Trusted by leaders. Proven in practice. Hired for clarity.

I’m an author, consultant, and long-time practitioner in cyber risk quantification. I write about modern cyber risk, measurement, and decision-making — and I share that thinking with organizations and the broader community through advisory work, workshops, and keynote talks.

Explore My Work
About My Book

My Approach

My work focuses on modern cyber risk, quantitative analysis, and better decision-making. I write extensively about these topics in essays, in my newsletter, and in my book From Heatmaps to Histograms. If you want to understand how I approach cyber risk, measurement, and uncertainty, or how I teach and advise through keynotes and consulting, start here.

Two white standard six-sided dice with black dots on a blue background, mid-air, showing different numbers.

Essays on cyber risk, risk quantification, and better decision-making. Practical insights for practitioners and leaders.

Explore Essays
Book cover titled "From Heatmaps to Histograms" by Tony Martin-Vegue, with a black background and a heatmap graphic in a circle at the top.

From Heatmaps to Histograms is a practical guide to modern cyber risk quantification and better decisions.

My Book
A man in a gray suit giving a presentation or speech with a slide in the background.

Keynotes, workshops, and advisory work rooted in clear thinking and real-world experience.

Speaking/Advisory

Speaking & Advisory

I work with organizations and events that want clear, practical guidance on modern cyber risk and decision-making.

Speaking

A man in a gray suit giving a presentation on stage, holding a remote in his right hand and gesturing with his left hand.

Keynotes and talks for conferences, leadership teams, and security organizations. I focus on modern cyber risk, uncertainty, and clearer decision-making. My talks introduce practical ideas and frameworks that help teams think differently.

Speaking Details

Advisory

A person with curly hair and a beard points at a wall covered with notes and sketches, with a shadow cast on the wall, in a bright room with horizontal window blinds.

Expert guidance on cyber risk quantification, program design, and decision-making frameworks. I work with leaders who want clarity, defensible analysis, and a practical approach grounded in real experience.

Consulting Overview

Latest Essays

Featured
“That Feels Too High”: A Risk Analyst's Survival Guide
“That Feels Too High”: A Risk Analyst's Survival Guide

When stakeholders say your quantitative risk numbers don't "feel right," there are three main reasons: you missed something they know, cognitive bias is affecting their judgment, or you failed to communicate the numbers clearly. The key is to listen first and diagnose which reason applies, because their discomfort often contains the most valuable feedback for improving your risk analysis.

Six Levers That Quietly Change Your Risk and How to Spot Them
Six Levers That Quietly Change Your Risk and How to Spot Them

Most people think risk only moves when you add controls, but five other hidden forces are quietly reshaping your exposure behind the scenes. This post breaks down the six levers that actually move the math, so you can stop treating risk like a snapshot and start reading it like a live feed.

AGI Dreams: What Keeps a Risk Professional Up at Night
AGI Dreams: What Keeps a Risk Professional Up at Night

Even a data‑driven risk analyst like me loses sleep when the threat model is a hypothetical, self‑aware AGI that could be friend, foe, or clueless Pinocchio. Its timeline and motives are so unknowable that they expose the limits of traditional risk models and remind us that the scariest risks are those we can barely imagine—until they suddenly arrive.

Why Ransomware Isn’t Just a Technology Problem (It’s Worse)
Why Ransomware Isn’t Just a Technology Problem (It’s Worse)

Ransomware isn’t a tech failure - it’s a market failure. If you think the hardest part is getting hacked, wait until the lawyers, insurers, and PR firms show up.

Vendor Sales Tactics: The Good, The Bad, and the Bathroom
Vendor Sales Tactics: The Good, The Bad, and the Bathroom

Most security vendors are great — but a few cross the line from persistent to downright creepy, sometimes in ways you won’t believe. With RSA Conference looming, here’s a behind-the-scenes look at the worst sales tactics I’ve ever seen (yes, even in the bathroom).

What the Great Hanoi Rat Massacre of 1902 and Modern Risk Practices Have in Common
What the Great Hanoi Rat Massacre of 1902 and Modern Risk Practices Have in Common

When the French tried to solve Hanoi’s rat problem, they accidentally made it worse , and today’s cyber risk management is making the same mistake. Beneath the polished audits and colorful risk charts, a hidden system of perverse incentives is quietly breeding more problems than it solves.

Zines, Blogs, Bots: A Love Story
Zines, Blogs, Bots: A Love Story

After a quiet stretch spent baking bread and relearning balance, I started wondering—has blogging joined zines in the graveyard of formats displaced by tech? With AI now mimicking human voices, I’m asking a bigger question: what does it mean to write now, and why does it still matter?

The CISO’s White Whale: Measuring the Effectiveness of Security Awareness Training
The CISO’s White Whale: Measuring the Effectiveness of Security Awareness Training

Most CISOs secretly wonder: does security awareness training actually reduce risk, or just check a compliance box? This post breaks down the metrics that don’t work—and offers a practical framework for ones that do.

Read More

Stay in the Loop

I often write about cyber risk, measurement, and how we make decisions. If you want updates on new essays, book news, and early ideas I am working through, you can join here.