Before I spent my days advising executives on risk strategy, I spent years building a cybersecurity company from a two-person operation into a business that served thousands of clients. The experience changed how I think about risk in ways that no certification program or conference talk ever could. When you're responsible for making payroll, keeping clients safe, and growing a company simultaneously, your relationship with risk becomes deeply personal and intensely practical.
The most important lesson was this: risk is not something you eliminate. It's something you navigate. Every business decision—hiring a new engineer, entering a new market, taking on a large client—carries risk. The goal is never zero risk. The goal is informed risk-taking with proportional safeguards and honest assessment of what could go wrong. This mindset is exactly what's missing from most enterprise security programs, which still operate as if the objective is to prevent all bad things from happening.
Running a company also taught me that trust is the most valuable and most fragile asset in cybersecurity. Clients trusted us with their worst moments—ransomware attacks, data breaches, operational crises. That trust wasn't earned through marketing or credentials. It was earned through transparency, competence under pressure, and the willingness to say 'I don't know yet, but here's what we're doing to find out.' Those principles guide everything I do today.