I’m not a good fit for institutions that want to hand off responsibility instead of sharpening their own cybersecurity decision‑making.

More specifically, I'm not a good fit for prospects seeking:

• Managed security operations: I don’t run SOCs, manage security tools, or provide 24x7 monitoring. My work is strategic, focused on governance, roadmap development, and decision support. If you need someone to operate tools day to day, an MSSP or managed provider is a better fit.
• Audit-style assessments: If the goal is to score every compliance control and produce a binder for an auditor, I’m not the right person. I use frameworks, but only as a lens. My work focuses on capabilities, tradeoffs, and project sequencing. Traditional audit firms specialize in helping complete detailed audits and assessments.
• Engagements pushed down the org chart: When a CIO or CISO brings me in, then pushes the relationship down to someone without budget or planning authority, the engagement is not a good fit. The CampusCISO model is designed to help the people who own strategy and budget decisions.
• Vendors looking for client lists: I will not sell access, share client data, or steer institutions to a preferred product. If a vendor wants to use Cyber Heat Map for their own consulting engagements, we can talk about licensing options. If they want a back door into my client base, that’s a hard no.
• Teams that just want a rubber stamp: If your tools and strategies are already chosen and you just need an external expert to bless the decision, we’ll both be frustrated. I work best with leaders who are open to looking at their portfolio holistically and crafting strategies based on data.

Most new customers come to me when the stakes feel high and the path forward feels unclear.

Some common triggers include:

• New CIO acceleration: A CIO recently started their role and wants to quickly understand their current cybersecurity posture, how they compare to peers, and what priorities they should focus on.
• CISO transition or gap: A CISO has left, is retiring, or the role never existed. The CIO needs continuity, credible board conversations, and help stabilizing the roadmap using our Strategic Operating System to ensure continuity without rushing a permanent hire.
• “We need a real plan” moment: A cabinet member, auditor, research sponsor, or board committee asks for a formal information security plan. The pieces exist in various documents, but there’s no single, coherent roadmap they feel comfortable presenting.
• New CISO getting oriented: A new CISO, especially someone new to higher education, wants a trusted partner who understands both technical and institutional realities. Often the CIO initiates this engagement to support a new leader they’ve recently promoted.
• Portfolio and vendor confusion: The institution has a crowded security stack, often managed by multiple teams besides security. CIOs want to identify overlapping tools and Leverage the Cyber Heat Map® to identify overlapping tools and cut through the steady stream of 'must-have' pitches from vendors. They want a vendor‑neutral view of what they actually have, what they need, and what solutions can be simplified or retired.

In all of these cases, what prospects are really looking for is a calm, experienced partner and a simple way to get to “here’s what we’ll do next and why.”

I help leaders turn scattered cybersecurity work into a clear, living plan they can actually maintain, regardless of the size of their team or budget.

Most institutions already have:

• Audits and assessments
• Risk registers and project lists
• A long backlog of “we really should…” ideas

What they usually don’t have is a shared, data‑informed roadmap that says:

• Here’s what we will do first.
• Here’s what can wait.
• Here’s how this protects our mission.

My work focuses on:

• Assessing current capabilities in a structured way.
• Benchmarking against similar peers.
• Turning that into a multi‑year roadmap inside Cyber Heat Map.
• Keeping that roadmap current as risks, budgets, and people change.

For institutions in the Guided Membership, the CampusCISO model becomes a force multiplier for their leadership team: quarterly strategy reviews, peer validation, and data-driven decision support without the overhead of a full-time executive.

A few things:

• Don't start with the Audit: Frameworks are important, but they aren't a strategy. We believe you must visualize your capabilities first (using tools like Cyber Heat Map), and let compliance follow.
• Cybersecurity is an essential utility, not a differentiator: In higher education, security should be planned more like providing electricity or libraries to the campus. It keeps the core mission running safely. Forcing ROI language into security discussions often creates more confusion than clarity.
• Strategy has to be maintainable in real life: A “good enough and easy to update” plan is more valuable than a beautiful deck that is out-of-date the minute it’s presented.
• Authority must align with accountability: Cybersecurity isn't a silo; it’s the aggregate result of decisions made by network directors, cloud architects, and system administrators. Since the CIO typically controls the budget and strategy for those teams, the CIO must retain ultimate accountability for the risk. The CISO acts as the strategic architect and governance authority, but cannot be the "responsible executive" for risks they lack the budget or authority to mitigate.

I’ve spent years at the intersection of two worlds:
‍

• Long‑horizon technology and security planning in higher education.
• Product and services portfolio work in the vendor world.

From that combined perspective, two unique philosophies have emerged:

• Treating security as a living product, not a project: Projects have end dates; security doesn't. I treat roadmaps like product backlogs, managing a living portfolio where 'maintenance' is just as important as 'new features'. This backlog needs to be adjusted and rebalanced regularly to maximize the impact of your available resources.
• A “less is more” discipline: Sometimes the most strategic move is subtraction. I measure success not just by what we implement, but by the 'shelfware' tools we decommission and the performative busywork we stop doing. I’m comfortable saying “yes, that project would add value, but this other change will move the needle more right now.” I focus on progress over perfection: are you in a better place than you were last quarter, not “did you hit a perfect maturity score.”

That mix of agile thinking, “less is more,” and progress over perfection shows up in how I designed the Strategic Operating System, built the Cyber Heat Map®, and guide our Members.

People come to me with “what’s next” questions:

• “Is this new security tool actually worth caring about?”
• “What should I be paying attention to with AI right now?”
• “Is this low‑code platform real, or a toy?”

I’m fairly hands‑on with technology. I like piloting new cybersecurity products, building internal tools with low‑code and NoSQL platforms, and exploring AI in my own work and for clients.

So when people want a grounded read on emerging tech (how it might fit, what could go wrong, and whether it deserves attention given their constraints) they tend to ask me.

You can count on calm, practical, vendor‑neutral guidance.

No hype. No fear‑mongering. No “Top 10 tools you must buy now.”

My goals are simple:

• Help you think more clearly about cybersecurity in a higher education context.
• Give you usable ways to plan, prioritize, and communicate information security strategies.
• Offer ideas you can apply today, even if you never join as a CampusCISO Member.

If a piece of content doesn’t do at least one of those things, it probably won’t make it out of my drafts folder.