After months of research, adversary emulation, lab building, testing, and validation, I’m pleased to share that my cybersecurity research paper, “A Risk-Based Framework for Prioritising Cybersecurity Controls Using MITRE ATT&CK with Empirical Validation via Adversary Emulation,” has now been published on ResearchGate and Zenodo. This research was driven by a simple but important question: Are... Continue Reading →
Post 3 — Beyond IT: Applying the Same Zero-Day Risk Strategy to OT and Critical Infrastructure
In Part 1, we addressed the uncomfortable reality that patching is not always possible. In Part 2, we showed that compensatory controls only matter if their effectiveness can be measured. Now comes the part many organizations overlook: the same risk logic does not stop at IT. In fact, it becomes even more critical in OT and... Continue Reading →
Post 2 — Proving Risk Reduction: How to Quantify Zero-Day Exposure When Patching Is Not Possible
In Part 1, we established a hard truth: when patching is not possible, risk does not disappear; it simply shifts. The vulnerability remains. The business dependency remains. The threat remains. What changes is how disciplined your response becomes. This is where many organizations fall short. They deploy compensatory controls, such as an IPS signature here, a... Continue Reading →
Part 3 – Bridging the Gap: From Compliance to Security
In our journey so far, we’ve seen how compliance brings order to cybersecurity (Part 1), and how over-reliance on it can create blind spots (Part 2). Now, we turn to the most critical part of the story: how organizations bridge that gap and turn compliance into real, measurable security resilience. Compliance sets the minimum standard;... Continue Reading →
Part 2 – Why Compliance ≠ Security
In the previous post, we saw how compliance brings structure, accountability, and trust to cybersecurity. It sets the stage for order in a chaotic landscape. But here’s where the story turns — and where many organizations stumble. After the certificates are framed and the audit reports are filed, there’s often a quiet assumption that “we’re... Continue Reading →
Part 1 – Why Compliance Matters
Every great security program begins with structure — and that structure often comes from compliance. In today’s interconnected world, organizations navigate a growing maze of standards and regulations: ISO 27001, NIST Cybersecurity Framework (CSF), PCI-DSS, HIPAA, GDPR, Qatar CSF, and Australia’s ASD Information Security Manual (ISM) and Essential Eight Maturity Model. These frameworks are no... Continue Reading →
Security, Convenience and the Battle for Balance
Introduction In today's digital landscape, organizations and individuals constantly grapple with the delicate balance between security and convenience. While users demand seamless and efficient experiences, security professionals must ensure robust protection against ever-evolving threats. However, security and convenience do not always go hand in hand. Stricter security measures often introduce friction, while overly convenient solutions... Continue Reading →
Part 4: Information Security Risk Management Approach
In the previous parts of our series (Part 1, Part 2 and Part 3), we explored the foundational elements of the risk management lifecycle, the risk assessment process, and risk treatment strategies. Now, we delve into the final phase: Risk Monitoring and Review. This phase involves continuously monitoring the effectiveness of risk management activities and... Continue Reading →
Part 3: Information Security Risk Management Approach
In Part 1 and Part 2 of our series, we explored the fundamentals of the risk management lifecycle and the detailed process of risk assessment. Now, we delve into the critical phase of Risk Treatment. This phase involves selecting and implementing measures to mitigate, transfer, avoid, or accept identified risks. 1. Selecting Risk Treatment Options:... Continue Reading →
Part 2: Information Security Risk Management Approach
In the first part of this series, we explored the foundational elements of the risk management lifecycle as outlined by the ISO 27000 series of standards. We will now delve into the second phase: Risk Assessment. This critical step involves identifying, analysing, and evaluating risks to your organization's information assets. 1. Identifying Assets: The initial step... Continue Reading →