How to Make Black Swans Extinct
and Why ISO31000 is the Weapon of Choice
Presented at the 2021 ISC2 Security Congress 18OCT21

We lack an agreed definition for cybersecurity and even worse, despite an international risk management standard endorsed by more than 160 nations, our profession uses multiple differing security risk management frameworks. If every employer, client and supplier has a different view of risk management, how can we expect to keep up with the bad guys, let alone beat them consistently? Even if your cybersecurity framework is best in the world, we all need to be in alignment. When 100 security professionals developed the Security Risk Management Body Of Knowledge, we integrated best practice from around the world. And it started with the ISO31000 Risk Management Guideline. This presentation is about applying ISO31000 principles, framework and process in the real cybersecurity world, and in the internet of things.

Five Insights Into Risk Management

These PowerPoint and PDF files contain the slides from my presentation at Risk Awareness Week 2020.

I started out with the intention of highlighting five key insights into risk management, but the list grew to roughly 25 insights.

As a result, the presentation is an intense, information-rich journey through a collection of risk insights from the past 30 years of my risk management career. All a bit much for a 60-minute video, so I provided a list of additional videos, articles, books, and resources where you can find more information and supporting evidence. Hope you find it useful.

You can find a link to the video of the presentation as well as reading material and evidence at this FYI.TO link:

Enterprise Security Risk Assessment

This PowerPoint file contains the slides from my presentation at Protective Security In Government in October 2020. You can find the conference and the video presentation at:

It takes a slightly different focus from my usual presentations on Enterprise Security Risk Assessments (ESRA) and Enterprise Security Risk Management (ESRM). Rather than focusing on the tactical process of an actual assessment, I chose to give an overview of the four processes of an ESRA:

  1. Strategic Process

  2. Operational Process

  3. Tactical Process

  4. Background Process

I also wanted to answer the age-old question of (roughly) how much it costs to conduct an ESRA, whether using a consultant such as myself, in-house staff, or a combination thereof.

Risk Benchmarking

This is a presentation that I originally created some years ago. It is something of a precursor to the Risk Performance Benchmarking book, but it has some graphics and concepts that you might find useful.

Security Risk Management MasterClass 28 January 2020

These three presentations (PPTX on the left and PDF on the right) are from an SRM Masterclass that I ran in Singapore.

They cover:

1. Update on SRMBOK and ISO31000

2. Security Risk Assessment

3. Career management