I've been in technology for thirty years — starting in Silicon Alley in the mid-nineties while I was still in high school, building servers in my dorm room, figuring out how networks worked by breaking them.

That background eventually collided with insurance. I spent years underwriting professional liability at AIG, led cyber strategy at Beazley, and then joined Marsh in 2014 to build what is now the firm's global cyber practice. I built it from the ground up. That's still the job.

The through-line across all of it is the same question: how do you make a rational decision about risk when the threat is technical, the exposure is hard to quantify, and the people in the room are either overselling certainty or drowning in it?

Most of the public conversation about cyber is driven by vendors selling products and consultants selling anxiety. The actual questions — what is the real risk here, what security investment really gets you, how do you build a program that survives contact with a real incident — get less airtime than they deserve.

That's what this site is for. Links to things worth reading, with the parts that matter called out. Occasionally a longer piece when something deserves it.

I'm based in New York. All views here are my own.