Brutalist CISO Notes

A CISO's Minimal Notes Method

TL;DR

Capture fast. Preserve decisions. Drive action. Reconnect context later without maintenance. One note per day. Pen and paper or a plain text app.

The Method

The idea of a “second brain” sounds perfect. Structured knowledge. Everything tagged. Everything searchable.

For a CISO, it usually collapses under its own weight.

Modern CISOs don’t lack information. They suffer from velocity. Constant context switching. Executive meetings. Incidents. Budget politics. Board pressure. Regulatory noise. Vendor churn. Internal power dynamics.

A second brain assumes time. Time to curate. Time to file. Time to maintain structure. Time to revisit and refine.

A CISO doesn’t have that time.

The more elaborate the system becomes, the less it gets used. It quietly turns into a digital attic. Things go in. Very little comes back out. You end up managing the system instead of the system serving you.

What actually works at this altitude is not knowledge management. It’s operational memory.

A CISO notes system only has three real jobs. Capture fast. Preserve decisions. Drive action.

Everything else is overhead.

This method uses simple symbols to route information immediately, without folders, taxonomies, or future cleanup.

The symbols are:

* Context
+ Decision
-> Action
? Open decision (optional)

If a note doesn’t preserve judgment, record a decision, or move something in the real world, it isn’t useful.

Context is not documentation. It’s what future-you will forget or misremember.

Signals. Constraints. Executive intent. Risk posture. Power dynamics. Political reality.

Examples:

* Finance quietly blocking headcount through “efficiency” language
* CEO framing next quarter around simplification, not growth
* Legal uneasy about owning breach comms again

This is what shapes decisions months later, when everyone swears the past was different.

Decisions are the highest-value artifact a CISO produces. They are also the first thing memory rewrites.

A decision line captures what was decided, why, and when it should be revisited if needed.

+ Remove CVSS from board reporting | false precision
+ Defer EDR migration | org instability + Q4 freeze | revisit Feb
+ Accept 60-day prod access review exception | revenue blocking

This creates defensible executive memory. Not just outcomes, but intent.

Open decisions live here too:

? Replace XDR this year or fund identity hardening
? Centralize IAM now or wait until post-M&A integration

Writing them down removes cognitive drag. They stop living only in your head.

Actions are one-line commitments. They are never buried, implied, or scattered.

Format:
-> verb + object — owner — timeframe

-> Confirm incident comms owner — Jim — by Thu
-> Rewrite board slide 5 to risk narrative — me — by Fri
-> Pull unmanaged AWS account list — Cloud Ops — by Mon

If something must move in the real world, it earns an arrow.

Capture is intentionally boring.

One note per day. Date at the top. Write continuously. Use the symbols.

Pen and paper works. A pocket notebook. Index cards. Whatever opens instantly.

A notes app works too. One new note per day. Plain text. No structure. Fast open, fast write, fast search. Personally, I’m partial to Auer Notes. It’s intentionally plain and optimized for fast capture and retrieval without imposing structure. But the tool is interchangeable. Even a single running .txt or .md file using Vi on the terminal works.

If your app pushes you to organize, tag, decorate, backlink, or curate, it is working against you.

Search does the work. Search “->” for actions. “+” for decisions. “*” for context.

Once a week, five minutes, non-negotiable. Search for “->” and ask three questions.

1. Is this done?
2. Is this dead?
3. Does this belong to someone else?

If it survives the week, you follow up or consciously kill it.

That’s the entire maintenance model.

This beats a second brain because there is nothing to maintain. No taxonomy. No folders. No system to manage. The symbols route information instantly. The method survives incidents, board weeks, fatigue, and political churn.

Example Note

Friday 2026-01-16

* CEO pushing “simplification” narrative → budget pressure likely H2
* Legal uneasy about owning breach comms again
-> Confirm IR comms owner — Jim — by Thu
+ Do not centralize IAM this quarter | org churn + M&A fatigue | revisit Q2

Met with Cloud Engineering
* Shadow AWS accounts still appearing from acquired teams
-> Pull unmanaged account list + owners — Cloud Ops — by Mon
+ Allow temporary prod access exception | blocking revenue deploy | 60-day sunset

Board prep
* Directors respond to risk narrative, not control maturity
-> Rewrite slide 5 to material risk story — me — by Fri
+ Remove CVSS from board deck | false precision

Late afternoon
* CISO role informally expected to arbitrate product vs security disputes
-> Schedule standing biweekly with Product + Security — EA — next 2 weeks
? Solid-line product security or remain federated
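Because the four markers sit at the start of every line and the decision and action lines use fixed separators, a daily note like the one above can be split into context, decisions, actions and open questions mechanically, which is all the weekly "search for ->" pass really is. The following script is an added example, not part of the original post or of any notes app it mentions. It assumes the separators exactly as the post's format lines show them (" | " between decision, rationale and revisit date; " — " between action, owner and timeframe) and treats any unmarked, non-empty line as the heading of the section that follows it. The sample input is the example note copied from the post.

```python
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the example note from the post above (Friday 2026-01-16).
EXAMPLE_NOTE = """\
Friday 2026-01-16

* CEO pushing “simplification” narrative → budget pressure likely H2
* Legal uneasy about owning breach comms again
-> Confirm IR comms owner — Jim — by Thu
+ Do not centralize IAM this quarter | org churn + M&A fatigue | revisit Q2

Met with Cloud Engineering
* Shadow AWS accounts still appearing from acquired teams
-> Pull unmanaged account list + owners — Cloud Ops — by Mon
+ Allow temporary prod access exception | blocking revenue deploy | 60-day sunset

Board prep
* Directors respond to risk narrative, not control maturity
-> Rewrite slide 5 to material risk story — me — by Fri
+ Remove CVSS from board deck | false precision

Late afternoon
* CISO role informally expected to arbitrate product vs security disputes
-> Schedule standing biweekly with Product + Security — EA — next 2 weeks
? Solid-line product security or remain federated
"""

# Leading marker -> entry kind. "-> " is checked before "- " style lines
# are ever considered, and "+ " only matches at the start of a line, so a
# "+" inside a rationale ("org churn + M&A fatigue") is not mistaken for one.
MARKERS = (("-> ", "action"), ("+ ", "decision"), ("* ", "context"), ("? ", "open"))


@dataclass
class Entry:
    kind: str                                   # action / decision / context / open
    text: str                                   # line body with the marker removed
    section: str                                # nearest preceding unmarked line
    fields: dict = field(default_factory=dict)  # kind-specific sub-fields


def split_fields(kind: str, body: str) -> dict:
    """Break a decision or action body into its named parts; missing parts are None."""
    if kind == "action":
        parts = [p.strip() for p in body.split(" — ")]
        keys = ("what", "owner", "when")
    elif kind == "decision":
        parts = [p.strip() for p in body.split(" | ")]
        keys = ("what", "why", "revisit")
    else:
        return {}
    return {k: (parts[i] if i < len(parts) else None) for i, k in enumerate(keys)}


def parse_line(line: str, section: str) -> Optional[Entry]:
    """Return an Entry for a marked line, or None for headings and free text."""
    for marker, kind in MARKERS:
        if line.startswith(marker):
            body = line[len(marker):].strip()
            return Entry(kind, body, section, split_fields(kind, body))
    return None


def parse_note(text: str) -> list:
    """Parse one daily note into a flat list of entries, in file order."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_line(line, section)
        if entry is None:
            section = line          # date line or meeting heading
        else:
            entries.append(entry)
    return entries


def weekly_review(entries: list) -> dict:
    """The five-minute pass: every action, grouped by owner, with its deadline and section."""
    review = {}
    for e in entries:
        if e.kind == "action":
            owner = e.fields["owner"] or "unassigned"
            review.setdefault(owner, []).append((e.fields["what"], e.fields["when"], e.section))
    return review


if __name__ == "__main__":
    for owner, items in weekly_review(parse_note(EXAMPLE_NOTE)).items():
        print(owner)
        for what, when, section in items:
            print(f"  {what} ({when}) [{section}]")
```

Running it prints the four actions grouped under Jim, Cloud Ops, me and EA, each with its deadline and the section it was captured in, which is the list the weekly done/dead/someone-else's questions are asked against. Because the parser keys only on the marker and the two separators, the same script works unchanged against a month of daily files concatenated together.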

That’s It

No summaries. No transcripts. No knowledge gardening. Just what’s going on, what was decided, and what must move.

This isn’t a second brain; it’s operational memory.

And for a CISO, that’s what actually compounds.


Note: this post also lives in CISO Notes.