Good CISO vs. Bad CISO: The Hidden Mindsets That Make or Break Security Leadership
Inspired by Phil Venables’ Good CISO / Bad CISO framework, this piece explores the mental models that distinguish effective security leaders from those trapped in reactive cycles.
I’ve spent the past decade working across cloud, application, and enterprise security. I currently serve as an Information Security Lead and Deputy CISO.
My work centers on advising executives on risk, resilience, and security strategy while ensuring that security aligns with broader business priorities.
Rethinking GRC: How CISOs Can Keep Up With Growing Demands
As the digital threat landscape evolves, Governance, Risk, and Compliance (GRC) has become an essential focus for every CISO. But managing GRC today feels like juggling endless responsibilities—compliance demands, security risks, and resource constraints—all while trying to protect your organization. Traditional GRC approaches aren’t cutting it anymore. They’re slow, inflexible, and often prioritize compliance over actual security.
The key challenge is decoupling compliance from security. Compliance frameworks, while necessary, shouldn’t dictate how you manage security risks. Passing audits doesn’t mean your organization is secure. CISOs need to focus on real threats and risks, letting compliance be a byproduct of effective security rather than the driver.