Writing
Searchable posts on AI governance, security, leadership, and platform engineering.
Featured
Your Security Program Is a Sales Asset. Start Treating It Like One.
Why provable security closes deals in regulated industries — and why the next budget conversation should lead with revenue, not fear.
AWS Cost Levers That Actually Moved the Needle
Cutting ~35% off a multi-region AWS footprint with no capability loss — the levers in the order they paid back, best first.
More posts
Ransomware Recovery Is a Backups-You've-Tested Problem
Everyone has backups. Almost nobody has a restore they've actually run under fire. That gap is where ransomware turns a bad week into an existential one.
Make the Next Audit Boring: PCI and SOC Evidence as Code
Audits feel like fire drills because we treat evidence as something we go find later. Machine-readable SOC reports and modern PCI cryptography requirements finally let us wire proof into the pipeline instead.
Start Your Post-Quantum Migration in 2026, Not 2030
Post-quantum cryptography stopped being a research project and became a config task. The teams that win aren't waiting for a quantum computer — they're waiting for nothing.
Thousands of Accounts, a Three-Person Platform Team: Guardrails at Scale
A lean team can govern a sprawling cloud estate without becoming a ticket queue — but only if you put the rules in the pipeline, not in your inbox.
Context Lock-In Is the Next Vendor-Risk Line Item
Everyone negotiated data egress and capacity in their AI contracts. Almost nobody negotiated for the prompts, context, and memory that quietly became the real switching cost.
WAF in the Agent Era: Telling Good Bots From Abuse Without Blocking Customers
Agents are now real customers hitting your edge with real economics. The old bot question — human or machine? — is the wrong one. Here's the question that actually matters.
One Pane, Many Clouds: Consolidate SecOps on OCSF Instead of Buying Another Aggregator
Dashboard sprawl isn't a tooling gap you fix by buying more tooling. It's a schema problem. Standardize the data, and the single pane of glass stops being a slide and starts being real.
From Cluster Autoscaler to Karpenter Across a Fleet: What Actually Breaks
Karpenter is the right call for most EKS shops. But the migration breaks things that have nothing to do with autoscaling — and a lean platform team should know exactly what those are before flipping the switch.
Autonomous Pentesting Went GA. Should a Regulated Shop Turn It Loose?
A tool that scans and exploits your own estate on its own schedule is a gift and a loaded gun. Here's the scoping, approvals, and evidence I'd want before I let one run.
The Eight-Domain Azure Security Review for Regulated Environments
An automated tool scores your Azure posture; an assessor walks your architecture. The eight domains I review, in the order an audit walks them, and the evidence each one has to produce.
Zero-Downtime Database Changes Are a Process, Not a Feature
AWS will sell you blue/green and serverless Aurora as if they make migrations safe. They don't. The runbook does. Here's the boring discipline that keeps schema changes from becoming incidents.
Aurora DSQL for the Ledger: Active-Active Without the War Stories
Multi-region active-active sounds like the answer to every ledger nightmare. Before you bet the books on it, interrogate the consistency, the recovery math, and the migration you are actually signing up for.
Get Authorization Out of Your App Code: Fine-Grained Authz for Fintech APIs
Authorization scattered across your codebase isn't a feature — it's a liability you can't prove. Here's the pattern multi-tenant regulated platforms actually need.
MCP Is a New Attack Surface: An Operator's IAM Playbook
Every MCP server you stand up is a new identity reaching into your cloud. The control that decides whether that's leverage or liability isn't the model — it's least-privilege IAM on every tool call.
The Audit Passed in March. Is It Still True?
Point-in-time certification is the floor, not the goal. The case for continuous assurance over annual audits.
How to Survive an FFIEC Exam (and Make Your Banking Partners Trust You)
An exam isn't a pop quiz you cram for. It's a referenceable proof of control — and if you run it right, your examiner's findings become your best sales collateral.
PCI DSS 4.0 Without the Last-Minute Scramble
PCI DSS 4.0 didn't add a longer checklist — it changed who has to do the thinking. Here's how to bake the new continuous-control expectations into engineering instead of cramming for the audit.
How to Report Risk to People Who Don't Speak Security
Translating security for boards and investors — the three questions leadership actually asks, and how to answer them.
Data Privacy Is an Operations Problem, Not a Policy PDF
Every AI privacy promise rests on unglamorous plumbing — consumer-rights workflows, retention, DLP — that someone has to actually run. Treat privacy like an operating program, not a document you renew once a year.
An SBOM Nobody Reads Is Just Compliance Cosplay
Generating a software bill of materials is the easy part. Wiring it into the moment a change actually ships is where supply-chain security stops being theater and starts being a control.
Warm Standby Is a Promise You Have to Test
A disaster recovery plan you have never exercised is not a plan. It is a hypothesis with a logo on it.
Build a Threat-Intelligence Program Your Sales Team Will Brag About
Most threat intel dies as a PDF nobody reads. Done right, it sharpens your defense and becomes something your account team actually wants to put in front of a customer.
Security and DevOps Under One Roof: Why I Stopped Apologizing for It
The case for the dual mandate, and why org-chart distance doesn't create security.
Tabletops That Find Real Gaps, Not Ones That Flatter the Plan
Most incident tabletops are theater that confirms what the runbook already says. The useful ones break your assumptions and expose who actually gets to decide — before a real incident does it for you.
Your SOC Metrics Are Vanity Until They Change a Decision
MTTD and MTTR look great on a slide and tell you almost nothing. The only metric that matters is whether it changed what someone did next.
Third-Party Risk When You ARE the Third Party
Serving 1,500+ financial institutions means their vendor-risk teams audit you constantly. Done right, that scrutiny stops being overhead and becomes the fastest way to close your next deal.
Capital Allocation Governance: The Framework Companies Build Too Late
Mid-market capital allocation is rarely a strategy — it's individual capex, M&A, and debt decisions made in isolation. The governance framework that makes it programmatic.
Zero Trust for Humans: Just-in-Time Access Without the Help-Desk Revolt
Everyone's obsessing over non-human identity right now. Meanwhile your actual humans are sitting on standing admin rights — and the fix only works if people will actually use it.
The First 24 Hours: An Incident Response Runbook You'll Actually Use
Most incident response plans are binders nobody opens at 2 a.m. Here's what actually has to happen in the opening day of a breach — roles, decision rights, evidence, and a comms cadence that keeps the grown-ups out of your way.
The First 90 Days as a New Security Leader (When There's No Program Yet)
You were hired to build a security function from nothing. The trap isn't moving too slow — it's freezing the business while you try to make it perfect. Here's how to triage, ship quick wins, and earn the budget to actually build.
Board Reporting That Drives Decisions, Not Status Updates
The fifty-page board pre-read is the artifact most responsible for meetings that produce no decisions. Three sections fix it.
The First 100 Days: A Post-Close Cyber Integration Playbook
The post-close decade is decided in the first 100 days. The eight cyber controls to ship by day 30, and the identity-sprawl audit every exit diligence will run.
Cloud FinOps for the Mid-Market: Where 25–40% of Spend Actually Hides
The press-release version of cloud savings cancels workloads and books compliance debt. The version that lasts is commitment management and SaaS rationalization.
