Most companies don’t think about security until something breaks. A deal stalls when a prospect asks for a certification no one planned for. An auditor shows up, and the team realizes their “security program” is a Google Doc from two years ago. A board member asks, “Are we compliant?” and the room goes quiet.

I’ve spent most of my career on the other side of that silence.


My career has been in cloud infrastructure and security, building the systems that keep organizations running and the compliance frameworks that prove it. I’ve worked through ISO 27001 implementations and navigated the gap between what auditors ask for and what engineering teams actually build.

The pattern I keep coming back to is the same everywhere. The hardest part of security isn’t the technology. It’s getting smart, busy people to take it seriously before something breaks.

Security and compliance teams operate in one world. Engineering operates in another. Leadership gets a dashboard that tells them everything is green. And somewhere in between, the real risk picture gets lost.


Compliance doesn’t have to slow a company down. When it works, it’s invisible: built into how the team already operates. When it doesn’t, your best engineer is mass-updating spreadsheets instead of shipping features.

Most of what I write here lives in that gap. The distance between how compliance actually works at growing companies and how it should. The stuff that’s obvious in hindsight but easy to miss when you’re moving fast.


I publish here when I have something worth saying.