Northwoods Security Notes
Latest thoughts on startup security, vCISO leadership, and risk.
Resilience is Key to Startup Survival
So treat recovery measures like your business life depends on them - because it does.
6/4/2026
The Credentials Nobody's Managing
Non-human identities outnumber employees 82-to-1, and 91% survive off-boarding. A four-step audit to find the ghost credentials in your stack.
5/28/2026
The Biggest Breach Study of the Year Has a Startup Problem
Verizon's annual breach study analyzed 22,000 incidents. Three findings hit startups harder - and the commentary skips them.
5/21/2026
Fractional CISO vs. Full-Time CISO: Which Does Your Startup Need?
Small/midmarket CISOs average $415K in total comp. Fractional runs $5K-$15K/month. But the real question isn't cost - it's stage.
5/18/2026
Put Away Your Hammer - That AI Vendor is Not a Nail
Your SOC 2 checklist was built for something entirely different. If you don't want to wind up like the 97% of AI breach victims who lacked proper AI controls, here are the tools you need.
5/7/2026
What Your Board Will Ask About AI Security
AI moved from pilot to board agenda faster than most founders expected. Three questions are coming - and the answers reveal more than you think.
4/23/2026
Why Your Incident Response Plan Doesn't Work (Yet)
Tabletop exercises cut breach timelines by 76 days. Here's how to run one that actually changes your security posture.
4/16/2026
The Plan You Hope You Never Use
Most startup IR plans are compliance artifacts, not decision-making tools. Five pre-made decisions matter more than forty pages of procedures.
4/13/2026
The SOC 2 Survival Guide: What Founders Get Wrong
SOC 2 engagements grew 49% in three years - but most startup guidance skips the hard parts. Five mistakes from the CISO side of the table.
3/19/2026
What Enterprise Customers Actually Check in Security Reviews
Most startups treat the 300-question security questionnaire as a compliance exam. It's a risk triage - and only 20% of those questions decide the deal.
3/13/2026
When to Hire Your First Full-Time Security Person
In 2019, security was a cost center. In 2026, it's a revenue gate. Five business triggers that tell you when to hire — none involve headcount.
3/9/2026
Security Debt: Why Seed-Stage Shortcuts Cost 10x
82% of organizations carry security debt. For startups, every shortcut compounds — and the bill arrives at the worst possible moment.
2/27/2026
Stop Building Higher Walls: Why 2026 Is the Year of Resilience
How to shift the priority away from prevention
1/5/2026
The AI Paradox: Why Hyper-Efficiency Could Mean More Human Work
How a 19th-century economic theory can inform our thinking about AI and the future of work.
12/2/2025
When AI Became the Weapon
Lessons from the First Major AI-Powered Cyberattack
11/22/2025
You already hired your first security leader.
Surprise: they think they’re your DevOps engineer. 🛡️
10/1/2025
DeepSeek: A cautionary tale
How to separate the hype from the risk around DeepSeek AI
9/15/2025
The First 10 Security Controls for a Seed-Stage Team
Ten controls you can ship in weeks—not quarters—with clear owners and first steps.
9/14/2025
Welcome to Northwoods Security Notes
Plain-English security for Seed–Series B teams. Short, pragmatic posts you can act on this week.
9/14/2025