Most companies don’t think about security until something breaks. A deal stalls when a prospect asks for a certification no one planned for. An auditor shows up, and the team realizes their “security program” is a Google Doc from two years ago. A board member asks, “Are we compliant?” and the room goes quiet.

I’ve spent most of my career on the other side of that silence.


My career has been in cloud infrastructure and security, building the systems that keep organizations running and the compliance frameworks that prove it. I’ve worked through ISO 27001 implementations and navigated the gap between what auditors ask for and what engineering teams actually build.

The pattern I keep coming back to is the same everywhere. The hardest part of security isn’t the technology. It’s getting smart, busy people to take it seriously before something breaks.

I learned that while building Wave Health, a patient-reported outcomes platform for oncology. Cedars-Sinai ranked the app #1 in a published review. When clinicians and patients trust you with their data, compliance becomes more than a checkbox exercise. It becomes personal. The PRO-WAVE1 study was eventually published in ESMO’s Real World Data and Digital Oncology journal, but what stuck with me wasn’t the publication. It was the realization that the most effective security programs are the ones nobody notices because they’re woven into how people already work.

Security and compliance teams operate in one world. Engineering operates in another. Leadership gets a dashboard that tells them everything is green. And somewhere in between, the real risk picture gets lost.


Compliance doesn’t have to slow a company down. When it works, it’s invisible, built into how the team already operates. When it doesn’t, your best engineer is mass-updating spreadsheets instead of shipping features.

Most of what I write here lives in that gap. The distance between how compliance actually works at growing companies and how it should. The stuff that’s obvious in hindsight but easy to miss when you’re moving fast.


I publish here when I have something worth saying.