Hi, I’m Tony.

I’m here to make cybersecurity less about fear and more about rational decision-making.

That starts with risk, economics, and cutting through the noise.

I’m less interested in frameworks and more interested in outcomes. Less “best practice,” more actual practice. I believe security should be measurable, risk should inform decisions, and that compliance theater is wasting everyone’s time.

I cover topics like quantitative risk, security economics, and the psychology of bad choices — because behind every breach is a human, a budget, and a spreadsheet that no one believed.

Latest Essays

Featured
Why Ransomware Isn’t Just a Technology Problem (It’s Worse)
Why Ransomware Isn’t Just a Technology Problem (It’s Worse)

Ransomware isn’t a tech failure - it’s a market failure. If you think the hardest part is getting hacked, wait until the lawyers, insurers, and PR firms show up.

Vendor Sales Tactics: The Good, The Bad, and the Bathroom
Vendor Sales Tactics: The Good, The Bad, and the Bathroom

Most security vendors are great — but a few cross the line from persistent to downright creepy, sometimes in ways you won’t believe. With RSA Conference looming, here’s a behind-the-scenes look at the worst sales tactics I’ve ever seen (yes, even in the bathroom).

What the Great Hanoi Rat Massacre of 1902 and Modern Risk Practices Have in Common
What the Great Hanoi Rat Massacre of 1902 and Modern Risk Practices Have in Common

When the French tried to solve Hanoi’s rat problem, they accidentally made it worse , and today’s cyber risk management is making the same mistake. Beneath the polished audits and colorful risk charts, a hidden system of perverse incentives is quietly breeding more problems than it solves.

Zines, Blogs, Bots: A Love Story
Zines, Blogs, Bots: A Love Story

After a quiet stretch spent baking bread and relearning balance, I started wondering—has blogging joined zines in the graveyard of formats displaced by tech? With AI now mimicking human voices, I’m asking a bigger question: what does it mean to write now, and why does it still matter?

The CISO’s White Whale: Measuring the Effectiveness of Security Awareness Training
The CISO’s White Whale: Measuring the Effectiveness of Security Awareness Training

Most CISOs secretly wonder: does security awareness training actually reduce risk, or just check a compliance box? This post breaks down the metrics that don’t work—and offers a practical framework for ones that do.