Leadership, February 2026

What Running a Cybersecurity Company Taught Me About Risk

Risk looks neat in frameworks but messy in reality. I learned this by building a company, serving clients in crisis, and making decisions with real consequences, ready or not. That experience changed how I think about cybersecurity, as it forced me to face risk at the decision point, under pressure, with stakes attached.

Before leading enterprise security and AI initiatives, I built a cybersecurity company from a two-person operation into one serving thousands of clients. Being responsible for growth, delivery, and cash flow made risk concrete, a daily part of operating the business.

Why this matters

Many security conversations still frame risk as something the organization is supposed to eliminate. That sounds disciplined, but it does not survive contact with reality. Businesses do not function by removing uncertainty from every decision. They function by understanding which risks are worth taking, which are not, and what safeguards are proportionate to the consequences.

That distinction matters because many security programs still produce activity without producing clarity. They generate dashboards, findings, policy language, and long roadmaps, yet still struggle to help the business answer the only question that really matters: "What deserves attention now, and why?"

The goal is not zero risk. The goal is to make informed, proportionate, and defensible decisions when the pressure rises.

What running a company changed for me

Running a company changed my relationship with risk very quickly, making the stakes personal and practical. I was not looking at exposure through a narrow technical lens. I was looking at it through the lens of client confidence, business continuity, team capacity, timing, and the cost of being wrong.

The first thing that changed was how I thought about uncertainty. I stopped seeing risk as something that could be solved once and moved past. In business, that illusion disappears fast. Hiring too slowly creates one kind of exposure, while hiring too fast creates another. Expanding into a new market can create opportunity and strain at the same time. A careful decision can protect the business in one area while quietly limiting it in another.

Cybersecurity is similar. Mature security means seeing where exposure matters most, reducing it where it counts, and being honest about what remains.

The second thing I learned was that prioritization is where leadership shows up. When you are building a company, almost everything can be framed as urgent. If you let urgency drive every decision, you end up reacting to noise rather than leading through consequences. That same problem exists in security. A long list of findings is not a strategy. A crowded roadmap is not the same thing as direction. And a program that treats every issue as equally critical usually proves only that it cannot distinguish between what is visible and what is material.

The third lesson was about credibility. Clients did not come to us in difficult moments because they wanted polished language or the performance of certainty. They wanted competence, honesty, and direction. They wanted to know what we knew, what we did not know yet, and what happened next. In my experience, that is where confidence is built, not through perfect answers, but through clear judgment under pressure.

The point most leaders still miss

One of the biggest mistakes I see is that organizations ask how to remove risk rather than how to understand it well enough to make better decisions.

That may sound like a small distinction, but it changes the entire posture of a security program.

When leaders focus on reducing risk, they create broad controls and defensive thinking, resulting in work that sounds serious but lacks clarity. When they shift to understanding and managing material risk, the conversation becomes about consequence, tradeoffs, and decision-making—a far more useful standard.

It also forces an unpleasant truth into the open: not every risk deserves the same response, and not every strong-sounding control is operationally wise. A control may be technically correct and still be wrong for the business if it creates friction the organization will not sustain, arrives too late to matter, or ignores how work is actually being done.

That is why I have become increasingly skeptical of security work that cannot answer one basic question: What does this change in practice for the business?

If the answer is vague, the value usually is too.

When False Certainty Feels Safer Than Trust

One case from those years running the business still stays with me because it made risk feel brutally personal. A small business owner was preparing to take out a second mortgage on his home to pay a ransomware demand because the encrypted files were critical to his business. We believed we had the in-house expertise to recover the files ourselves, but we could not guarantee it. He had not approved our services, and from his perspective, the attackers seemed to offer the only thing that mattered at that moment: certainty. It was false certainty, but when someone feels cornered, false certainty can be more persuasive than honest doubt.

We decided to keep working on the case anyway. We were willing to absorb the cost of our malware researcher's time, even if we failed and were never paid, because we knew that once the ransom was sent, the decision would be irreversible. We stayed on it and recovered the files just in time. What stuck with me was not only that we solved the technical problem. It was that the real contest was between trust and desperation. The client was not choosing between the hackers and us because he trusted them more.

He chose the option that seemed more certain while everything around him was collapsing.

That experience sharpened something I still believe now: in cybersecurity, trust is not built when things are calm. It is built when people see that your judgment, transparency, and willingness to carry risk hold up under pressure.

Where “radical transparency” sharpened the lesson

At one point in that journey, reading Ray Dalio's Principles gave language to something I had already been learning the hard way. His emphasis on trust and radical transparency stayed with me because it reinforced what I had seen in real operating environments: people can handle difficult reality far better than they can handle confusion, half-truths, or performative certainty.

That idea mattered to me because cybersecurity is full of moments where leaders are tempted to soften the truth, delay clarity, or hide behind jargon until they have a cleaner story to tell. I have found the opposite works better. When the situation is serious, credibility comes from surfacing reality early, being direct about uncertainty, and making the next decision clearer instead of trying to look flawless.

To me, that is where transparency becomes practical rather than philosophical. It is not about oversharing. It is about building enough confidence in the decision-making process that people believe the organization can deal with reality as it is.

What a practical approach looks like

The most useful risk programs I have seen do not start by trying to cover everything. They start by clarifying what actually matters.

First, define the outcomes the business cannot afford to lose. That might be operational uptime, customer confidence, recovery capability, safety, revenue continuity, or strategic execution. If those priorities are unclear, risk conversations quickly become generic.

Second, assess exposure by consequence, not by volume. Not every issue carries the same business weight, nor does every signal deserve the same level of attention. Some problems are loud but manageable. Others are quieter and far more serious. Good leadership depends on being able to tell the difference.

Third, choose safeguards that are proportional and sustainable. Some programs overcorrect by reaching for the strongest possible control without accounting for how work actually gets done. Others underreact because they are trying to avoid friction. Neither is especially mature. The right answer is usually the one that reflects the consequence, the likelihood, the operating environment, and the business's actual ability to sustain control over time.

Fourth, explain tradeoffs plainly. One of the most valuable things a security leader can do is remove confusion. That means being able to explain the issue, why it matters, the realistic options, and what each option changes. When security can do that well, it becomes easier for the business to act with confidence rather than react to fear.

Where I landed

Building a cybersecurity company taught me that risk is not something to fear or something to perform against. It is something to understand well enough to navigate with clarity, proportionality, and credibility.

That lesson shaped how I operated then, and it still shapes how I lead now. I think like a business owner first and a technologist second, not because technology matters less, but because security only becomes valuable when it helps the business make better decisions in the real world.

Risk is not to be eliminated, but understood and managed to maintain focus, credibility, and resilience.