Practical risk management for teams without a playbook
Working notes from building security and compliance programs at organizations where you can't just throw resources at the problem.
I've spent a long time in technology — development, project management, and eventually security, compliance, and IT operations, usually all at once. Most guidance assumes resources smaller organizations don't have, and assumes failures are people problems when they're nearly always system problems.
This site is the working alternative: to the point, honest about trade-offs, and built around a simple conviction — you can't fix what you can't see. Everything here is free. No email walls, no upsell, no pretending I've never gotten any of this wrong.
Find your situation
Before the questionnaire arrives
Security debt compounds like the technical kind — and the interest comes due mid-deal.
US Government: FCI, CUI, and the CMMC clock
Two questions price everything, and the certification queue can't be expedited.
India: Three clocks already running
DPDP deadlines, CERT-In's six-hour rule, and ISO 27001 showing up in tenders.
ISO & Mgmt Systems: Certify the system, not the heroics
What the certificate attests to, and the 9001/CMMI head start most teams waste.
Start with these
You're the security team now. Start here.
The 80/20 of SMB security: the five controls that close the doors attackers actually use — with playbooks, a 90-day plan, and the numbers that prove it's working.
Leadership: Talking to leadership about risk: bring decisions, not dashboards
The three-sentence rule, calendar-language likelihood, and why documented risk acceptance is your best friend.
Risk Library: 37 risks, written the way a register entry should be
Event, cause, impact — in a sortable, filterable table with suggested scores, first controls, and the evidence that proves them.
Templates that actually get used
Working documents — a risk register, a CIS IG1 gap assessment workbook, a one-page leadership briefing, a three-policy starter set, and the risk library workbook. Each comes with a short guide explaining why it's built the way it is, because the reasoning is the part that transfers.
Risk Register
1–3 scoring with concrete anchors, named decision makers, ten realistic example risks.
Gap Assessment — CIS IG1 (Excel)
56 safeguards in plain English, mapped to NIST CSF 2.0 and ISO 27001:2022.
Leadership Risk Briefing (Word)
One page, quarterly, fifteen minutes. Decisions first.
Policy Starter Set (Word)
Three core policies, each under two pages, enforceable as written.
Want to know when something new lands?
Drop me a line and I'll let you know. That's the whole deal — no newsletter machinery, no follow-up sequence.
hello@allaboutrisk.info