Practical risk management for teams without a playbook
Hard-won lessons from building security and compliance programs at organizations where you can't just throw resources at the problem.
I've spent decades in technology—starting in development, moving through project management, and eventually landing in security and compliance leadership. These days I'm responsible for protecting systems, meeting regulatory requirements, and keeping operations running with a small team and a realistic budget.
Along the way, I've had to navigate the maze of compliance frameworks—NIST, ISO 27001, CMMC, and others—and translate their requirements into something that actually works on the ground. Most guidance out there assumes you have resources that smaller organizations simply don't have.
This site will share what I've learned: how to cut through the jargon, where the frameworks actually overlap, and how to implement controls that satisfy auditors without grinding your operations to a halt.
What I'll be covering
Navigating the framework maze
NIST, ISO, CMMC, SOC 2—translating alphabet soup into plain language and practical implementation.
Templates that actually get used
Frameworks and documents that have survived contact with real audits and real operations.
Talking to leadership
How to communicate risk to executives who have a hundred other priorities—and actually get traction.
The multiple hats problem
Strategies for managing IT, security, and compliance simultaneously without burning out or dropping balls.
Where things stand: I'm building this alongside a full-time role, so progress is deliberate. I'd rather share something substantive than rush out content that doesn't hold up.
Get notified when this launches
Drop me a line and I'll let you know when there's something to read.
hello@allaboutrisk.info
Just say "notify me" — I'll add you to the list.