Wednesday, December 3, 2025

Journey Through Asia: Reflections, Lessons & the Power of Family

Arriving in Tokyo always brings a sense of order and discipline, but this time it felt even more pronounced. Like many long international flights I've taken, we landed under the cover of darkness nearly 24 hours after leaving home—with only carry-on bags to stay nimble for a three-country journey in under three weeks.


Returning to Tokyo after almost a decade was both nostalgic and refreshing. Instead of staying in the heart of the city, we opted for an Airbnb an hour outside the capital. A quaint two-story flat with all the essentials and a few quirks we've learned to embrace when traveling. This time, it was the cruise-ship-sized shower on the second floor and the red-painted walls on the first that made work Zoom calls interesting. Still, the location gave us an authentic slice of suburban Japan and made our visits to the Samurai Museum, Sensō-ji Temple, and a traditional & memorable tea ceremony even more special.


One unexpected highlight: stamp collecting. At the various places we went, from temples to train stations, each stamp felt like a small treasure. And of course, the ever-reliable 7-Eleven became our go-to for late-night snacks, essentials, and TikTok-famous treats the kiddos were eager to try. Their willingness to sample local packaged meals was a small joy in itself.


From there, we journeyed to Kyoto and Osaka on the bullet train, cruising at 150 mph. We witnessed and experienced everything from the world's busiest crosswalk to majestic castles, exceptional sushi, and surprisingly delicious Japanese curry. Yet even with Japan's legendary order and efficiency, navigating train transfers proved challenging. Thankfully, my daughters took the lead, from backtracking storage lockers to multi-line transfers, while I hit my limit without knowing the language.


With clean clothes running low, we welcomed our next stop, Manila, for dry cleaning services. We expected, but still had to come to terms with, the drastic change in weather: 20 degrees warmer after just a 4-hour flight southward. After navigating traffic reminiscent of LA rush hour despite landing after 10 p.m., we arrived at a beautifully crafted Airbnb south of the city. From custom woodwork to a modern kitchen and a sunlit upper deck, it was a warm welcome. Our host's generosity, from freshly made morning coffee to lending his vehicle, allowed us to explore local neighborhoods with ease.


This visit felt different from my business trip 13 years earlier. This time, it was all about family, our "Asia Extravaganza," as we coined it when we decided to take this trip 7 months prior to initial plans. This was due in part to more than 300 cousins across four generations reuniting on my mom's side. Imagining the few who couldn't attend only amplified the magnitude of the moment. The celebrations stretched into the week and continued with my dad's side of the family, smaller in number but overflowing with gratitude, stories, and a shared sense of pride.


Understanding the local language made every conversation richer, especially when contrasted with Japan and later Bangkok, where cultural similarities were familiar but language barriers more pronounced. Across these countries, the influences of history, economics, and regional culture, whether Chinese or Indian, were evident.


Bangkok brought its own energy: vibrant, spiritual, and dynamic. From temples and Buddhas proudly on display to the Sky Tower (the Hangover filming location we recognized), a duck boat ride through Lumphini Park, and Muay Thai at Rajadamnern Stadium, the city delivered one experience after another. We even met a local student eager to practice English, who offered insider tips on lesser-known temples, an exchange that inspired us to pay it forward even more when we get back home.


Of course, no trip to Bangkok is complete without a canal boat ride and a Tuk-Tuk adventure. And the Grand Palace and sacred Buddha temples offered a breathtaking reminder of Thailand's cultural soul.


Now, writing during an unexpected delay in Hong Kong (my first visit here), I'm taking advantage of the downtime to journal. My sister brought my folks across the globe, and now it's our turn to bring them home. They're ready for their own beds, familiar routines, and the comforts of home after two months.


Leadership has taught me many things, and communication remains at the center of them all. In travel as in business, clarity matters. As I wait for updates from our gate crew, I'm reminded how essential communication becomes, especially in unfamiliar surroundings. Through every step of this journey, my compass and soulmate and our two daughters have been right there with me, exploring countries they're seeing for the first time.


Quick debrief…

Family is the strongest anchor. Whether across a table or across continents, it's the connections that matter most.

Cash is king abroad. Local currency remains essential, no matter how digital we've become.

Pay it forward. Advice, kindness, local insights, small gestures shape meaningful experiences.

We prefer a structured agenda. While we enjoy the spontaneity of travel, this trip reaffirmed that a well-planned itinerary is our natural rhythm.

Stay adaptable. From train stations to flight delays, flexibility is a powerful skill.


As we watch the United Airlines app, strategize backups for our now-uncertain LAX connection, and accept that a PTO day may be sacrificed to maintenance delays, one thing remains clear: this adventure has been priceless. 


And I can't wait for our next family journey.

Saturday, November 8, 2025

Making Cyber Risk a Company-Wide Priority

SINC Fireside Chat: Security Is Everyone's Job: Aligning Cybersecurity and Business Through Leadership and Trust. Cybersecurity isn't just about protection; it's about performance. When security is embedded into the organization's fabric, aligned with business objectives, and championed by leadership, it becomes a catalyst for growth, resilience, and mission success.


Cybersecurity is a Business Imperative

Boards and executive leadership increasingly recognize cybersecurity as a core business risk. Awareness is high, but execution gaps remain. Regulators and investors expect demonstrable governance, transparency, and effective cyber programs that protect revenue, enable strategic initiatives, and preserve brand trust.

The most mature organizations treat cyber risk as enterprise risk. Risks are measured, prioritized, and funded, and owners are held accountable to the business. Frameworks such as NIST CSF and CIS Controls offer practical structures to operationalize these principles.


Governance turns to Execution

Cybersecurity governance must extend from the board to the CEO, CISO, CIO, and business leaders. Integration starts with:

  1. Incorporating security into workflows — embedding controls into product development, procurement, onboarding, and vendor intake.
  2. Making security habitual — through frictionless solutions such as single sign-on, passwordless access, automated patching, and secure defaults.
  3. Defining role-based responsibilities — integrated into job descriptions and performance reviews.
  4. Delivering contextual learning — just-in-time nudges within email and collaboration tools.
  5. Embedding security champions — within business functions like engineering, HR, and sales to act as internal service partners.


Risk Translated into Business Terms

Start with a value map connecting critical business assets (revenue streams, intellectual property, and customer data) to the cyber controls that protect them. Define risk appetite and thresholds to clarify acceptable downtime or data loss. Translate these into measurable KPIs such as:

  • Percentage of revenue-impacting systems patched within SLA
  • Mean time to detect and remediate incidents
  • Frequency of resilience and recovery tests passed
  • Risk exposure and ROI of cyber investments
  • Third-party assurance levels for critical vendors

Measurements that show business impact and risk trend lines help leadership make informed, strategic decisions.


Quantifying and Communicating Risk

Adopting Cyber Risk Quantification (CRQ) enables leaders to evaluate potential financial impacts (lost revenue, remediation costs, fines) and compare them with other enterprise risks in a shared business language.
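The kind of arithmetic CRQ puts behind that shared language, as an added worked example (not from the talk or any CRQ vendor's method): a Monte Carlo estimate of annual loss for two constructed scenarios, where event frequency is Poisson and per-event loss (revenue, remediation, fines combined) is log-normal, so leadership can compare expected loss and a bad-year (95th percentile) figure across risks. Scenario names and parameters are invented for illustration.

```python
import math
import random


def simulate_annual_loss(freq_per_year, median_loss, sigma, trials=20000, seed=7):
    """Monte Carlo: events per year ~ Poisson(freq), loss per event ~ LogNormal.
    Returns the simulated annual losses, sorted ascending (a loss-exceedance curve)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)          # log-normal median == exp(mu)
    threshold = math.exp(-freq_per_year)
    losses = []
    for _ in range(trials):
        # Knuth's method for a Poisson sample; fine for the small rates used here
        events, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            events += 1
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()
    return losses


def summarize(losses):
    """Annualized loss expectancy (mean) plus median and 95th-percentile year."""
    n = len(losses)
    return {
        "ale": sum(losses) / n,
        "p50": losses[int(0.50 * n)],
        "p95": losses[int(0.95 * n)],
    }


def analytic_ale(freq_per_year, median_loss, sigma):
    """Closed form for cross-checking the simulation: freq * E[loss]."""
    return freq_per_year * median_loss * math.exp(sigma ** 2 / 2)


# Constructed scenarios (hypothetical figures, not from the page).
SCENARIOS = {
    # rare but large: ransomware on revenue-impacting systems
    "ransomware_on_revenue_systems": dict(freq_per_year=0.3, median_loss=1_500_000, sigma=0.9),
    # frequent but smaller: compromised vendor credentials
    "vendor_credential_compromise": dict(freq_per_year=2.0, median_loss=120_000, sigma=0.8),
}


def compare_scenarios():
    """Return {scenario: summary} so both risks can be ranked in one currency."""
    return {name: summarize(simulate_annual_loss(**p)) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, s in compare_scenarios().items():
        print(f"{name}: ALE ${s['ale']:,.0f}  median ${s['p50']:,.0f}  p95 ${s['p95']:,.0f}")
```

Note that the rare scenario has a median year of zero loss but a far larger 95th percentile, which is exactly the tradeoff a board needs to see rather than a single "expected" number.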

Run tabletop exercises that use these quantified scenarios to prepare the board for tradeoffs, investment decisions, and communication strategies. Brief leadership concisely — focus on scenario impacts, not technical detail.

Embed cyber oversight into board committee charters (audit, risk, or dedicated cyber committees) and establish standing agenda items for top risks, readiness, and compliance updates. Use leadership pipelines to influence vendors, reinforce supply chain security, and restore customer trust after incidents.


Build a Culture of Security

Technology without culture is brittle. Sustainable resilience depends on the synergy of People, Process, and Technology, an emphasis my co-presenter established, with each reinforcing the others.

  • People are the first line of defense and the most vital element of maturity and success. Leadership must model secure behavior, reward good security habits, and foster psychological safety where employees report issues without fear of blame.
  • Process provides structure and balance between the other pillars. Embed security governance into workflows, performance measures, and decision-making routines across business functions.
  • Technology amplifies capability and supports the structure built. Invest in frictionless, adaptive solutions that enable security by design and reduce complexity for users.

Together, these pillars create a resilient ecosystem where security becomes second nature, not a separate discipline.


Measuring Readiness

Run annual board-led tabletop exercises to test decision-making and communication readiness. Track key indicators such as time-to-decision, time-to-public communication, and exercise frequency. Maintain pre-approved playbooks for communications, legal response, and escalation paths.

Leadership should:

  • Approve the top 5-10 enterprise cyber risks and risk appetite definitions.
  • Endorse funding for a CRQ pilot and prioritized CIS Controls implementation.
  • Commit to an annual tabletop exercise and a monthly top-risk dashboard.


Conclusion

It's an honor to help empower cybersecurity and business leaders with strategies that transform technical risk into business urgency and position cybersecurity as a true business driver.

A modern take on the Security "CIA Triad" extends beyond confidentiality, integrity, and availability to include:

  • Communication — telling the "why" story that resonates across the enterprise.
  • Integration — fostering genuine, enterprise-wide partnership.
  • Adaptation — driving innovation to advance the organization's mission.

This discussion extends and deepens the conversation around cybersecurity as a business imperative: a leadership discipline that drives trust, resilience, and competitive advantage.





Wednesday, November 5, 2025

Software Supply Chain in Crisis

CISO panel discussion at Cyber Defense Conferences on evolving third-party and AI supply chain risks

Third-party and software supply chain threats are escalating in complexity and frequency, driven by trusted access, automation, and the rapid adoption of AI. Traditional governance models reliant on static assessments and siloed controls are no longer sufficient. A shift toward continuous, integrated, and behavior-based security is imperative.


Key Insights

  • Fundamentals still matter
    Core security principles, including strong credentials, least privilege, layered defenses, and Zero Trust Architecture (ZTA), remain foundational. These principles must extend across third-party ecosystems.
  • Third-Party risk is a growing threat vector
    Attackers exploit trusted relationships, leveraging vendor access, CI/CD credentials, and automated update pipelines to bypass controls. The software supply chain remains fragile due to fragmented ownership across AppSec, CloudSec, and Vendor Risk.
  • AI-Native Dependencies Expand the Attack Surface
    AI vendors introduce opaque models, broad API integrations, and sensitive data flows. This creates new risks: model tampering, data leakage, and abuse of delegated access.
  • Velocity Outpaces Governance
    The scale and speed of modern development, particularly with GenAI, have outstripped traditional security and compliance models. Manual vetting can no longer keep pace.
  • Nation-state and ransomware threats converge
    Adversaries increasingly target SaaS and developer ecosystems for espionage, disruption, and extortion. Supply-chain compromise offers persistent access and high-leverage impact.


Strategic Actions

  1. Modernize vendor governance
    Transition from static questionnaires to continuous trust models. Require SBOMs, runtime attestations, CI/CD hygiene evidence, and enforce phishing-resistant MFA and rapid credential revocation.
  2. Institutionalize continuous validation
    Adopt CTEM-like models for third-party and supply chain risk. Automate dependency scanning, runtime enforcement, and least-privilege enforcement for connectors and APIs.
  3. Govern AI-generated code
    Implement CI policies requiring AI-generated code to be flagged, scanned, and reviewed especially for critical modules. Make this process auditable and enforceable.
  4. Prepare for supply chain campaigns
    Develop cross-functional incident playbooks. Simulate package compromise scenarios, enforce CI runner isolation, and ensure rapid token rotation and rollback capabilities.
  5. Unify ownership across domains
    Assign a supply-chain risk owner (e.g., CISO, Legal, or IT lead) with authority to enforce cross-team controls. Align SLAs and runbooks across AppSec, DevOps, CloudOps, and Vendor Risk.
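What actions 1 and 3 look like as an enforceable, auditable CI gate, as an added example (not code from the panel or any named product): one rule requires every SBOM component to be pinned and carry an integrity hash, the other requires AI-generated changes to be scanned and, for critical modules, to carry a human approval. The SBOM is a constructed fragment shaped after CycloneDX, the hash is a placeholder, and the critical-path prefixes and change records are hypothetical.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3",
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-sha256>"}]},
    {"name": "left-pad-ish", "version": "*", "purl": "pkg:npm/left-pad-ish"},
    {"name": "pyjwt", "version": "2.9.0", "purl": "pkg:pypi/pyjwt@2.9.0"}
  ]
}"""

# Hypothetical critical modules: AI-generated changes here need a human approver.
CRITICAL_PREFIXES = ("auth/", "payments/")

# Constructed change records as a CI job might assemble them from commit metadata.
SAMPLE_CHANGES = [
    {"path": "auth/token.py", "ai_generated": True, "scanned": True, "approved_by": None},
    {"path": "docs/readme.md", "ai_generated": True, "scanned": False, "approved_by": None},
    {"path": "payments/refund.py", "ai_generated": True, "scanned": True, "approved_by": "reviewer-a"},
    {"path": "util/fmt.py", "ai_generated": False, "scanned": True, "approved_by": None},
]


def check_sbom(sbom):
    """Rule 1: every component is pinned to an exact version and has an integrity hash."""
    findings = []
    for c in sbom.get("components", []):
        name, ver = c.get("name", "?"), c.get("version", "")
        if not ver or any(ch in ver for ch in "*^~<>"):
            findings.append(f"unpinned: {name} version={ver!r}")
        if not c.get("hashes"):
            findings.append(f"no-integrity-hash: {name}")
    return findings


def check_ai_changes(changes):
    """Rule 2: AI-generated code is scanned; on critical paths it is also human-reviewed."""
    findings = []
    for ch in changes:
        if not ch.get("ai_generated"):
            continue
        if not ch.get("scanned"):
            findings.append(f"ai-unscanned: {ch['path']}")
        if ch["path"].startswith(CRITICAL_PREFIXES) and not ch.get("approved_by"):
            findings.append(f"ai-unreviewed-critical: {ch['path']}")
    return findings


def gate(sbom_json, changes):
    """Apply both rules; return (passed, audit record) so every decision is traceable."""
    findings = check_sbom(json.loads(sbom_json)) + check_ai_changes(changes)
    return (not findings, {"decision": "block" if findings else "allow", "findings": findings})


def run_sample():
    return gate(SBOM_JSON, SAMPLE_CHANGES)


if __name__ == "__main__":
    print(json.dumps(run_sample()[1], indent=2))
```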


Securing today's dynamic and delicate supply chain ecosystem demands more than tools: a strong third-party risk management program rooted in a risk-based tolerance approach and executed through enterprise-wide partnership, trusted vendor relationships, and continuous validation. Next up, 4th-parties...


Thursday, October 16, 2025

October Cybersecurity Awareness

A Day of Cybersecurity Leadership, Technology, and Collaboration

What an inspiring day surrounded by cybersecurity leadership, technology, and collaboration. It was incredibly rewarding to see an entire organization come together to learn, share, and innovate toward a more secure future.


The morning began with a technical deep dive into an Application and Developer Security Platform that engaged participants across disciplines: developers, architects, analysts, and even non-technical team members eager to understand the benefits of an integrated BizDevOps and DevSecOps approach across the SDLC and vulnerability management lifecycle.


Key highlights included exploring capabilities that deliver visibility across the developer's path to production, from code inspection checkpoints to coverage spanning multiple languages, frameworks, and platforms, including infrastructure, containers, and workflows. Visibility and discovery remain essential to strong security postures, and the ability to scan environments for flaws, misconfigurations, and dependencies enhances protection from the start. Through SAST, DAST, and SCA techniques, participants witnessed how pre-deployment and runtime vulnerabilities can be detected earlier, reducing risk and remediation costs.

This "shift-left" approach not only embeds security into development but also strengthens collaboration between business and technology, creating actionable remediation and continuous improvement opportunities.


Fireside Chat with Security Leadership

The day continued with a company-wide fireside chat, moderated by the CISO, featuring security leaders in the organization. The session began with a creative twist: introductions without using the words cyber, security, or technology. With the CISO setting the tone, "I promote the company vision and protect member information," the discussion blended humor, engagement, and depth. Key topics covered leadership journeys, personal motivations, and practical insights. A light-hearted "Would You Rather…Lead this Way" segment sparked great energy, while the conversation delved into meaningful areas such as:

  • Cyber maturity and leadership evolution – highlighting how strength, curiosity, and adaptability shape effective teams.
  • Personal passions and superpowers – underscoring empathy, adaptability, and awareness as key leadership traits.
  • Security at home – emphasizing that cyber hygiene applies to family members too: strong passwords, MFA, phishing awareness, and router security.
  • AI and innovation – exploring both opportunity and responsibility, balancing progress with privacy and ethical guardrails.
  • Resiliency as a core principle – reinforced through the importance of backups, continuity, and operational safeguards.


Audience participation was lively, with thoughtful questions on topics such as password managers, MFA vs. passwordless authentication, and AI's evolving role in cybersecurity.


The session closed with scenario-based questions that brought humor and reflection, purposefully debating situational but practical scenarios including:

  • Building a rock-star team with no experience but eager learners or, seasoned veterans but overworked and burnt out.
  • Short-term wins that boost morale or, long-term goals but suffer short-term pain.
  • Budget cuts toward innovation but safeguard core operations or, cutting operations for future growth.


Afternoon Sessions

The afternoon featured a showcase of the organization's security pillars, including Compliance and Governance, Security Operations, Incident Response, Architecture, Security Awareness, and Third-Party Risk Management. Each security pillar leader shared updates and priorities, reinforcing how aligned security functions drive enterprise resilience.


The day concluded with interactive trivia focused on industry best practices and ended with prizes and giveaways, recognizing participation and celebrating strong partnerships with leading security vendors and solution providers.


Key Takeaways

  • Integration matters: Embedding security into every stage of development enhances visibility, collaboration, and faster remediation.
  • Resilience requires preparation: Backups, testing, and awareness are vital both at work and at home.
  • Leadership through partnership and collaboration: Cybersecurity thrives when technology, business, and people share responsibility.
  • Balance innovation and governance: AI and automation drive progress but require ethical and strategic guardrails.
  • Culture is the differentiator: Awareness, engagement, and shared accountability strengthen the entire security ecosystem.
  • Power of partnership cannot be overstated, as security excellence is reflected across business lines that strengthen us through collaboration with our vendors, third-party partners, and trusted service providers.

See my LinkedIn post for vendor and product solution partner names.