Welcome!

The information security industry has one customer in mind. It is not you.

If you’re a photographer, podcaster, ceramicist, videographer, or any kind of creative building a business on digital platforms, the industry’s guidance wasn’t designed for your situation. The threats — account takeovers, payment fraud, data exposure — are the same ones enterprises face. The solutions exist. Nobody translated them into language a working artist can use.

That is why this publication exists.

Essential Risk Management is plain-language information security, written specifically for artists and media creators. Not for compliance departments. Not for IT teams. For the photographer whose client archive lives on a cloud account she set up in ten minutes, and the podcaster who just got his PayPal hijacked and doesn’t know where to turn. For media creators, painters, sculptors, glassblowers, and those who create beauty in the world.

Each piece is built to be understood and acted on — no jargon, no fear-mongering, no enterprise solutions dressed up in a sales pitch.

Why subscribe?

Free subscribers receive:

  • Plain-language breakdowns of data breach news reports — how the breach affects you and what steps reduce your exposure

  • Alerts about new online threats with corrective actions you can actually implement

  • Commentary on how Artificial Intelligence is reshaping our daily online activities

  • Notes and commentary on topical issues that affect your online activities

  • Pictures and short vignettes of my cat Tigre the Tiger Tabby (Non-negotiable)

Paid subscribers also get:

  • The ability to comment and join a community of working creatives sharing experiences and practical solutions with each other

  • Periodic "Ask the Ace" Q&A sessions for you to get your questions answered about online risk reduction

  • Checklists and tools to harden your web browser that reduce and obscure personal data so you can retain more of your privacy online

  • Processes for interacting with your email and social media activities to reduce your risk of triggering malware that can steal your data, money, and encrypt or destroy your devices

Where do I use Artificial Intelligence (AI) in my writing process?

"AI is here to stay. How do we live with it?"

-- Rosana Francescato, Writers@Work Live

This section was inspired by Sara Fay Substack Writers@Work. The relevant posts can be found at

Here are opportunities for using AI in the writing process and how I have decided to live with it:

Brainstorming for ideas to write about - None. I come up with my own ideas and subjects to write about. There is so much happening in the world right now that I find no shortage of topics screaming for my attention.

Research: Yes. I use AI built into the search functions in the Brave, Edge, and Chrome browsers and related search engine sites. It is almost impossible to not use AI due to the up-front, in-your-face deployment by their respective developers. I personally review the search results for veracity and any links provided as sources.

As a subscriber to Claude.ai, Microsoft Copilot, and others in the future, I pose them questions requesting they search the web for a specific item or topic relevant to my research and specifically request links be included with the results (sometimes links are not provided). I use more than one AI during the research stage to see the differences in output when provided the same input. Once again, I personally review the source links for veracity and usefulness for my topic. Sometimes AI is just stupid!

Drafting: I request that AI provide an outline when a topic might benefit from a structured discussion. However, I use the outline as a suggestion and quite frequently deviate drastically from it. Sometimes a rough draft is requested when I get stuck looking at a blank page or the topic requires considerable research.

Macro Editing and Revision: None. I learned from Matthew Long that AI can search the web to test how ideas in my current text may have been covered by other authors; I can incorporate this capability in the future. My revision process is read and edit, walk away for some time, return to read and edit again. I execute this loop as many times as needed until the topic is covered to my satisfaction.

Fact Checking: I personally fact check the AI results I receive due to my inherent distrust of the technology, its propensity for hallucination, and the data on which the AI was trained.

Micro Editing | Copy Editing | Proofreading: I subscribe to Microsoft Office and its tools. Microsoft is placing more AI into its proofing tools (spell check, grammar check, Editor) so AI will be used to fix my spelling errors at minimum. I frequently ignore grammar "fixes" because I have intentionally chosen to dispense with a particular rule due to my own "artistic license" (insert raspberry here 😝).

As for proofreading, my lovely partner Linda Naylor fulfills that role better than any AI ever could!

Image Creation: I will occasionally use an AI-generated image, such as those made available within the Substack Post Editor with the "Insert Image" function. The majority of image uses are my own photographs or stock images licensed from an online stock image provider. For each stock image I acquire, I retain its related use license regardless of usage in publication.

Reader Data Protection: I do not use AI in any processing of reader data on or off the Substack platform. In fact, I do not process any reader data. The only reader data processed is that which is native to the Substack publisher platform commonly available to those of us who write regularly.

AI Training on my Writing: I have used the tools available to me as a Substack writer to block AI training. That does not mean all AI will be blocked. It means my intentions are published to the ubiquitous AI content scrapers and it is up to those scrapers to honor my blockage settings. There is no way for me or anyone else to block an AI content scraper that willfully ignores blockage settings (DeepSeek, we see your routine violation of our wishes).

Audio & Video: Yes. AI has excellent capabilities for voice recognition and is quite useful for transcribing audio and video programs, inserting time stamps in the transcriptions, and summarizing descriptions. My main use for this is as a consumer of audio or video programs for future commentary. In the event I undertake publication of my own audio and video programs, I will certainly use AI transcription services as the labor-savers they are intended to be.

That covers how I use AI in my writing process. You are welcome to contact me for clarification or extended discussions on this topic.

Who am I?

I spent 25 years inside the security industry — the part that serves banks, payment networks, and Fortune 100 companies. I reviewed service providers inside Visa’s compliance program. At the PCI Security Standards Council (the payments industry’s own regulator), I spent two years auditing the auditors who enforce its standards. I certified systems processing hundreds of millions of transactions daily.

I know exactly what the industry can do. After I left that world, I ran directly into the people it was ignoring: artists and media creators with real security problems and no guidance designed for them.

I’m also a creator. My father handed me my first camera at age 12. I shoot photographs, build home lab networks, and listen to music on equipment I’ve spent years obsessing over. I know what it is to care about the work before caring about the infrastructure holding it up — which is exactly why the industry’s standard guidance doesn’t fit this community. It was never written for people like us.

I write for this community at Essential Risk Management. I also advise and consult directly: specific answers, practical support, over Zoom or in person for those local to me.

Professional Certifications

You can see my photo work at my other Substack Paul's Visual Arts.

I am a Contributing Author and Photographer and amateur chef at TASTE | Pacific Northwest, Linda Naylor's food and travel Substack. Learn how I steam artichokes here.

Plain-language information security, built for the way you actually work.

Already a subscriber? Upgrade to Paid for direct access to Q&A sessions, the community, and practical tools.

Subscribe to Essential Risk Management: Cybersecurity for Creatives

I'm the practitioner the creative community trusts for straight, plain-language answers on information security.