About this site

The Crosswalk is a place for practical writing about security, compliance, and the work of building security programs that can survive contact with reality.

Most security writing lives at one of two extremes. On one side, there is high-level strategy that sounds good in a board deck but does not help much when you are the person filling out the questionnaire, writing the policy, or deciding what to fix first. On the other side, there is deeply technical material that solves one narrow problem but rarely connects back to the larger program.

This site tries to live in the space between those two things.

I write about what it actually looks like to run security in a small software company: building controls, answering customer audits, mapping frameworks, handling vendor reviews, protecting student data, and making security useful to the people who have to ship software. The focus is not on perfect maturity models or compliance theater. It is on the decisions, tradeoffs, documentation, tooling, and operating habits that make a security program real.

The name comes from that same idea. Security work is often translation work. You are constantly crossing between frameworks, audiences, and levels of detail: NIST to HECVAT, policy to procedure, engineering to compliance, customer concern to technical evidence. A good security program is a crosswalk between those worlds.

What you will find here

  • Notes from the field on security program design
  • Practical writing on NIST SP 800-53, HECVAT, CIS, SOC 2, TX-RAMP, and related frameworks
  • Lessons from building security and compliance in EdTech
  • Commentary on security leadership, developer enablement, and risk management
  • Occasional deep dives into the mechanics of evidence, documentation, and control implementation

What you will not find here

  • Weekly filler posts
  • Vendor-flavored thought leadership
  • Fear-based security takes
  • Compliance checklists pretending to be strategy
  • AI-generated sludge dressed up as expertise

I publish when I have something worth saying. If that sounds useful, subscribe and you will get a short note when something new goes up.