So you maybe noticed that there was a post on here yesterday and it’s not here now. After consideration and from a “full disclosure” standpoint, I feel like I owe folks an explanation about why that is.
If you saw that post, you’ll know I posed a few methodological questions about the Cybersecurity 500 list (i.e. who was on it and why). After discussions with one of their executives, I have suspended that post. Folks who know me know that I don’t usually ever suspend a post – even when big companies (or sometimes people I consider friends) disagree with what I say (case in point: the argument I had with AMTSO folks a few years back)… I figure that any company has a bigger megaphone than I do – because bear in mind this isn’t my “day job” – so they’re free to say whatever they want in response to anything I say here.
This situation is a little different though. Ultimately, in this case, it comes down to the value to practitioners associated with the questions I posed. I’ve come to the conclusion that those questions will likely occur to others with or without my post. Answering them fully requires significant work on my part. So, with apologies to Learned Hand’s formula, the time required for me to deep dive into it (i.e. to fully unpack the methodology, meet with them about it, etc.) outweighs the value that publicly posing the questions would have. I still have the same questions, but exploring them more isn’t worth the opportunity cost when I could be writing about something more directly practical – like, for example, TLS 1.3.
Am I backing down? I don’t think so. But hey, I didn’t think yesterday’s post was overtly negative either.