CISO & Resilience Architect
I build the enterprise security, identity, and operational-resilience programs that regulated institutions can stake their businesses on. Twenty years defending institutions against adversaries and risk — from military intelligence to global markets to enterprise cyber and the boardroom — most of it spent turning regulatory pressure into resilience that holds under stress.
“In a world defined by interdependence and disruption, resilience is no longer a story we tell. It is a performance we deliver.”
Three ideas the architecture returns to.
The intellectual spine of twenty years of enterprise security work. Each is developed at length in the essays that follow — the shape of the argument lives here first.
Identity as a Control Plane
The identity frontier as the next architectural centre — why the Zero Trust vocabulary is a floor, not a ceiling. The plane on which every other control either holds or fails.
Architecture Determines Outcomes
What it costs when architectural assumptions about failure are wrong. The governing idea behind the framework.
Operational Resilience as Strategy
Regulation as the ground condition — and resilience as the discipline that lets an enterprise stay within tolerance through severe but plausible disruption.
Featured writing, in reading order.
Three essays, sequenced. Regulatory frame first — the brief most institutions are failing to read. Then the architectural depth the frame demands. Then the identity frontier where the next decade of liability is being written.
Operational Resilience Is Becoming the Global Regulatory Baseline
The regulatory frame — DORA, PRA, SEC — as the ground condition any enterprise-scale CISO now works inside. Read this first.
Regulation is the ground condition, not the adversary — and the architectures that read it as a brief will age the best.
When Assumptions Fail: Architecture and the Reality of Resilience
Identity as a Control Plane: The Successor to Zero Trust
The Resilience framework page sits alongside these essays — the longer argument, with the Executive Brief available there as a PDF companion.
From military-intelligence operations to commanding cyber incident response at a global bank — twenty years on the operating side of institutional risk.Read about →