Articles
Security leadership insights for scaling startups

How to make your first security hire and not regret it
The hire that succeeds isn't just about finding the right person but about being ready for them.

Security leadership is an executive function, not a technical one
It requires business judgment, communication skill, and technical credibility in roughly equal measure. Here's how to recognise it.

When to pursue security certification
Everyone says you need SOC2. The question is when, which one, and how to avoid building something you can't maintain.

Your first security hire will fail, and it's a management problem
You hired the right person and handed them an impossible job. Here's what to get right before you hire.

What does good security actually look like?
You achieved SOC2. You run pen tests. Does that mean you're secure?

How much does a security diligence train crash actually cost?
The security conversations that are costing you deals, terms, and credibility don't show up in any report.

The three questions that matter for security
Most founders are making security decisions every week. They just don't know it.

What a fractional CISO actually does at a scaling startup
A practical guide for founders and CTOs evaluating whether fractional security leadership is the right move for their stage.

Security Questionnaires
Why your sales team is your best security questionnaire tool.

Is my security team drowning? What can I do about it?
The signs were there months ago. Here's how to read them, and what your options actually are.

Governance as code
Your engineers define infrastructure as code. Your security governance lives in a Word document. The four-layer model makes it possible to close that gap.

From intention to impact: a four-layer model for security governance documentation
Four layers, four audiences, invariants at every level. A model for documentation that steers choices and tells you whether operations are effective.

What's wrong with security governance documentation
Security governance documentation should steer security choices and tell you whether operations are effective. In practice, it does neither.