When there are more questions than answers, I prefer to build.

When people say no, I say yes.

When there’s a shift/change/whatever-it-is-that-is-happening with technology right now in the economy and the world like the application of LLMs and other tech to everything, once again, I prefer to build.

Taking my own advice, the next chapter of my role in my dayjob is evolving, expanding from CISO to VP Engineering - Platform & Security, continuing to own the CISO responsibilities and taking on some new problem statements! (yay for learning) While leading security is no pushover for a problem statement at any size company, for me, it hasn’t felt right to limit myself to that problem statement, the needs are great in this timeline we’re in - so instead of talking about how the world is changing around me, I just started building so I could be part of the solution, admiring problems was never my favorite past time anyways.

To be clear, I love waxing poetic about the impact of technology on human behavior, economic theory, how the world is changing (or not), and assessing and analyzing that as much or more than the next person. I also feel EXTREMELY responsible to take it upon myself to practice what I preach, to stumble, learn, and fumble with what is new or different to really understand what I’m talking about.

When I started writing Much Potential, I wanted to create an outlet where I could share an ongoing dialogue, create some shared context and understanding, as much as it can spark curiousity in a person, share a perspective that may not be widely held, or challenge an assumption about technology’s role in the world.

My journey to this point, and my entire career in security are really more about my views and understanding about technology’s role in the world than it is about the technology itself. Every role I’ve ever had, I saw as an opportunity to observe, reflect, experience, and understand the innerworkings of both the technology and the people around me - individually and collectively as a system - it just fascinates me and I never get tired of it!

When I left big companies for startups, I had one thesis - what would it take to build and scale security from scratch, from the earliest stages, Seed, Series A, before you’ve gone too far and settled into your ways. Ultimately, I concluded what felt right for me was that building was the way and everything else that was conventional, “the way it’s been done” in enterprise never made sense. I imagine the large complicated processes in enterprise were meant to reflect the complexity of these environments, but over time, I think the complexity became something we worshiped and not something we managed, something we need to decompose and optimize - not admire.

There are mostly non-technical reasons that have more to do with organizational politics and inertia, human behavior, and relationships for why something is done a certain way in companies, but I wouldn’t dare misrepresent or pretend that if given the option people would want it that way. I mean, come on, WHO LIKES MBRs and QBRs? (Please comment to discuss - would love to learn about the wonders of these rituals)

Prime example: The 10 levels of approvals in ServiceNow, don’t bring me joy (s/o to Marie Kondo).

Some reflection on my journey, I’ve forever chased problems, not titles, working on the right problem > cool title on the wrong problems.

• Long long ago in a galaxy far far away, I wanted desperately to work on improving public education, as a product of K-12 public education - I volunteered with the YMCA, worked in public schools doing IT, ran academic enrichment for elementary students, served on the board of a nonprofit, went to school for poli sci and public policy. Really, I just did as many things as I could in as many ways I could think of in as many ways I was capable to tackle the problem.

• Then cybersecurity (infosec IYKYK) came along, a child hacker I was, I never cared to make computers my career, breaking things, making things, that’s all I cared about, the satisfaction was in the process as much as it was in the outcome, could I get into this network, could I get into this computer, could I get this game to work, mitigations for CVE-2003-0352 aka Blaster Worm for the family PC. One day, I was asked, would you want to come to Washington, D.C. to work on the biggest questions in cyber facing the nation? ABSOLUTELY, I SAID.

• I never felt more purposeful (and tired) working on so many cybersecurity issues in the early innings of national cyber policy. NIST CSF, US-China cyber, federal/state/local coordination, etc. etc. It was a crazy time - extremely controversial back then to propose the notion or concept of reporting requirements for any industry for that matter for anything public company related.

• Expedia Group found their way to me. They asked: Can you help us understand enterprise cyber risk? WELL SURE WHY NOT! Went from responses to members of congress and executive orders to why-do-we-have-so-many-apps (that we wrote), from C to Java, Javascript, Typescript, Scala, Scalatra, C++, .net, Go, whatever, I wish I could say in that order. Spent a whopping 5 years building security from the inside out (really felt like brick by brick), how we understood enterprise cyber risk, how we built and developed cyber capabilities, how we quantified cyber risk liabilities in M&A transactions (rapidly), transforming cyber from service-management to product management, built a super duper massive mega security architecture (to replace all the biggest vendors at the time) with some amazing people (to name a few things), then got tired of it all.

• As the company went through some turmoil at the beginning of this decade, a new problem and with a new question slapped me in the face when the Expedia Group CEO/CFO were unceremoniously let go the morning after a board meeting - How do we build a platform company out of an ecommerce and travel company? SIGN ME UP, I said and joined the Corporate Development team and then went on to lead Commercial Strategy for the Platform Tech group. We did so many things, some things worked, some things didn’t, some things were way ahead of their time, some things - who knows!? We attempted to no less than - re-platform the entire company, re-architect 25+ years of technology, rationalize $10bn+ in acquisitions and mergers, into a massive platform supporting billions and billions of travel consumed annually for a multisided marketplace for hundreds of millions of customers and millions of suppliers.

• After smashing my head against the wall, being humbled by the reluctance to act with urgency in large public companies, a new call came coming from a Series A startup, with new and old problems to solve in new places, the opportunity to ‘travel back in time’ to go back to the beginning, work on security problems again, but now at a startup before they’ve matured into something much scarier? OF COURSE. I didn’t think twice about it (as you can tell), left for a tiny company to build a security program of one. Little ol’ me. We could do it, (mind you pre-LLMs), we’d just take advantage of our relatively small scale to build a security program that focused on outcomes, not ceremony and ritual. I had never worked in startups before, I used to fancy myself a big company problem solver, now I couldn’t get enough of the urgency and clarity being in a tiny company.

• I met the founders of a pre-seed startup and took some time to get to know them, what they were trying to solve and at some point we got to a conversation… Would I consider joining them? It hadn’t crossed my mind, I wasn’t sure, since they were much too early for a CISO. We went back and forth and landed on WHY NOT, there’s no shortage of problems to solve and work on, through a lengthy process of discovery, building shared understanding and context, back and forth with others on the leadership team, the board, we landed on me joining to build the North America Partnerships motion from scratch before taking on the CISO scope as we grew more than 3x/year, many challenges, so much to learn! I had never done partnerships before, but in hindsight, very glad I took the plunge.

So many stories all along the way, so many people I’ve learned so much from - if you ever hangout with me, can talk your ear off with many an entertaining and absurd story.

The journey’s been filled with sidequests too. More to come on that in Pt. 2 and what I’m building and focused on next.