Northwoods Security Notes
Latest thoughts on startup security, vCISO leadership, and risk.
Why Your Incident Response Plan Doesn't Work (Yet)
Tabletop exercises cut breach timelines by 76 days. Here's how to run one that actually changes your security posture.
4/16/2026
The Plan You Hope You Never Use
Most startup IR plans are compliance artifacts, not decision-making tools. Five pre-made decisions matter more than forty pages of procedures.
4/13/2026
The SOC 2 Survival Guide: What Founders Get Wrong
SOC 2 engagements grew 49% in three years - but most startup guidance skips the hard parts. Five mistakes from the CISO side of the table.
3/19/2026
What Enterprise Customers Actually Check in Security Reviews
Most startups treat the 300-question security questionnaire as a compliance exam. It's a risk triage -- and only 20% of those questions decide the deal.
3/13/2026
When to Hire Your First Full-Time Security Person
In 2019, security was a cost center. In 2026, it's a revenue gate. Five business triggers that tell you when to hire — none involve headcount.
3/9/2026
Security Debt: Why Seed-Stage Shortcuts Cost 10x
82% of organizations carry security debt. For startups, every shortcut compounds — and the bill arrives at the worst possible moment.
2/27/2026
Stop Building Higher Walls: Why 2026 Is the Year of Resilience
How to shift the priority away from prevention
1/5/2026
The AI Paradox: Why Hyper-Efficiency Could Mean More Human Work
How a 19th-century economic theory can inform our thinking about AI and the future of work.
12/2/2025
When AI Became the Weapon
Lessons from the First Major AI-Powered Cyberattack
11/22/2025
You already hired your first security leader.
Surprise: they think they’re your DevOps engineer. 🛡️
10/1/2025
DeepSeek: A cautionary tale
How to separate the hype from the risk around DeepSeek AI
9/15/2025
The First 10 Security Controls for a Seed-Stage Team
Ten controls you can ship in weeks—not quarters—with clear owners and first steps.
9/14/2025
Welcome to Northwoods Security Notes
Plain-English security for Seed–Series B teams. Short, pragmatic posts you can act on this week.
9/14/2025

