This pillar is where I break down the strategic side of cyber: the architecture, the frameworks, the governance, and the decisions that actually shape how security works inside an organisation.
It’s not just theory, it’s the practical thinking behind building secure systems, aligning with business goals, and making risk‑based decisions that matter.
If you want to understand the “why” behind the “how,” you’re in the right place.
Whenever I run a tabletop exercise, the first thing I do is set the tone for the room. I tell everyone that this is not a test and it’s not about catching anyone out. It’s a safe space to walk through our policies, procedures, and decision‑making as a team. The goal is to explore how we work, not judge how anyone performs.
A good tabletop lives or dies on facilitation. A script doesn’t remove spontaneity, it creates psychological safety. It gives the facilitator a structure to fall back on, keeps the room aligned, and ensures the exercise stays focused on process rather than personalities. This script is written so that even a first‑time facilitator can run the scenario confidently while still leaving space for natural discussion and team dynamics.
An After‑Action Report is where a tabletop exercise turns into something real. It’s the moment where the conversation becomes clarity, and clarity becomes improvement. This AAR captures not just what happened in the scenario, but how the team thought, reacted, hesitated, and learned, because that’s where the real value sits.
A participant handout sets the tone for the entire exercise. It gives everyone the same starting point, removes uncertainty, and helps people focus on the scenario rather than trying to remember process details. This one is designed to be read in under two minutes, just enough to orient the room without overwhelming it.
A PIR isn’t just paperwork. It’s where the real learning happens. It’s the document that turns an incident into improvement. To show you what a mature, well‑structured PIR looks like in practice, here’s a full example based on a realistic MFA fatigue and OAuth compromise scenario.
This article isn’t just a guide, it’s a complete, modern Incident Response Plan aligned to NIST CSF 2.0. A full, real‑world IRP you can use as a reference, benchmark, or starting point for your own organisation.
Most organisations have an IRP. Most discover it doesn’t work the moment they actually need it. Not because the document is wrong, but because it was written for the organisation they used to be, not the one responding to an incident today. Incidents in 2026 are cloud‑distributed, identity‑driven, SaaS‑entangled, and business‑impacting. Modern incident response is… Read more: How to Write a Modern Incident Response Plan (IRP) Using NIST CSF 2.0
For years, cybersecurity teams followed the traditional NIST Incident Response Process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This model shaped how organisations built response capabilities and how students learned incident handling. The threat landscape has shifted dramatically, with cloud‑identity attacks defying linear phases, ransomware spreading before containment can begin, and supply‑chain compromises blurring… Read more: The Evolution of Incident Response: Updating the Classic NIST IRP to the 2026 Framework
If you work in Australia, you’ve probably heard someone mention the ACSC Essential 8 in a meeting, usually right before everyone nods like they understand what’s going on. Spoiler: most people don’t. The Essential 8 is Australia’s baseline cyber security framework, a minimum and a voluntary baseline standard organisations can adopt to meet their cyber… Read more: The Essential 8 Explained Like You’re New to Cyber (But Want to Actually Understand It)
Whenever I run a tabletop exercise, the first thing I do is set the tone for the room. I tell everyone that this is not a test and it’s not about catching anyone out. It’s a safe space to walk through our policies, procedures, and decision‑making as a team. The goal is to explore how we work, not judge how anyone performs.
A PIR isn’t just paperwork. It’s where the real learning happens. It’s the document that turns an incident into improvement. To show you what a mature, well‑structured PIR looks like in practice, here’s a full example based on a realistic MFA fatigue and OAuth compromise scenario.
This article isn’t just a guide, it’s a complete, modern Incident Response Plan aligned to NIST CSF 2.0. A full, real‑world IRP you can use as a reference, benchmark, or starting point for your own organisation.
Most organisations have an IRP. Most discover it doesn’t work the moment they actually need it. Not because the document is wrong, but because it was written for the organisation they used to be, not the one responding to an incident today. Incidents in 2026 are cloud‑distributed, identity‑driven, SaaS‑entangled, and business‑impacting. Modern incident response is… Read more: How to Write a Modern Incident Response Plan (IRP) Using NIST CSF 2.0
For years, cybersecurity teams followed the traditional NIST Incident Response Process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This model shaped how organisations built response capabilities and how students learned incident handling. The threat landscape has shifted dramatically, with cloud‑identity attacks defying linear phases, ransomware spreading before containment can begin, and supply‑chain compromises blurring… Read more: The Evolution of Incident Response: Updating the Classic NIST IRP to the 2026 Framework
If you work in Australia, you’ve probably heard someone mention the ACSC Essential 8 in a meeting, usually right before everyone nods like they understand what’s going on. Spoiler: most people don’t. The Essential 8 is Australia’s baseline cyber security framework, a minimum and a voluntary baseline standard organisations can adopt to meet their cyber… Read more: The Essential 8 Explained Like You’re New to Cyber (But Want to Actually Understand It)