
Announcements

Starting the Conversation

Jean-Baptiste Garry

Most security writing on the internet falls into two camps: vendor blog posts that pitch a product, or compliance checklists that tell you what to do without explaining why. Neither is particularly useful when you're a 30-person startup trying to close an enterprise deal and figure out SOC 2 at the same time.

This blog is an attempt at the third option: notes from the field. Short, opinionated, and written from the perspective of someone who has sat in the CISO chair, shipped AI systems, and walked companies through audits.

What to expect

A few directions I want to explore:

  • Interim CISO work — how to scope it, when it's the right fit, what a first 90 days actually looks like.
  • AI and ML security — practical threat modeling for the systems teams are shipping now, not hypothetical attacks from three years ago.
  • Compliance that doesn't stall a business — SOC 2, ISO 27001, and GDPR, treated as engineering problems rather than paperwork exercises.
  • Things I'm wrong about — I'll try to keep the posts honest, including when a previous take has aged poorly.

Posts will be short on purpose. If a topic needs 3,000 words, it usually means I haven't thought it through yet.

Who this is for

Founders, heads of engineering, and security leads at growing tech companies — the people who have to make pragmatic calls with incomplete information. If any of that sounds like you and you'd like to talk through a specific problem, book a call. The first 30 minutes are on me.

— Jean-Baptiste
