You're Not Paid To Think

“You’re not paid to think.” I’m sure this phrase will spark fond memories if you’re ex-military. It was a joke… or was it. I would hear this said as ‘banter’ after a baffling decision had come down the chain of command, from some lofty heights. Or traded as a knowing joke between people who knew better but didn’t dare say so. Sometimes it wasn’t a joke at all, but an excuse not to override an order they knew was sub-optimal or downright wrong, through fear of discipline… or simply because leadership was weak. ...

May 28, 2026 · 8 min · Ben Griffiths

Your SOC Metrics Aren't Measuring Security

Keeping the status quo was a mistake. I was building a SOC, in-housing all the outsourced capabilities from a Managed Security Services Provider (MSSP), and I had been asked to provide some specific metrics for an internal governance board. The same metrics the MSSP had been reporting. I provided them without questioning whether they were still appropriate, or whether they’d be the right ones for us going forward. They were not. ...

March 30, 2026 · 9 min · Ben Griffiths

The CrowdStrike Lesson: Security vs Operational Risk

What the world doesn’t need right now is another CrowdStrike hot take… so here’s mine. I’m not here to throw any more at CrowdStrike. They’ve had enough. There was a mistake with big impact.1 It happens. There is a lesson to be learnt though: every security control carries a tradeoff, and in this case it’s operational risk. But this recent event serves to remind us. We cannot just blindly push security controls; there are tradeoffs which must be understood. ...

July 22, 2024 · 3 min · Ben Griffiths