Entry N° 009 · 25 April 2026 · 7 min
Never Waste a Good Incident
Boards should treat incidents as learning moments. Culture, executive commitment, response speed, and asset insight matter as much as frameworks or technology
N° 07 · THE JOURNAL Essays · Field notes · Weather
TheJournal.
Writing from the trail. Essays on digital leadership, AI assurance and the small, telling moves that separate a new executive from a newly-appointed one.
Topics
Entry N° 013 20 April 2026 · 2 min
Context decides whether AI risk work is real
AI risk cannot be judged in the abstract. Organisations should assess AI in context, use NIST’s seven characteristics, and make appraisal a collective exercise rather than a solo compliance check.
Entry N° 006 14 April 2026 · 14 min
A Better Logic for Cybersecurity Spend
Most boards still back cybersecurity spend with benchmarks and instinct. The answer here is a clear pyramid: fund hygiene first, treat compliance separately, and reserve full ROSI for targeted risk scenarios
Entry N° 008 17 March 2026 · 6 min
Putting a Price on Cyber Risk
Cyber risk becomes a board decision when loss scenarios are quantified. Yuri Bobbert shows how breach impact, ROSI, governance gaps, and balanced scorecards turn security spending into business evidence.
Entry N° 007 18 February 2026 · 7 min
Simplifying the Weight of Tech Compliance
Rising EU tech regulation becomes manageable only when companies simplify control evidence. The answer is practical: in-control statements, one common controls framework, and a test-once-comply-many model that reduces duplicated compliance work
Entry N° 005 7 January 2026 · 11 min
Eight questions every executive should be able to answer about the AI their company is about to sign off on.
A working list, distilled from boardroom conversations. None of them require technical expertise; all of them reveal whether the programme is ready to be signed.
Entry N° 004 17 December 2025 · 4 min
Field note · Zürich.
On spending two days in a room with an incoming CIO.
Entry N° 003 3 December 2025 · 8 min
The Practical Case for a vCISO
A vCISO gives organisations strategic security leadership without the cost of a full-time hire. The article sets out the role, the business case, and the operating disciplines that make it credible.
Entry N° 002 15 November 2025 · 5 min
Where Technology Debt Breaks the Deal
Kuijper and Bobbert argue that weak cyber due diligence leaves buyers blind to the technology debt shaping valuation. Their Cyber Risk Agent turns raw IT evidence into decision-ready risk, cost, and integration insight.
Entry N° 001 1 November 2025 · 9 min
Crossing The Silos In Cyber Governance
Boards are increasing cyber budgets, but resilience still depends on execution. Bobbert argues that CIO, CFO, and CISO governance must turn Zero Trust, risk quantification, and validation into one operating model.
Entry N° 010 22 April 2024
How AI will Elevate or Eliminate the Role of the CISO
Bobbert argues that AI will automate much of the CISO’s current workload, but not its human core. The real issue is whether the role rises into strategy or dissolves into broader enterprise management.
N° 02 · The archive
Every entry, by year.
2026.
Context decides whether AI risk work is real ·A Better Logic for Cybersecurity Spend ·Putting a Price on Cyber Risk ·Simplifying the Weight of Tech Compliance ·Eight questions every executive should be able to answer about the AI their company is about to sign off on.
5 entries
The Fortnightly Dispatch.
A short letter every other week — one essay, one field note, one small observation worth keeping. No advertising, no reposts.
Private · One-click unsubscribe · Held at Ysherpa