Notes on things I am learning, thinking about, and trying to understand better. Mostly centered on security engineering, distributed systems, program management craft, and the intersection of AI with all of the above.
This is not a polished reference library. It is a working notebook made public on the theory that thinking out loud is more useful than thinking in private - for me and occasionally for whoever stumbles across it.
Some of this will be wrong. Some of it will get updated as I learn better. That is the point.
| Note | What It Covers |
|---|---|
| System Design Concepts for Security TPMs | Working notes on the distributed systems and security concepts that come up most in large-scale platform security programs - encryption, PKI, TLS, zero trust, compliance frameworks, and emerging AI security considerations. Written from a TPM perspective: enough to be useful in the room, not a deep implementation guide. |
| Cryptography Fundamentals for TPMs | Symmetric and asymmetric encryption, hashing, digital signatures, certificates and PKI, key management, deprecated algorithms, and the questions worth asking during technical reviews. Written for TPMs who need to understand what the engineering team is building without becoming cryptographers. |
| Note | What It Covers |
|---|---|
| TPM Craft: Notes on Running Programs at Scale | Things learned running security, infrastructure, and compliance programs at enterprise scale that are not in any certification curriculum. On starting programs, planning, execution, stakeholders, teams, reporting, and finishing. Updated as the work teaches new things. |
| Program Management for Career Changers | A practical PM introduction for people coming in from other fields. The vocabulary, the lifecycle, the skills that actually matter, and how to get your first role - without the jargon and theory that make most PM training materials difficult to use. Developed from teaching professional skills to Year Up students. |
| Note | What It Covers |
|---|---|
| SANS LDR553: Cyber Incident Management | Notes from completing SANS LDR553, taught by Steve Armstrong-Godwin. The course is not about technical IR - it is about leading the humans in the room when facts are incomplete and executives are impatient. Covers the 3 Whats executive briefing format, uncertainty discipline, credential blast-radius thinking, supplier incident management, and the GenAI component. Includes a summary of the capstone playbook produced during the course. |
| Folder | What It Contains |
|---|---|
| year-up/ | Teaching materials from my time as a volunteer instructor with Year Up, a workforce development program for young adults entering tech careers. Four slide decks from the ProSkills and Project Prep curriculum (Fall 2015 and Fall 2016 cohorts). The Thanksgiving deck in this folder is the original source for the rebuilt PM: A Thanksgiving Story in tpm-templates. See the year-up README for full context. |
| Note | What It Will Cover |
|---|---|
| Identity and Access Management Concepts | Authentication vs. authorization, OAuth, SAML, MFA, privileged access management - the concepts behind IAM programs |
| Cloud Security Architecture | Shared responsibility model, cloud-native security controls, multi-cloud security considerations - what changes when the infrastructure is someone else's |
| AI/ML Security: A TPM's Field Guide | Prompt injection, training data exposure, model governance, the emerging compliance landscape for AI systems - notes from the current frontier |
| Note | What It Will Cover |
|---|---|
| Book Notes: An Elegant Puzzle | Will Larson's systems-oriented approach to engineering management - useful reading for TPMs thinking about organizational scale |
| Book Notes: Staff Engineer | Tanya Reilly's framework for operating at senior individual contributor level - relevant for TPMs thinking about influence without authority |
| Lessons from Leading Large-Scale Encryption Programs | Patterns and anti-patterns from running encryption modernization at scale - what works, what does not, and what nobody tells you at the start |
| Working with Compliance Teams | How to build a productive working relationship with GRC, what they need from you, and how to avoid the most common friction points |
The job of a Technical Program Manager in security is to sit at the intersection of three things that do not naturally talk to each other: engineering teams who think in systems and code, compliance and legal teams who think in requirements and controls, and executive stakeholders who think in outcomes and risk.
Being effective at that intersection requires more than process skills. It requires enough technical fluency to understand what the engineering team is building and why it matters, enough compliance literacy to know when a regulatory requirement changes the plan, and enough domain knowledge to make the tradeoffs visible to the people who need to make decisions.
These notes are how I build and maintain that fluency. They are written for TPMs, not engineers - the goal is practical understanding, not implementation depth.
Security and AI are fast-moving fields. Notes here reflect my understanding at the time they were written. Where I know something has changed, I will update it. Where I am uncertain, I will say so.
If something here is wrong or outdated, open an issue. Getting it right is more important than being right the first time.
Maintained by Eric White | ChefPlex