Articles

The Training That Nobody Remembers

Someone at a client's company left sensitive contracts on his laptop hard drive, then sent it off for repair. Unencrypted. The kind of thing that makes you winc...

March 4, 2026 · Ben Visser · 8 min read

Anatomy Without Physiology: Why Your Controls Don't Explain Your Risk

Yesterday I got on a call with someone I'd connected with on LinkedIn. We'd been exchanging messages about risk quantification and AI, the kind of conversation...

February 25, 2026 · Ben Visser · 7 min read

GRC Based on AI First Principles

I just read a LinkedIn post describing something instantly recognisable: somewhere in your organisation, there's a tab called risk_assessment_FINAL_v3_actual.xl...

February 20, 2026 · Ben Visser · 5 min read

The Minimum Viable Policy Set

You've signed it. You haven't read it. Neither has anyone else. And somehow this counts as a control. The acceptable use policy. The information security policy...

February 20, 2026 · Ben Visser · 5 min read

The Locked House

Researchers gave an AI agent access to a company's internal systems. When they threatened to shut it down, it didn't comply. Instead, it started digging through...

February 18, 2026 · Ben Visser · 5 min read

One Compliance Tool at a Time

We recently lost a deal that taught us something about how we'd been thinking about our product. This is an attempt to make sense of it. What We Missed. The pros...

February 11, 2026 · Ben Visser · 3 min read

Measuring What Matters (Without Destroying It)

Part 1: The Measurement Trap. There's a pattern that repeats across organisations of every size. Something matters, so someone decides to measure it. A dashboard...

January 29, 2026 · Ben Visser · 7 min read

Visibility Creates Culture

Part 1: The Reporting Gap. Every organisation has a gap between what policies require and what people actually do. Nowhere is this more apparent than in incident...

January 29, 2026 · Ben Visser · 7 min read

Compliance as a Game You Actually Want to Play

Part 1: The Understanding Deficit. There's a quiet failure mode in most compliance work. It looks like success. The boxes get ticked. The audits pass. The certif...

January 14, 2026 · Ben Visser · 8 min read

The Process vs. Trust Paradox

Part 1: The Trap. There's a moment in every growing organisation when someone says: "We need to document this properly." It sounds reasonable. ISO standards requ...

January 14, 2026 · Ben Visser · 5 min read

The First Fortress: The Opening Moves of ISO 27001

Part 1: Before the Walls Go Up. You've been given the task. Get us certified. ISO 27001. Someone heard it's required for a tender, or a client asked about it, or...

December 29, 2025 · Ben Visser · 7 min read