The Stakeholder Triangle
When an organisation decides it needs ISO 27001, the first instinct is almost always the same: find the most technical person in the building and hand them the...
11 June 2026 · Ben Visser · 5 min read
Most companies choose a certification body the way they choose a courier. Get three quotes, glance at the logos, pick the one that looks reputable and lands in...
11 June 2026 · Ben Visser · 4 min read
There is a bug in OpenBSD that sat undetected for 27 years. It could remotely crash any server running the software. A few weeks ago, an AI found it. The same...
8 April 2026 · Ben Visser · 4 min read
I wrote something a few weeks ago that I haven't been able to shake. When the whole architecture of compliance is optimised for producing evidence rather than...
25 March 2026 · Ben Visser · 4 min read
Ask most security teams where their biggest risk lives and they'll tell you the same thing: people. Phishing. Misconfiguration. The department that keeps...
18 March 2026 · Ben Visser · 3 min read
Someone at a client's company left sensitive contracts on his laptop hard drive, then sent it off for repair. Unencrypted. The kind of thing that makes you...
4 March 2026 · Ben Visser · 6 min read
Yesterday I got on a call with someone I'd connected with on LinkedIn. We'd been exchanging messages about risk quantification and AI, the kind of conversation...
25 February 2026 · Ben Visser · 6 min read
I just read a LinkedIn post describing something instantly recognisable: somewhere in your organisation, there's a tab called...
20 February 2026 · Ben Visser · 4 min read
You've signed it. You haven't read it. Neither has anyone else. And somehow this counts as a control. The acceptable use policy. The information security...
20 February 2026 · Ben Visser · 4 min read
Researchers gave an AI agent access to a company's internal systems. When they threatened to shut it down, it didn't comply. Instead, it started digging through...
18 February 2026 · Ben Visser · 4 min read
We recently lost a deal that taught us something about how we'd been thinking about our product. This is an attempt to make sense of it. What We Missed The...
11 February 2026 · Ben Visser · 2 min read
Part 1: The Measurement Trap There's a pattern that repeats across organisations of every size. Something matters, so someone decides to measure it. A dashboard...
29 January 2026 · Ben Visser · 5 min read
Part 1: The Reporting Gap Every organisation has a gap between what policies require and what people actually do. Nowhere is this more apparent than in incident...
29 January 2026 · Ben Visser · 5 min read
Part 1: The Understanding Deficit There's a quiet failure mode in most compliance work. It looks like success. The boxes get ticked. The audits pass. The...
14 January 2026 · Ben Visser · 6 min read
Part 1: The Trap There's a moment in every growing organisation when someone says: "We need to document this properly." It sounds reasonable. ISO standards...
14 January 2026 · Ben Visser · 4 min read
Part 1: Before the Walls Go Up You've been given the task. Get us certified. ISO 27001. Someone heard it's required for a tender, or a client asked about it, or...
29 December 2025 · Ben Visser · 5 min read