CTO Input

We deliver strategic executive expertise which helps growing businesses scale smarter, improve customer experiences, and innovate faster.

We create tailored technology strategies that drive growth, and streamline operations for sustainable success.

05/06/2026

Your cyber problem might be smaller than your reporting problem. If the board cannot make a decision from the update, the update failed.

Most CISOs talk in controls, coverage, and vulnerability counts. Boards govern revenue, downtime, legal exposure, trust, and timing. That language gap creates “green dashboards” and weak oversight at the same time.

I wrote this article to show how to bridge the gap with a simple, decision-shaped format. What changed, why it matters, who owns it, what decision is needed, and by when.

Why Your CISO Is Speaking a Language Your Board Never Learned

Plain-English oversight for boards, CEOs, and security leaders who need better decisions, not more noise. You're under more pressure than you were a year ago.

12/18/2025

Turn vendor risk into strategic advantage.

Stop reactive management. The iRobot case provides lessons to shift from vulnerability to true control. Build durability and compounding value.

I've watched technology companies handle risk for twenty years. Usually, it's margin compression or a supply chain hiccup.
iRobot hit everything at once.

The company behind Roomba didn't just have a bad year. They filed for Chapter 11 because their primary manufacturer became their owner.

Picea Robotics bought $190.7 million of iRobot's debt.
Combine that with the manufacturing costs already owed, and suddenly your supplier is your biggest creditor. That is the moment you lose all negotiating power. You aren't partners anymore. You're captive.

It’s a brutal lesson in concentrated dependency.

They bet their survival on an Amazon acquisition. Regulators killed it.
They moved to Vietnam to escape tariffs. Then Vietnam got hit with new 46% tariffs.
They fought a price war they couldn't win.

Most mid-market leaders are walking into this same trap right now.
We track customer concentration with obsessive detail. But we rarely look at vendor concentration with the same rigor.

You might not manufacture robots. But do you have a cloud provider that holds the keys to your entire operation? A single software vendor with no exportable data format?

If they go down, do you go down?

We run a Dependency Audit for this reason. It's not complicated, but it is uncomfortable. You take your highest-revenue product and map every single dependency required to ship it.
Then you answer three questions.

-> What is the financial impact if this fails?
-> What is the specific alternative? (Name the vendor. Not "we'll figure it out.")
-> How long does it take to switch?

iRobot couldn't answer those questions. Now Picea owns 100% of the equity.

Don't let dependency become control. Diversification costs money, sure. But concentration risk ends the business.

Does your board know your top three dependency risks?

Hit Like & Comment "Audit" if you want to see the questions we use to vet these risks.

12/18/2025

I built vendor governance for justice tech.

If you're leading technology for a court or corrections agency and your vendor contracts don't explicitly define incident notification timelines, audit rights, and strict data handling requirements...

You aren't managing vendors.
You're hoping.

I help justice organizations build governance that protects sensitive case data without slowing down operations. Because we know the docket doesn't wait for compliance checks.

The biggest risk isn't usually the technology itself. It's the gaps in the paperwork that leave you blind when something goes wrong.

I use a specific risk assessment framework with my clients to close those gaps. It forces clarity on the things that actually matter when you're dealing with sensitive justice data:

-> Exact notification windows (in hours)
-> Unrestricted audit rights
-> Data destruction validation

Happy to send over the framework I use with courts and corrections agencies if it helps you lock things down.

Drop a like if you agree that "standard" contracts rarely cover the real risks in our sector.

12/17/2025

One question reveals your hidden data risk.

The Coupang breach exposed 33.7 million accounts.
It wasn't a complex hack. A former employee just... kept an active authentication token. For months.

That's it.

Justice organizations and businesses face this exact risk every time a vendor changes hands. When your court records provider gets acquired or that dev agency rotates their staff, do you actually know who still has access?

Most don't.

We tend to think "access revoked" means the user is gone.
But modern systems don't just run on usernames. They run on API keys. Persistent tokens. Service accounts that sit there, quietly active, long after the human contract is signed off.

If you don't check, you are leaving the door open.
Here is the one question that reveals your exposure during a transition:

> "Show me the timestamped log where the API tokens and service accounts were rotated."

If they can't produce the log, the access is likely still there.
Don't accept "we took care of it."
Demand the evidence.

This is basic security hygiene.

How often do you audit your non-human access points?

Drop a "👋" if you've ever found an old vendor account still active months later.
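The post's one question is about evidence: a timestamped record that every non-human credential a departing vendor could use was rotated after the handover. The script below is an added example, not part of the original post; it checks a constructed credential inventory against constructed rotation log lines (format assumed here: `<ISO timestamp> rotated <credential-id>`) and lists the credentials with no rotation logged since the transition date.

```python
"""Added example: find non-human credentials with no rotation evidence
after a vendor transition. Inventory, log format and dates are constructed."""
from datetime import datetime, timezone

# Constructed date of the vendor handover
TRANSITION = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Constructed inventory of credentials the outgoing vendor could still hold
INVENTORY = [
    {"id": "svc-court-records-sync", "kind": "service_account", "vendor": "OldRecordsCo"},
    {"id": "api-dev-agency-deploy", "kind": "api_key", "vendor": "DevAgency"},
    {"id": "svc-donor-export", "kind": "service_account", "vendor": "DevAgency"},
    {"id": "api-analytics-ingest", "kind": "api_key", "vendor": "OldRecordsCo"},
]

# Constructed log: one rotation predates the handover, one credential is never rotated
ROTATION_LOG = """\
2025-09-14T08:02:11Z rotated api-analytics-ingest
2025-11-03T17:45:09Z rotated svc-court-records-sync
2025-11-04T09:12:30Z rotated api-dev-agency-deploy
"""


def parse_log(text):
    """Return {credential-id: latest rotation timestamp} from the assumed log format."""
    latest = {}
    for line in text.splitlines():
        ts, action, cred = line.split()
        if action != "rotated":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if cred not in latest or when > latest[cred]:
            latest[cred] = when
    return latest


def unrotated_since(inventory, log_text, cutoff):
    """Credentials lacking a rotation entry at or after the cutoff.
    A rotation before the handover is treated as no evidence at all."""
    latest = parse_log(log_text)
    findings = []
    for cred in inventory:
        when = latest.get(cred["id"])
        if when is None:
            findings.append((cred["id"], "no rotation logged"))
        elif when < cutoff:
            findings.append((cred["id"], f"last rotated {when.date()}, before handover"))
    return findings


if __name__ == "__main__":
    for cred_id, reason in unrotated_since(INVENTORY, ROTATION_LOG, TRANSITION):
        print(f"{cred_id}: {reason}")
```

Anything the script lists is a credential for which "we took care of it" has no evidence behind it; the inventory itself has to come from the vendor's offboarding records, which is the harder half of the audit.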

12/17/2025

What SOC 2 doesn't tell you about risk.

You have the SOC 2 report. But what critical details about your vendor's actual security practices are missing? They are vital to stopping breaches.

I see organizations ask for SOC 2 reports like they are a magic shield. It feels safe to check that box. But a SOC 2 only proves a vendor passed an audit at a single point in time. It does not prove they can protect your data right now.

The Coupang breach happened at a company with certifications. The OpenAI-Mixpanel incident exposed metadata from a certified analytics provider.

They had the paperwork. They still had the breach.

Compliance is a baseline. Protection is different. Protection is operational.

If you want to know if a vendor is actually safe, you have to look past the PDF. You need to verify if they have the discipline to catch a problem before it becomes a headline.

Ask these questions instead:

-> What's your mean time to detect?
-> How exactly do you handle access when employees leave?
-> When was the last manual penetration test?

These answers tell you if they are watching the shop or just passing audits.

Speed and controls matter more than badges.

Like if you prefer operational truth over paper safety.

12/16/2025

Stop valuing vendors by contract size.
Your procurement process values new contracts over actual risk. The real threat isn't the cost of a vendor, but their access to your critical data.

I've watched justice organizations spend six months agonizing over a $50K software purchase. Meanwhile, they're auto-renewing a $200K contract with a vendor they haven't audited in years.

The process is broken because it optimizes for the new. It completely ignores the vendors already inside your walls.

We end up treating the company selling office furniture with the same scrutiny as the one holding defendant records. Actually, sometimes the furniture guy gets more attention just because his contract hit a specific dollar threshold.

Here is the framework I use to flip that priority:

-> Map every existing vendor by data access, not contract value
-> Identify exactly who holds the keys to the castle
-> Ignore the price tag

The vendor with access to defendant records matters more. Always. Even if they cost half as much as the cleaning service.

When you look at risk through the lens of data access rather than dollars spent, you start seeing the holes immediately. It’s alarming how open some back doors are just because the contract value didn't trigger a review.

Fix the focus.

What do you think? Are you auditing based on spend or access?

Hit Like & Comment if you'd rather be safe than just "under budget."

12/16/2025

Goldratt's Theory of Constraints changed manufacturing. Now, apply it to AI. Manage AI systems around constraints, not assumptions, and watch performance and value skyrocket. Proven results show a 32% cloud cost reduction in 90 days.

Stop optimizing everything.

That is the mistake I see boards making repeatedly. They push for "AI everywhere," thinking volume equals value. But in manufacturing—and in software—if you optimize a step that isn't the bottleneck, you haven't improved speed. You've just created expensive waste.

In the physical world, we call this inventory. Piles of parts waiting for assembly.

In our world, it's digital inventory.

Prototypes that never ship. Dashboards nobody looks at. Complex agent workflows that stall because the data foundation is dirty. That isn't innovation. It is operating expense that sits there and rots.

Goldratt’s logic is simple: Find the constraint.

It is rarely that you lack compute power. It is usually something human. Decision latency, slow drafting cycles, or maybe a legal team that is drowning in contract reviews.

Once you name it, you put the AI right there. Nowhere else.

> If legal review is the constraint, don't give them a generic chat tool. Build a governed workflow that drafts the boring clauses so the lawyers only review the high-risk exceptions.

> If the constraint is knowledge transfer, stop building creative bots. Build retrieval systems (RAG) that cut search time by 50%.

Everything else is noise. Subordinate the rest of the system to that bottleneck.

A fast engineering team does not help you if the Product Manager is the bottleneck on requirements. You just get a pile of code waiting for a green light. That is classic local optimization.

Ask your team one thing.

"Did this tool reduce the time our bottleneck spends per unit of output?"

If they can't answer that, pause the budget.

What is the single biggest bottleneck in your org right now?

Agree? Like and share if you think we have too much AI inventory and not enough flow.

12/16/2025

Transform legal aid with unified CRM.

Stop wrestling with fragmented client and donor data.
I see too many legal aid organizations running in two completely different worlds. The attorneys live in case management tools. The development team lives in a donor database.

And they rarely speak to each other.

That silence is expensive.
It slows down funding because you can’t map dollars to specific outcomes. It forces smart people to do dumb data entry.

When you integrate them—strategically—you stop chasing paperwork and start proving value.

-> Automate the handoff from intake to donor reporting
-> Show exactly where the funding went with real-time data
-> Cut the administrative overhead that burns out your staff

You don't need more complex software. You need less friction.
The goal is simple. Give hours back to attorneys so they can actually help people.
That is the metric that matters.

Are your systems talking or fighting? Like & Comment if you’re ready for less noise... 🚀

12/08/2025

Why Most Digital Roadmaps Fail In Year Two (And How To Protect Yours)

You are a CEO or founder who is spending more on tech and getting less back. Year one of your digital roadmap looked good. New tools went live, dashboards appeared, vendors were upbeat, your team felt like things were finally moving. Now you are in year two, costs are up, projects are stuck, and the board is asking why the numbers have not changed....

A practical set of moves to protect year two and set up years three and four for actual business results, not just more tools.

12/08/2025

A CEO’s Guide to Aligning Technology Decisions with Racial Justice and Equity Goals

As a CEO, you assume the tools you buy are neutral. That your software, algorithms, and data are objective. This is one of the most expensive assumptions you can make. The reality is that your technology is likely loaded with hidden biases, creating massive legal, financial, and reputational liabilities you can't see. Fixing this isn't just about "doing the right thing." It's a core risk management strategy....


Address

Bangor, ME
04401
