Writing
Essays across cybersecurity, cloud engineering, project management, and leadership — on the topics that matter most right now.
2026
Feb. 2026
Why Post-Quantum Cryptography Matters Now, Not Later
NIST's 2024 finalisation of post-quantum cryptographic standards marked a turning point — not because quantum computers can break RSA today, but because the window for organisations to act is closing faster than most security leaders realise. This essay walks through the threat model, the standards landscape, and a practical migration framework for teams who can't wait for the problem to become urgent.
AI in Threat Detection: Signal or Expensive Noise?
Every major security vendor now claims AI-powered threat detection. But when you look at what's actually happening under the hood — the false positive rates, the labelling dependencies, the drift problem — the gap between marketing and operational reality is stark. A critical look at where ML genuinely adds value in a SOC, and where it's adding cost without clarity.
Zero Trust at Scale: A Reality Check for Practitioners
Zero Trust has gone from fringe principle to compliance checkbox in under five years — and that speed has created a generation of Zero Trust programmes that look right on paper but don't change real access behaviour. This piece cuts through the buzzword layer to examine what genuine Zero Trust adoption requires: identity-first architecture, microsegmentation trade-offs, and the organisational change problem that no vendor solves for you.
2025
Dec. 2025
FinOps in Practice: Getting Real Cloud Cost Visibility
Cloud bills keep growing, but the visibility into why rarely improves at the same pace. This piece walks through the FinOps discipline from a practitioner angle — tagging strategies that actually work, the right time to introduce unit economics, how to run a cost review that finance and engineering can both act on, and the common failure modes that turn cloud cost management into a political problem instead of a technical one.
Cloud-Native Security: What the Shared Responsibility Model Actually Demands
Every AWS customer accepts the shared responsibility model at account creation. Most don't truly internalise what it means until something goes wrong. This essay takes the model apart layer by layer — what AWS owns, what you own, and the dangerous grey zone in between — with specific focus on the most commonly misconfigured services: S3, IAM, EC2 security groups, and Lambda execution roles.
IaC and the Security Drift Problem: Why Terraform Alone Isn't Enough
Infrastructure-as-code solved configuration drift for provisioning. But it didn't solve security drift — the gradual divergence between what your Terraform state says and the actual security posture of your environment, caused by manual changes, emergency fixes, and the slow erosion of policy enforcement. This piece covers detection strategies, Policy-as-Code patterns with OPA and Conftest, and how to build a pipeline that catches drift before audit does.
2025
Dec. 2025
AI-Assisted Project Management: What Actually Changes and What Doesn't
AI tools are reshaping how project managers draft plans, generate status reports, and synthesise stakeholder feedback. But the core of PM work — risk judgement, stakeholder trust, scope negotiation, leadership under pressure — remains stubbornly human. This essay separates the real productivity gains from the hype, and argues that the PMs who thrive won't be those who resist AI, or those who defer to it, but those who use it to free up time for the work that still requires a human in the room.
Technical PM vs Programme Manager: Why the Distinction Matters
The terms are often used interchangeably — and shouldn't be. A Technical PM operates inside a delivery team, holding technical credibility alongside process rigour. A Programme Manager coordinates across multiple projects at the strategic level, often without deep technical fluency. Understanding the distinction clarifies career paths, hiring decisions, and why organisations sometimes put the wrong person in either role and wonder why delivery suffers.
Hybrid Delivery Done Right: Neither Agile Nor Waterfall
Most real-world projects don't fit neatly into agile or predictive frameworks — and the PMP's updated focus on hybrid delivery reflects this. But "hybrid" can mean anything, which means it often means nothing. This piece lays out a principled approach to blending methods: where predictive planning adds stability, where sprint-based iteration accelerates discovery, and how to design governance structures that don't become bureaucratic overhead for teams trying to move fast.
2026
Feb. 2026
Building Technical Credibility as a Leader (Without Staying an IC)
The transition from technical contributor to technical leader requires a paradox: you need to let go of the work that earned you the room while still demonstrating enough fluency to hold your team's respect. This essay explores how to maintain technical credibility through curiosity rather than output — asking the right questions, engaging meaningfully in architecture discussions, and building a reputation for judgement rather than just execution.
Managing Up in Technical Organisations: A Practitioner's Guide
Managing up is one of the least discussed and most career-defining skills in technical work. This piece breaks down what it actually means — translating technical complexity into executive language, building trust before you need it in a crisis, knowing when to escalate and when to absorb, and navigating the uncomfortable reality that your manager's success is part of your job description. Written for practitioners who are technically strong and organisationally still finding their footing.
Psychological Safety in Security Teams: Why It's a Performance Issue, Not a Feelings Issue
Security teams that can't speak up about gaps, question assumptions, or escalate concerns without career risk are security teams that will eventually miss something critical. Drawing on Amy Edmondson's research and real-world security incident patterns, this essay makes the business case for psychological safety in security contexts — not as a culture initiative, but as an operational requirement for teams trusted to protect critical systems.