What the Billable Hour Reveals
The time-and-materials model is not just a pricing mechanism. It is a lens that exposes a structural misalignment between how consulting firms spend effort and where clients perceive value.
Series
Phase I — Observation
7 essays in this series
Before you can secure or transform a system, you have to see it clearly. Phase I essays address the foundational challenge of visibility — in operational technology environments, in AI deployments, and in organizational structures where the documented state rarely matches the actual one. The core argument across this phase is that most security and transformation failures begin not with the wrong response, but with an incomplete picture. Observation is not passive. It is the first disciplined act of operating in a complex environment.
From Continuous Monitoring to Continuous Awareness
Data volume produces the appearance of security awareness while frequently obscuring the understanding that awareness is supposed to provide. The distinction between monitoring and awareness is the difference between having data and understanding what it is telling you.
Safe Interrogation in Fragile Systems: The Art of Touching Without Breaking
There is a competency in OT security that rarely appears in job descriptions but separates practitioners who can operate in industrial environments from those who have only studied them.
The Visibility Gap in OT: Why You See Less Than You Think
The gap between documented assets and actual assets in industrial environments is not organizational incompetence — it is a structural feature. And threat actors are not constrained by your asset inventory.
Why Vulnerability Management Breaks Down in Industrial Systems
The patch-prioritize-verify cycle of enterprise vulnerability management rests on assumptions that collapse in OT environments. A mature OT vulnerability program looks fundamentally different — and must be built from scratch.
Active vs. Passive Monitoring in OT: The Question Nobody Wants to Answer
Passive monitoring is the safe choice in OT — and if taken too literally, it is also an incomplete one. The real answer is a tiered interrogation model that reflects actual device risk, not methodology purity.
The False Promise of IT Security in OT Environments
The assumption that OT security is just IT security in a different building is not only wrong — it is dangerous. Applying IT controls to OT environments does not reduce risk. It introduces a new category of it.