About
I created this space to document lessons from more than two decades working in information security, governance, and risk leadership.
Over the years, I have served as a Chief Information Security Officer and led risk and compliance functions across regulated and technology-driven environments. Those roles exposed me to something consistent: organizations rarely struggle because they lack frameworks. They struggle because they lack clarity.
Security becomes complicated when it is disconnected from decision-making.
My work has always focused on aligning security with business reality, not theoretical maturity models, not vendor-driven narratives, and not audit checklists detached from operational context. I have built security programs from the ground up, reduced unnecessary complexity, and guided organizations through demanding regulatory environments, including SOC 2, PCI-DSS, ISO standards, HIPAA, GDPR, PIPEDA and CMMC.
Certifications matter. But resilience matters more.
A passed audit does not prove a program works. It proves that evidence was collected.
Through executive leadership roles and advisory engagements, I have learned that sustainable security is built through disciplined governance, proportionate controls, and leadership ownership. When accountability is delegated without understanding, compliance becomes fragile.
This site reflects that philosophy.
It is not a marketing vehicle. It is a ledger of practical insight, informed by real audits, real incidents, real regulatory pressure, and real executive responsibility.
Core Beliefs
- Integrity is non-negotiable. Advice must remain independent, even when it is inconvenient.
- Partnership drives progress. Security imposed without context rarely survives.
- Pragmatism outperforms perfection. Controls must be defensible, operable, and sustainable.
Security is not a technical function alone. It is a governance discipline. When leaders treat it that way, outcomes change.