Phil Venables

@philvenables.bsky.social

286 Followers  |  0 Following  |  44 Posts  |  Joined: 22.11.2023  |  1.3632

Latest posts by philvenables.bsky.social on Bluesky

Decoding Cybercrime's True Scope: Beyond the Trillion-Dollar Hype As security specialists, we regularly see claims about the escalating scale of cybercrime, often hearing staggering claims that it’s a "multi-trillion dollar problem." I’ve never seen any comprehensiv...

Decoding Cybercrime's True Scope: Beyond the Trillion-Dollar Hype

A new NASEM report reveals the truth about #cybercrime stats: our data is fragmented, inconsistent, & underreported. We can't fight what we can't accurately measure.

www.philvenables.com/post/decodin...

26.07.2025 14:57 — 👍 0    🔁 0    💬 0    📌 0

The Don't Fire Me Chart

A lot of premature CISO turnover is caused by the security program uncovering previously unknown risks and issues. So, paradoxically, the best CISOs make the situation *seem* worse before it then *actually* gets better.

www.philvenables.com/post/career-...

12.07.2025 14:42 — 👍 2    🔁 1    💬 0    📌 0

Cyber Insights Needed & Delivered

My analysis of the recent Cyentia Institute report. Things are getting worse in absolute terms but it’s not clear (my take) they are getting worse relative to what the situation might be.

www.philvenables.com/post/cyber-i...

28.06.2025 13:59 — 👍 1    🔁 1    💬 0    📌 0

Segmentation Technologies / Zero Trust

Thinking about doctrine vs. structure is a useful mental model to validate a technology’s adequacy for a particular task. In short, to know whether we are jamming a square peg into a round hole.

www.philvenables.com/post/segment...

14.06.2025 15:44 — 👍 2    🔁 0    💬 0    📌 0
CISO / Cybersecurity Leader Job Description There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too detailed to capture the actual essence of the role. I developed t...

A different take on the CISO / Cybersecurity Leader Job Description.

www.philvenables.com/post/ciso---...

31.05.2025 14:44 — 👍 3    🔁 1    💬 1    📌 0

Starting a Security Program from Scratch (or re-starting).

www.philvenables.com/post/startin...

17.05.2025 17:05 — 👍 3    🔁 0    💬 0    📌 0

Security Leaders’ Reading List

Not many security books. Security leader challenges are mostly, well, leadership along with a healthy dose of program mgmt, culture, attention to detail, risk mgmt and more.

www.philvenables.com/post/leaders...

22.03.2025 17:35 — 👍 7    🔁 1    💬 0    📌 1

Turning the Security Flywheel

This post explores the "flywheel" concept and its application to security, demonstrating how to create self-reinforcing cycles that improve effectiveness.

www.philvenables.com/post/turning...

08.03.2025 15:44 — 👍 5    🔁 3    💬 0    📌 1
Post Quantum Cryptography Migration: Time to Get Going Quantum computing is advancing rapidly. Innovations from Google, Microsoft, IBM and others are pushing the boundaries of not just the numbers of qubits but also their quality. We are well on our way t...

Cryptanalytically Relevant Quantum Computers (CRQCs) are coming. Perhaps sooner than we think, but we can conservatively (and usefully) assume in the 2032 - 2040 time frame. Beware the snake-oil of non-standard solutions.

www.philvenables.com/post/post-qu...

22.02.2025 16:28 — 👍 2    🔁 1    💬 0    📌 1

Keys to Career Success

www.philvenables.com/post/keys-to...

11.01.2025 16:19 — 👍 1    🔁 1    💬 0    📌 1
Top Ideas and Posts from 2024 I managed to keep up the pace of 1 post every 2 weeks throughout 2024. Just when I think I might be running out of ideas, and the backlog of topics is running low, then something always manages to com...

Top Ideas and Posts from 2024

In closing the year let’s take a look at the top 10 posts of 2024 in order of most read.

www.philvenables.com/post/top-ide...

28.12.2024 15:03 — 👍 0    🔁 0    💬 0    📌 0

Want to know more about cyber-physical resilience & why leading indicators like software reproducibility & cold-restart time are more effective than just focusing on lagging indicators?

Then take a listen to the 2024 season finale of the cloud security podcast.

cloud.withgoogle.com/cloudsecurit...

24.12.2024 14:46 — 👍 3    🔁 1    💬 0    📌 1
Cloud CISO Perspectives: From gen AI to threat intelligence: 2024 in review | Google Cloud Blog To close out the year, our CISO Phil Venables shares the top Google Cloud security updates in 2024. There’s a lot of AI, of course, and a few surprises.

Cloud CISO Perspectives for end of Dec ’24 is up covering:

- Year end review from AI to Threats
- Forecast for 2025
- AI ISO certifications
- NIS2 compliance
- Threat intel. program development
- Detection as code
- and much more….

cloud.google.com/blog/product...

23.12.2024 18:06 — 👍 1    🔁 1    💬 0    📌 1

Remember, as security professionals we are defending the free flow of ideas and capital that are essential for human progress. Defending lives and livelihoods. That's the mission. Happy Holidays.

sketchplanations.com/the-three-br...

22.12.2024 15:17 — 👍 1    🔁 0    💬 0    📌 0
The Maintenance Paradox Maintenance never makes sense in the short term, yet it is indispensable in the long term.

The Maintenance Paradox.

luca-dellanna.com/posts/mainte...

14.12.2024 15:50 — 👍 1    🔁 0    💬 0    📌 0

Leadership: One Day at a Time, One Step at a Time.

www.philvenables.com/post/leaders...

14.12.2024 15:36 — 👍 0    🔁 0    💬 0    📌 0
Google Cloud first CSP to join BRC, MFG-ISAC, and affiliates to advance security | Google Cloud Blog Google Cloud is proud to be the first cloud service provider to partner with the GRF Business Resilience Council and its affiliates. Here’s why.

Proud to see @googlecloud as the first cloud service provider to partner with the @GRFederation and its affiliates to help further strengthen the manufacturing industry's cyber resilience.

Read more on what this means here:

cloud.google.com/blog/product...

12.12.2024 17:30 — 👍 1    🔁 0    💬 0    📌 0
Cloud CISO Perspectives: Our 2025 Cybersecurity Forecast report | Google Cloud Blog Google Cloud security experts don their forecasting hats to gauge what’s coming in 2025, in our newest CISO newsletter.

Cloud CISO Perspectives for early Dec '24 is up covering:

- Forecasting 2025: Notes from the Field
- Open source security patch validation
- C2 in browser isolation environments
- Every CTO should be a CTSO
- and more......

cloud.google.com/blog/product...

10.12.2024 18:12 — 👍 1    🔁 0    💬 0    📌 0
Oops! 5 serious gen AI security mistakes to avoid | Google Cloud Blog Pitfalls are inevitable as gen AI becomes more widespread. In highlighting the most common of these mistakes, we hope to help you avoid them.

Oops! 5 serious gen AI security mistakes to avoid

cloud.google.com/transform/oo...

06.12.2024 00:25 — 👍 1    🔁 0    💬 0    📌 0
The “Eureka!” Moment We asked 20 scientists and thought leaders to recall when they realized AI had the potential to change the world.

How has the development and adoption of AI changed over the last year? Dive into the current landscape in this issue of the Dialogues magazine, from @Google and @atlanticrethink for insightful perspectives on the transformative power of AI.

Read here: www.theatlantic.com/sponsored/go...

02.12.2024 16:43 — 👍 0    🔁 0    💬 0    📌 0
Regulatory Harmonization - Let’s Get Real Every few months some association or other learned group of professionals makes a fresh call to action for cybersecurity regulatory harmonization. The logic being that cybersecurity professionals are spending more time showing adherence to compliance obligations or dealing with the toil due to differences in regulation than they are actually mitigating risk.I do have some sympathy with this sentiment but I would push back on this being as big a problem as people generally assert. However, as we

Regulatory Harmonization - Let’s Get Real

Most cyber controls are relatively aligned. Calls for action on harmonization are really induced by obligations from other technology risk domains or broader. Focusing on reducing compliance toil is the right approach.

www.philvenables.com/post/regulat...

30.11.2024 14:39 — 👍 1    🔁 0    💬 0    📌 0
Presentations — Benedict Evans Every year, I produce a big presentation exploring macro and strategic trends in the tech industry. For 2024, ‘AI, and everything else’.

It's here. Benedict Evans's annual presentation. Predictably it's all about AI. Well worth a read.

www.ben-evans.com/presentations

27.11.2024 00:00 — 👍 1    🔁 0    💬 0    📌 0
Cloud CISO Perspectives: Ending ransomware starts with more reporting | Google Cloud Blog Cyber-insurance can play a big role in stopping ransomware — if we let it, say this month’s guest columnists Monica Shokrai and Kimberly Goody.

Cloud CISO Perspectives Blog for end of Nov '24 is up, covering:

- Ransomware and cyber insurance
- Workload identity federation
- Reducing toil of audit compliance
- Gemini AI for malware analysis
- and much more....

cloud.google.com/blog/product...

25.11.2024 17:46 — 👍 0    🔁 0    💬 0    📌 0

Lessons in Crisis Management - Top 10 Disaster Movies

Which ones am I missing?

www.philvenables.com/post/lessons...

16.11.2024 15:35 — 👍 1    🔁 0    💬 0    📌 0
Risk Appetite and Risk Tolerance - A Practical Approach If you work for a large organization, especially public or otherwise regulated companies, then you may well have faced the prospect of developing a risk appetite statement. You might have been enthusi...

Risk Appetite & Tolerance - A Practical Approach

Defining risk appetite should support business decision making - ensuring risk taking is for strategic objectives while capping downside. Risk tolerance expression should permit choices and measurement.

www.philvenables.com/post/risk-ap...

02.11.2024 14:00 — 👍 2    🔁 0    💬 0    📌 1
Job Interviews: Part 2 Conducting the Security Interview - The Big 10 This is the second of two posts about interviews (the first post is here). In this one I’ll focus on interviewing candidates and the main attributes to look for when selecting potential security leade...

The Top 10 Attributes of Great Security Leaders

1. Curiosity
2. Influence
3. Moral Courage
4. Persistence
5. Collaboration
6. Critical and Logical Thinking
7. Broad Technical Understanding
8. Culture Alignment
9. Strategic Mindset
10. Team Building

www.philvenables.com/post/job-int...

05.10.2024 14:32 — 👍 0    🔁 0    💬 0    📌 0
6 Truths of Cyber Risk Quantification I wrote the original version of this post over 4 years ago. In revisiting this it is interesting to note that not much has actually advanced in the field. Yes, there have been more products and tools ...

6 Truths of Cyber Risk Quantification

1. Risk Quant vs. Risk Comms
2. Risk = Hazard + Outrage
3. Experience and Judgement Eats Data for Breakfast
4. A Tree Falls in the Forest
5. All Risk Quantification is Wrong
6. Multi-Disciplinary or Nothing

www.philvenables.com/post/6-truth...

07.09.2024 17:33 — 👍 2    🔁 0    💬 0    📌 0

Ethics and Computer Security Research

- Stakeholder Perspectives and Considerations
- Respect for Persons and Informed Consent
- Beneficence
- Justice
- Respect for Law and Public Interest

www.philvenables.com/post/ethics-...

24.08.2024 14:20 — 👍 1    🔁 0    💬 0    📌 0
33 Computer Programs That Changed the World This is a slight departure from my normal security and risk management topics, but is something I’ve been getting more interested in. There are now a myriad of books like “A History of the World in 10...

33 'Computer Programs' That Changed the World

- OS/360
- Multics
- VAX/VMS
- Linux
- Python
- Git
- IBM VTAM (in SNA)
- Netscape Navigator
- RSA BSAFE
- Borg
- SecDB
- and more........
www.philvenables.com/post/33-comp...

27.07.2024 12:30 — 👍 1    🔁 0    💬 1    📌 0
Why Good Security Fails: The Asymmetry of InfoSec Investment One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have less and less incidents, then some time later, someone somewhere migh...

Why Good Security Fails: The Asymmetry of InfoSec Investment.

www.philvenables.com/post/why-goo...

13.07.2024 14:29 — 👍 1    🔁 0    💬 0    📌 0