by Keith McCammon

Assorted things I’ve read, watched, or listened to:

  1. $ Why AI Is ‘Not Particularly Good’ at Curing Disease (Plus: The Next GLP-1 Boom and Why America Hates Big Pharma): A wide-ranging interview with Dave Ricks, the CEO of Eli Lilly - Pound for pound, Derek Thompson may be my most valuable Substack or newsletter subsription. I learned so much from this.

  2. The Brand Age - “One obvious lesson is to stay away from brand. Indeed it’s probably a good idea not just to avoid buying brand, but to avoid selling it too. Sure, you might be able to make money this way — though I bet it’s harder than it looks — but pushing people’s brand buttons is just not a good problem to work on, and it’s hard to do good work without a good problem.”

  3. The Signal: The cybersecurity economy, charted. - “Real-time venture funding, M&A, and market intelligence across thousands of companies and investors in the global cybersecurity industry. The market intelligence platform behind the Return on Security briefing.”

  4. The Hidden Cost of Hard-to-Fire Labor Laws: Why European Firms Don’t Take Risks - Related to items I shared back in February.

March 11, 2026

Assorted things I’ve read, watched, or listened to:

  1. How will OpenAI compete? - “OpenAI has some big questions. It doesn’t have unique tech. It has a big user base, but with limited engagement and stickiness and no network effect. The incumbents have matched the tech and are leveraging their product and distribution. And a lot of the value and leverage will come from new experiences that haven’t been invented yet, and it can’t invent all of those itself. What’s the plan?”

  2. Be a thermostat, not a thermometer - Solid life advice, disguised as employment (and management) advice.

  3. Time to Move On – The Reason Relationships End

February 24, 2026

Assorted things I’ve read, watched, or listened to:

  1. AI Taxonomy: An Operational Framework for Precision in AI Discourse - “AI” has become an umbrella term similar to “cloud”, and some precision is useful.

  2. Why Europe doesn’t have a Tesla: Europe’s cutting edge firms are falling far behind the American frontier because of restrictive labor laws, and a coincidental case study “Made in EU” - it was harder than I thought

  3. The Dangerous Economics of Walk-Away Wealth in the AI Talent War: How firms are accidentally paying their best employees to become their biggest competitors

  4. Research ROI: Floors & Ceilings - As someone who believes in the importance of research, but loathes what often end up being company-sponsored science projects, this resonates.

February 23, 2026

Menu of cybersecurity risk management options

Risk management menu

A simple visualization of risk management options, explained in the context of cybersecurity but broadly applicable.

Avoidance

Eliminate at-risk components entirely—ideal when practical, though it rarely is.

A common example is credit card processing. Many organizations choose not to store or process credit card data, instead using third-party gateways. This avoids the risks, costs, and compliance burdens (e.g., PCI DSS) of handling sensitive card information internally.

Mitigation

Manage risk exposure or impact using preventive, detective, or response controls—the most common cybersecurity approach.

Most cybersecurity products and services focus on mitigation. Endpoint detection and response (EDR), identity security solutions (IdPs), cloud security, security event management platforms (data lakes, SIEM), and managed security services (MSSP, MDR) all help mitigate present and emerging risks.

Transference

Find someone else to actively manage the risk. You still have a risk, and transference is rarely wholesale, so a good understanding of your remaining risk is critical.

“Risk transference” used to be largely synonymous with “insurance.” Today, using cloud-based applications or infrastructure is one of the most common forms of cybersecurity risk transference. Availability, integrity, product security and more are shared with the vendor, allowing the customer to build upon a strong foundation. That said, widespread adoption of these technologies has also created a tremendous concentration of trust, which can have a disastrous impact if and when adversaries compromise cloud vendors.

Acceptance

Evaluate the potential cost of a realized risk. If prevention or mitigation costs aren’t justified, explicitly accept the risk and plan accordingly. Often the least desirable option for security practitioners—though business leaders may be more willing.

A typical scenario involves legacy or niche applications running despite known vulnerabilities, risk of failure, or other scenarios. When mitigating or replacing such systems is too costly, risks are accepted, often supplemented by basic mitigations like isolation or enhanced disaster recovery planning.

Assorted things I’ve read, watched, or listened to:

1. Shapeshifting Chrome extensions

2. Comprehensive (>6500 word) business and technical teardown of spyware peddler Paragon

3. Migrate your Tweets to Bluesky, preserving the original date - Novel use of the AT Protocol’s timestamp functionality, which allows backdating of posts. To avoid the appearance of shenanigans, the date and time of the Bluesky post will reflect when it was migrated, and the original date is preserved as a badge. NOTE: I am never doing this.

March 19, 2025