field journal · learning in public · no fixed cadence

UPISLAND

Security comes from Latin se—without, cura—worry. Without worry. That's the deliverable — and it isn't what we're shipping.

For thirty years, cybersecurity programs have shipped chaotic documentation of activity instead of an interface to the business that invokes calm. This is a field journal arguing for a different shape — a Cybersecurity Program Product: narrative + evidence, presented to the right person at the right time, so the viewer's experience is one of calm about the state of their data and infrastructure. I'm not building it. I want other companies to. Until they do, I think out loud here.

free/no cadence/roughly 10 min when it lands/be early — no readers yet.

$ sketch components --target=cpp what a cpp would surface

A CPP has five things going on at once. These are sketches.

No. 01·component · sketch

a live program narrative.

One always-updated paragraph the CFO can read in twenty seconds: here are the goals we're pursuing, here are the metrics we track them by, here are the strategies we're using, here is the budget and team, here is what's actually moving. Top-down. Honest. No charts that lie.

how this lands →
program.md — sketch · live state
    # a paragraph the cfo can read in 20s
    goals
    ├── reduce blast radius of identity compromise
    ├── shrink MTTR on prod data-path incidents
    └── raise CFO confidence in spend mix
    metrics — last 90d
    [ok]  identity blast radius: ↓ 38%
    [wip] MTTR data-path: 52m → 41m
    [ok]  CFO confidence: 4 of 5
    # this paragraph is the deliverable.

No. 02·component · sketch

what attackers are trying.

A short, plain-language readout of the adversary activity that actually applies to us right now — and the specific controls preventing each attempt from landing. Updated as the field moves. Read it, and you know what's pointed at you and why it hasn't worked.

how this lands →
adversary.live — sketch · last 24h
    # what they're trying. why it isn't working.
    [try] oauth consent phishing
          → blocked by consent governance · MFA replay-protected
    [try] agentic recon on public surfaces
          → surfaced to attack-surface monitor · rate-limited at edge
    [try] npm supply-chain on shared deps
          → blocked by pinned lockfile · isolated build agents
    # the calm comes from naming both halves.

No. 03·component · sketch

cost if they succeeded.

The same adversary activity, priced. What it would cost the business if each attempt landed — translated from threat-language into CFO-language, with sources from real incidents in the industry. Not theatre. A number, with a footnote.

how this lands →
cost-if.txt — sketch · directional
    # what it would cost us if each landed
    oauth consent phish · exec mailbox
        direct: CHF 0.4–1.2m (wire-fraud range)
    agentic recon → public exposure
        direct: CHF 0.1–0.3m (remediation + comms)
    supply-chain → prod compromise
        direct: CHF 2.0–6.5m (downtime + breach class)
    # cited from 3 industry incidents, 2024–26.

No. 04·component · sketch

money → programs → safety.

Every CHF on the security spend, mapped to the program it funds and the proactive defence that program produces. The viewer can trace any line item to the attempted attack it blocks. No mystery line items. No "security tax."

how this lands →
spend-map.txt — sketch · annual
    # every line, traceable to the attack it stops
    identity hardening          CHF 220k/yr
        blocks: oauth phishing · MFA replay · token theft
    attack-surface monitor      CHF 80k/yr
        blocks: agentic recon · shadow-IT exposure
    build-pipeline integrity    CHF 140k/yr
        blocks: supply-chain · CI compromise
    # trace any CHF to the threat it retires.

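Added example, not from the journal or any product it describes: a toy single source of truth that joins component 02 (attempts and the controls that stopped them) with component 04 (spend lines and what they claim to block), plus the traceability checks a CPP owner would run before showing the spend map to a CFO. The data model and function names are my assumptions; the rows are lifted from the two sketches above except the two marked hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:            # component 02: what attackers are trying (last 24h)
    name: str
    blocked_by: tuple     # controls that stopped it; empty means nothing named yet

@dataclass(frozen=True)
class SpendLine:          # component 04: money -> program -> attacks it claims to block
    program: str
    chf_per_year: int
    blocks: tuple         # attempt names this program is funded to stop

# constructed from the page's sketches; the last row of each tuple is my addition
ATTEMPTS = (
    Attempt("oauth consent phishing", ("consent governance", "MFA replay-protected")),
    Attempt("agentic recon on public surfaces", ("attack-surface monitor", "rate-limited at edge")),
    Attempt("npm supply-chain on shared deps", ("pinned lockfile", "isolated build agents")),
    Attempt("password spray on VPN", ()),   # hypothetical: observed, no control named
)
SPEND = (
    SpendLine("identity hardening", 220_000, ("oauth consent phishing", "MFA replay", "token theft")),
    SpendLine("attack-surface monitor", 80_000, ("agentic recon on public surfaces", "shadow-IT exposure")),
    SpendLine("build-pipeline integrity", 140_000, ("npm supply-chain on shared deps", "CI compromise")),
    SpendLine("awareness posters", 30_000, ()),  # hypothetical: the "security tax" line
)

def unfunded_attempts(attempts=ATTEMPTS, spend=SPEND):
    """Observed attempts that no spend line claims to block: the gap to fund or explain."""
    funded = {name for line in spend for name in line.blocks}
    return [a.name for a in attempts if a.name not in funded]

def mystery_lines(spend=SPEND, attempts=ATTEMPTS):
    """Spend lines that stop nothing in the adversary readout: re-justify or cut."""
    observed = {a.name for a in attempts}
    return [line.program for line in spend if not observed & set(line.blocks)]

def trace(program, spend=SPEND, attempts=ATTEMPTS):
    """Follow one CHF line to the observed attempts it stopped and the controls that did it."""
    line = next(s for s in spend if s.program == program)
    return {a.name: list(a.blocked_by) for a in attempts if a.name in line.blocks}

def traceable_share(spend=SPEND, attempts=ATTEMPTS):
    """Fraction of annual CHF that maps to an attack actually seen: a number the CFO can read."""
    total = sum(line.chf_per_year for line in spend)
    dark = set(mystery_lines(spend, attempts))
    untraced = sum(line.chf_per_year for line in spend if line.program in dark)
    return round(1 - untraced / total, 3)
```

With the constructed rows, the checks surface one observed attempt nobody is funded to stop and one line item that retires no observed threat, which is exactly the pair the spend map is meant to make impossible to hide.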
No. 05·component · sketch

the right view, the right viewer.

One source of truth. Different surfaces for the board, the ops team, the auditor, the regulator, and you. Each one sees what they need at the depth they can act on — AI handles the targeting. Same facts, different focal length. Calm is per-viewer.

how this lands →
viewers.cfg — sketch · per-audience
    # same facts. different depths. calmer rooms.
    board   one paragraph + 3 numbers + trend arrows
    cfo     spend → programs → blocked attacks
    ops     active controls + queue + drift
    audit   control evidence + sampling + gaps
    you     the full picture, no charts that lie
    [ai]    targeting layer rewrites depth per viewer
    # a CPP is calm at every focal length.

$ man up-island what's an up island?

Everyone's heard of Up Island. Few have been.
It's the place where the work is calmer, the leverage is real, and one person quietly does what a team of twenty used to do.

The maps are wrong. The ferries don't go there. You don't arrive — you find your way.

$ ./diagnose --role ciso why we made this

The CISO role was designed for the Fortune 500. Everyone else gets a fractional consultant — or nothing.

stderr · diagnose.sh · 3 findings

[fail] The defenders are losing ground — year after year, gap widening, no plateau in sight.
       we're racing 20-year-old playbooks against 6-month-old attacks. that math doesn't work.

[warn] We burn the budget on compliance theater. The attackers, sadly, don't read the audit reports.
       a green dashboard has never stopped a real one. not even once.

[info] The standard fix — "hire more people" — is broken. Talent is gone. Market priced you out.
       so. what now? that's what this journal is for.

[idea] We document activity when we should be presenting calm. The fix isn't more controls. It's a different product.
       a security program is a product. and we haven't built it yet.

$ diff compliance.md security.md a small distinction

One of these looks like security. Only one of them is.

benchmark — compliance vs adversary-aware · illustrative · directional · not measured here

Real attacks stopped · per quarter · median
    compliance      0.4
    real security   6.2
    → 15.5× more attacks actually stopped

Time spent on paperwork · hours per week · per operator
    compliance      22h
    real security   4h
    → 5.5× less time in the audit binder

Budget hitting actual risk · % of security spend on adversary-aware work
    compliance      18%
    real security   74%
    → 4.1× more budget on what matters

Median response time · from alert to containment · minutes
    compliance      312m
    real security   17m
    → 18× faster to contain

You don't strengthen a defence by adding paperwork.
You strengthen it by giving the business an interface it can feel safe behind. — up·island · field note · early

$ ls ~/dispatches/ the kind of thing that shows up

No fixed format. Three habits show up most often.

habit 01 curation

thought-leader picks

Who I'm reading and stealing from this round — the practitioners and contrarians worth your attention, with the load-bearing idea underlined.

I read the noise so you don't have to.

habit 02 translation

into an operating model

What their thinking looks like once you try to run a CISO program from it. Components, sequencing, what to drop, what to insist on.

ideas are cheap. operating models cost something.

habit 03 in public

built in the open

The artifact, dashboard, prompt, playbook or program-narrative I'm trying right now. Nothing exists yet. You see the rough version first.

half-built beats well-pitched.

$ who --on-island solo or fifty, doesn't matter

The one-person CISO office scales both ways.

Whether you're alone in the office or running a 50-person team at an SME — if you're trying to rebuild the shape, this is for you.

$ cat MANIFESTO.md signed and dated

one-person-ciso volume i things we believe

Cybersecurity has failed to communicate its value to the business for two decades. The fix isn't more controls. It's a different product.

The controls mostly worked. The gap was the interface — what we said to the people funding us, and how little of it landed. Boards still don't feel safe. CFOs still don't trust the spend. The deliverable was supposed to be calm. We shipped chaos and called it documentation.

What's missing is a Cybersecurity Program Product. An always-updated, audience-targeted interface that combines narrative and evidence so that, looking at it, the viewer feels safe. Not because it claims safety — because it presents safety. What the program is pursuing, what it's spending, what attackers are trying, what they can't reach because of X and Y, what it would cost if they did. Top-down. Honest. Calm.

I'm not building this as a product. I run my own program this way, and I think other companies should build it for theirs — or, better, somebody should build it as a category so the rest of the field can pivot. This journal is me thinking out loud about that pivot — translating thought leaders, sketching components, and showing my own version as it takes shape, in public.

I won't promise weekly. I won't promise short. I'll promise honest, and that there's no vendor underneath any sentence here.

— Kitaro keeper · resident of the island

$ tip --target=keeper supporting = loving

Keep the lighthouse on.

No ads. No sponsors. No vendor strings. There are zero subscribers yet — but if anything here ever earns its keep with you, you can drop a coin in the jar. There's no premium tier and no member wall. Same journal. Just better fuelled.

▸ links are placeholders for now — payment processor wiring pending (Ko-fi recommended; Stripe later).