to replicate.
Metric of the Month: Percentage of leadership meetings focused on building leadership capabilities vs. operational updates only.
Insider Threat
Converged security integration across cyber and physical domains is where insider threat programs actually work. Siloed programs — cyber-only or physical-only — miss the majority of indicators. The threat moves between domains; your detection must too.
Metric of the Month: Percentage of insider threat indicators that crossed both cyber and physical domains before detection.
M&A / Divestiture Security
Security teams often learn too late about strategic decisions — after the press release, after close, sometimes after integration is underway. The result is reactive security on an acquisition that required proactive planning from Ideation. This is fixable with a single policy change: security representation on the M&A committee from Day 1.
Supply Chain Security
The supply chain security industry needs to mature its approach to scope. Most organizations define their supply chain as the vendors they pay directly. The actual risk scope — every entity with data, access, or operational dependency — is almost always several times larger. You cannot secure a supply chain you have not fully mapped.
Physical Security / CPTED
New work with the Texas School Safety Center this quarter. Physical security vulnerability discovery in schools — and in organizations generally — requires consistent, documented assessment processes. Findings that are not documented do not get fixed. Findings that are not tracked do not get verified.
Executive Protection
Regulatory and compliance improvements in the EP space are overdue. Licensing requirements, reciprocity standards, and documented governance models lag the threat environment. Organizations building EP programs should not wait for the regulation — build the governance model now.
Security Operations Centers
Post-COVID SOC operational models — particularly 100% remote arrangements — deserve scrutiny. The question is not whether remote work is possible. The question is whether the collaboration, escalation, and crisis response capabilities of a fully remote SOC have been tested. Most have not.
A Note on Foreign Dependencies
“I am a Foreign National” — meaning: if you handle data for any company that offshores work, you are, in a practical sense, operating in a foreign national risk environment. That realization changes how you think about data governance, access controls, and due diligence on offshore operations.
