Originally published on LinkedIn · March 12, 2024. Monthly converged security newsletter.
94°F in Dallas-Fort Worth. Just visited Texas A&M Engineering Extension Service (TEEX) in College Station — Disaster City and the Fire School are exceptional training resources. Upcoming travel to Florida to support courses and spend time with family. Recent podcast appearances with Simon Osamoh and Mark Ledlow. Published pieces this month on executive protection, church security metrics, and supply chain security.
Leadership & Governance
Working with PhD candidates on cybersecurity research this month — which led to productive challenges around foundational concepts. How do you define “cyber security” precisely? What is the actual distinction between “safety vs. security vs. safe”? These are not semantic questions — the answers shape entire program architectures.
Metric of the Month: Percentage of leadership meetings held at local colleges to mentor emerging security professionals.
Insider Threat
Why do security teams allocate 80% of their effort toward external threats — which account for roughly 20% of incidents — rather than insider threats, which account for 80%? You can’t shoot, fire, or discipline an IP address. Insider threats are human problems that require human solutions: programs, training, and tabletop exercises.
Metric of the Month: Percentage of security budget allocated to insider threat programs vs. external threat programs.
M&A / Divestiture Security
Starting a post-close acquisition with a gap assessment is starting too late. Comprehensive integration planning must begin immediately after Close Day — with security embedded in every workstream from that day forward, not reviewed as a separate track weeks later.
Key Metric: Percentage of M&A deals with an identified Project Integration Officer, Crisis Manager, and Incident Commander on Close Day.
Getting a Seat at the Table
Triangular communication frameworks — the CIA triad, the Fraud Triangle, Prevention/Detection/Response — are useful tools for translating security priorities into language that business stakeholders can act on. My son James created visual tools using LEGO concepts to make these frameworks accessible to non-technical leadership. Simple works.
Metric of the Month: Percentage of security presentations to leadership that use visual frameworks vs. text-heavy slides.
Supply Chain Security
Published in Security Middle East magazine this month on supply chain scope inventory gathering (Step 3 of my supply chain security framework). Step 1 is leadership buy-in. Step 2 is scope determination — which is almost always larger than organizations assume. Step 3 is the inventory: every supplier, every connection, every dependency.
Metric of the Month: Percentage of financial transactions with suppliers processed through fraud detection before payment.
Physical Security / CPTED
In 2024, many facilities still lack minimum physical security controls for active shooter scenarios and basic visitor management. Organizations that have undergone M&A, rapid expansion, or significant reorganization in recent years frequently have facilities that were never assessed post-change.
Metric of the Month: Percentage of capital budget allocated for physical security mitigation with locked quotes and implementation plans.
Crisis Response
LinkedIn polling on Q1 2024 tabletop exercises revealed concerning results: 44% of respondents reported that no exercise had been completed or scheduled — with 20 days left in the quarter. 22% said “I don’t know” or acknowledged insufficient knowledge. Organizations that do not exercise their plans do not have working plans — they have documents.
Metric of the Month: Percentage of customers and suppliers requiring tabletop exercises in their contracts.
Honor — Barbara Thomas
Honoring Barbara Thomas, my sign language mentor at a Florida church — and the junior high sign language teacher whose name I have sadly forgotten but whose impact I have not. The next time you see a sign language interpreter at an event — thank them. They are an often invisible but essential bridge.
