
I’m Not Great at Marketing. I’m very good at Cyber security.

  • wynand83
  • 4 days ago
  • 3 min read

I’ve been meaning to write this for a while. Not because I had a content calendar, a funnel, or a marketing strategy, but because I kept having the same conversations with the same kinds of people, usually after something had already gone wrong.

  • This blog is not a sales pitch.

  • It’s not a lead magnet.

  • It’s not optimised for algorithms.

It’s simply a place where I can write down how I actually think about cybersecurity.

A quick introduction (without the brochure language)

  • I work in information security and cyber risk.

  • I’ve done this for a long time, across different industries, regulatory environments, and maturity levels.

  • Most of my work lives in the uncomfortable space between:

    • what organisations “believe” they have in place, and

    • what actually exists when systems, controls, people, and pressure are examined together.

I don’t spend much time talking about myself online. Not because I’m hiding anything, but because I’ve always been more interested in how organisations behave under stress than in how services are packaged. That said, context matters. So, this blog exists.


How I actually see cybersecurity (and why it’s often misunderstood).

Cybersecurity is often treated as:

  • a product,

  • a checklist,

  • or a compliance exercise.

In practice, it’s none of those. At its core, cybersecurity is a “risk discipline”. It’s about understanding:

  • what can fail,

  • how it will fail,

  • who is affected when it does, and

  • whether the organisation can absorb that failure without unacceptable consequences.

Most breaches I’ve investigated didn’t happen because someone “forgot a patch”. They happened because:

  • assumptions were never tested,

  • controls existed on paper but not in reality,

  • responsibilities were diffuse, or

  • governance relied on optimism rather than evidence.

These are not technical failures alone. They’re “systemic failures”.

Compliance is not the same as control, and this is where I tend to sound difficult, unintentionally.

Frameworks and standards matter. Regulatory alignment matters. Audits matter. However, none of them create security by default. For example, a documented control that:

  • isn’t implemented consistently,

  • isn’t understood by the people operating it, or

  • isn’t reviewed against real threat behaviour,

is not a control. It’s a statement of intent. Real security shows up when:

  • access is boring because it’s well-designed,

  • monitoring produces fewer alerts but better ones,

  • incidents are contained quietly instead of escalated publicly,

  • and leadership understands “why” something matters, not just “that” it exists.

That’s usually invisible work. Which may explain why it’s harder to market.


What I spend most of my time doing

The bulk of my work is not spent “implementing security”; it’s spent:

  • asking uncomfortable questions,

  • mapping dependencies people forgot about,

  • translating technical risk into business language, and

  • removing false confidence before it becomes expensive.

That means that I spend a considerable amount of time performing:

  • information security governance activities,

  • cyber risk assessments,

  • regulatory and audit support,

  • control design and validation,

  • and incident readiness (before an incident forces the issue).

If that sounds less exciting than breach simulations and zero-day headlines, that’s because it is. However, it’s where most real risk reduction happens.


Why this blog exists

I’m aware that this is not how most cybersecurity businesses introduce themselves.

  • There are no buzzwords here.

  • No “next-generation” claims.

  • No growth hacks.

This blog exists for:

  • people who want clarity rather than reassurance,

  • leaders who are tired of being told everything is “critical”, and

  • organisations that would prefer fewer surprises over louder dashboards.


If you’re looking for aggressive marketing, you won’t find it here. However, if you’re looking for careful thinking, grounded in experience and evidence, you probably will.

Final thought (and then I’ll stop talking)

Good security is calm; it doesn’t shout or panic, nor does it rely on hope. It’s designed, tested, reviewed, and quietly maintained, even when no one is watching. That’s the work I do. And this blog is simply where I explain how I think about it.

If you’d like to talk

I don’t run funnels, booking links, or automated sales journeys. If something here resonates, the easiest way to continue the conversation is simply to have one.

  • A cup of coffee,

  • A straightforward discussion, and

  • No pitch deck.

If you’re dealing with information security challenges that actually matter, the kind that sit between technology, people, regulation, and accountability, I’m always open to talking them through.

You can reach me directly:

  • WhatsApp: a direct message to my personal phone,

  • Email: a direct email, no ticketing system, and

  • Call: if it’s easier to talk than type

Lastly, there is no obligation or sales pressure. Just a conversation to see whether the problem is worth solving, and whether I’m the right person to help.

 
 
 


©2026 by Specialised Information Security Services. 
