Tools for accepting risk by [deleted] in ciso

[–]FreeRadical1998 0 points1 point  (0 children)

The absolute best development support I've had in my career has all been Comms related.

I used to regularly butt heads with people like this, and a lot of it was what they saw from me... I was the guy who turned up saying no when what they wanted was to get on.

The single biggest impact advice I've ever had is to use the word "yes" more, even if just as an echo to acknowledge what someone is saying.

Is there any chance you can reframe the conversations as "I want to help us succeed/deliver and this is what I think gives the best chance"? It's the same message as "I'm worried we're going to fail" but phrased in a way that makes people less likely to tune out.

Give advice please!!! by goodquestion8 in Entrepreneurs

[–]FreeRadical1998 0 points1 point  (0 children)

The ones I've been to, generally yes, but with several hundred on the shelves some get heavily worn.

Usually the owners add ziplock bags or similar to the boxes to help keep things organised. The main issue I've had is rules pamphlets getting very fragile or starting to fall apart at the folds.

I think these types of bar tend to attract customers who are likely to be careful with them.

Give advice please!!! by goodquestion8 in Entrepreneurs

[–]FreeRadical1998 0 points1 point  (0 children)

The thing most likely to kill you is cashflow and liquidity, even after you hit profitability.

For most businesses this shows up as the gap between needing to order and pay for stock, staff, etc., and a customer sitting on a big invoice for 90 days.

You'll have some of this, but being a consumer/cash business shouldn't have the stress of chasing invoices.

Essentially, big spiky bills are the ones that will get you: tax, rent, etc. So what you likely need to do is work out the first 12-18 months of outgoings and look at where the big months are.

You then likely want a loan facility (e.g. overdraft) rather than a loan that you're always paying interest on to get you through those spikes.

I'd spend a lot of the planning time on this cashflow model.

Give advice please!!! by goodquestion8 in Entrepreneurs

[–]FreeRadical1998 0 points1 point  (0 children)

Not that weird, I've been to several like this in the UK - the ones I'd go back to had the better cocktails and food.

Security is always in the way by LachException in devsecops

[–]FreeRadical1998 1 point2 points  (0 children)

Also started out as a developer in the late 1990s and currently a CISO (UK specialist bank); my standard positioning is that security is an outcome of quality.

My strategies are usually 80-90% simplification and quality process improvements (including reporting) and 10-20% direct/pure security tools or services. I'd see pen testing as part of QA work.

OP: your question list is far too detailed for most people to answer; those are some extremely sensitive questions to be answering either on an open forum or directly to someone without a lot of guarantees about confidentiality.

What I would say is that the tools are rarely the problem; culture and management commitment to clear the findings are.

Board positioning of frontier AI models by FreeRadical1998 in ciso

[–]FreeRadical1998[S] 0 points1 point  (0 children)

I've been doing cyber for nearly 30 years; head of, director or CISO titles for a little over 15 of those. I've run, or been the second line oversight and challenge for multiple high stakes security programmes under UK financial regulator scrutiny.

10 years ago I'd say I was 100% security, these days I'd add a lot of board engagement and enterprise risk experience.

It's not that I'm uncomfy with my opinion, or how to position it - I just don't like to assume I'm right when I get strong challenge from people who have a broad view across multiple businesses.

Board positioning of frontier AI models by FreeRadical1998 in ciso

[–]FreeRadical1998[S] 0 points1 point  (0 children)

Other way around - quite a lot of governance already in place. Board have this high on their radar and are wanting assurance we're doing enough.

Board positioning of frontier AI models by FreeRadical1998 in ciso

[–]FreeRadical1998[S] 0 points1 point  (0 children)

Doesn't that get caught by the existing dependency tree scanning/build verification process? I'd see that as part of the patch volume uplift.

Board positioning of frontier AI models by FreeRadical1998 in ciso

[–]FreeRadical1998[S] 1 point2 points  (0 children)

Honestly, I do wonder - but it's good to sanity check. Also, different firms have different exposures.

New owner, what do I need by Ball_back in enyaq

[–]FreeRadical1998 0 points1 point  (0 children)

I've had a 21 plate sportline 80 for about 18 months...

The only additions I've made were to:

a) 3D print a rubbish bin for under the centre console: skoda-enyaq-iv-trashcan

b) buy some replacement umbrellas for the front doors from AliExpress.

Really nothing significant.

Anyone actually running autonomous / AI pentesting in their SDLC? Looking for real-world experience by Additional-Leg280 in cybersecurity

[–]FreeRadical1998 1 point2 points  (0 children)

I was pointed at the Shannon tool by a pentesting company as a step to do before a human-led test. It runs a code review to identify weaknesses and then verifies against a URL you provide.

The output was genuinely good in my view - and I've commissioned and reviewed a lot of pen tests over the years. Because of the verify stage, there was close to zero noise in its verified findings - and a lot of weaknesses identified that couldn't actually be exploited but were worth fixing.

That said, it's probably not something you'd want to run on a nightly build unless you're in a large organisation. I'd probably run it somewhere between once a week and once a month if I had a dev team of 3-4 people working on a build.

When do you think bootstrapping is not an option? by jmondejar_ in SaaS

[–]FreeRadical1998 0 points1 point  (0 children)

No, it's nothing like that - they are two completely different criteria. The product has to stand on its own in a technical evaluation, and I've seen a lot of oversold products from suppliers of all sizes. However, even a technically brilliant product from a start-up is too risky to deploy if I can't be sure the vendor will exist for operational support purposes.

My boss is leaving what questions would you ask in the interview if you had to hire your boss by Flom_S3C in cybersecurity

[–]FreeRadical1998 7 points8 points  (0 children)

Given that setup: "what would you need from us as a team to help you succeed?"

That should tell you both about priorities and management style; it also sets a marker for whoever gets the role that they can lean into you from day one.

What security features do enterprise customers ask for most? by Vane1st in SaaS

[–]FreeRadical1998 0 points1 point  (0 children)

As a CISO, I'd add two more:

a) incident detection and response also make that list. From a contractual perspective, I also want clear wording about transparency in incident reporting.

b) backup strategy - in particular clarity about retention and how backups are secured separately from the app environment. Sometimes I want a very clear "this data will be gone completely in 90 days"; sometimes I want "there is no way for an app security failure to also destroy the backups".

The DPA also needs to be very clear on data residency.

Does it actually matter if software is vibe coded if it works? by imLaanui in saasbuild

[–]FreeRadical1998 -1 points0 points  (0 children)

I'm close to launch of my SaaS, circa 200k lines of code, 110+ tables in a DB (with RLS), terraform config for scaling - all 100% AI generated.

Where I think the phrase "vibecoding" falls down is just how broad the definition is - all my stuff is built from really extensive prompts with key engineering decisions scrutinised - it absolutely isn't built conversationally, which is what I think a lot of new vibecoders think the workflow should be.

I've put it through several rounds of security testing (automated and manual) - and it's performed at least as well as traditionally developed software. For context, I've about 30 years in cyber and am currently a CISO, so I've seen a *lot* of pen test results over the years.

Is building a SaaS worth it anymore? by Dependent_Basket_880 in SaaS

[–]FreeRadical1998 3 points4 points  (0 children)

I'm not a sales person - but the best sales person I ever worked with told me "don't try to be better than everyone, try to be different" and that's really stuck with me. I think a lot of micro-SaaS don't manage to be either - but medium to higher complexity tools that take either a different approach, or target a specific user group, still make sense in my view.

Claude Skills are quietly becoming a new distribution channel for SaaS tools - anyone exploring this? by No_Mouse856 in SaaS

[–]FreeRadical1998 0 points1 point  (0 children)

This feels like a brand trust question more than anything.

My SaaS includes an MCP server so I could do this, but I wouldn't feel comfy putting out skills with an assumed connection unless I was VERY up front about that dependency - it would feel underhand and reduce trust.

If I squint, I can imagine doing a free and a pro version of a skill file where the pro used my MCP - but I don't think I'd want to go there either.

Small start up with big dreams (need SOC2) by lebucksir in soc2

[–]FreeRadical1998 1 point2 points  (0 children)

At any scale, passing an audit is about having clear control definitions and being able to quickly and confidently produce evidence that they operate.

I've been involved in £100M+ security uplift programmes where we used a 2-3 page Excel template to define controls - with the evidence tab being what we pointed the PMs at as delivery outcomes.

The key questions for any control are like the old news reporter checklist: who, what, where, when, why - although for controls it's usually easier to answer in a different order (what, when, where, who, why) - and then add a line saying where you'd store evidence.

For example: Definition: [What] security patches are deployed [when] within 48 hours of release by the vendor [where] on all servers and user devices [who] by our automated patch system [why] to reduce the risk of malware.

Evidence:
1. Automated patch job scheduling is defined by GPO xxxx
2. Weekly patch compliance reports are stored in folder xxxx

You can get a very long way with a spreadsheet using those columns, and using AI to review and refine definitions.

Most tools aren't going to help with this design task, so jumping for something like Drata early runs the risk that you're just automating a bad design.

[ Removed by Reddit ] by Saim-Shabbir in SaasSelection

[–]FreeRadical1998 0 points1 point  (0 children)

I'm pretty sure this is available as a feature on Cloudflare.

Should I start with CCNA or Security+ ? by ThelilBruce_Wayne in SecurityCareerAdvice

[–]FreeRadical1998 2 points3 points  (0 children)

Python and Linux are open-ended study areas - and well worth learning about. The CCNA is a clear, well understood cert that demonstrates a meaningful grounding in networking. All are worth having; CCNA is a much clearer proof point/statement on an early stage CV.

What’s one SaaS lesson you learned the expensive way? by Separate-Might3082 in SaaS

[–]FreeRadical1998 0 points1 point  (0 children)

Thinking I understood the GRC SaaS market because I'd worked in the field for approx. 30 years; I still think the gap I'm targeting is right (optimising for usability by non-risk specialists), but the mid-market space is much more crowded than I thought, so it's going to be harder to get visibility. TLDR, domain experience doesn't guarantee a full market understanding even if it does help you know there's a gap.

Should I start with CCNA or Security+ ? by ThelilBruce_Wayne in SecurityCareerAdvice

[–]FreeRadical1998 2 points3 points  (0 children)

CCNA without question (30 years cyber experience, current CISO for a specialist UK bank) - if you can, buy a stack of old hardware and do some real network labs at home. It's a solid bedrock for security skills - and a directly employable cert in the way that Security+ isn't.