Paolo Carner

Your Security Questionnaire Problem Isn't a Security Problem

A fast-growing B2B SaaS company hired me to answer security questionnaires. They were ISO 27001 certified. SOC 2 certified. Selling to Fortune 500 accounts. Technically strong team. The brief was simple: help us respond faster. What I found when I got there was something different — and more expensive — than slow turnaround times.

The Room that mattered

Your security advisor might be doing excellent work. You might never see the results of it.

Your Platform's Security Badge Might Be Decorative

A vibe-coding platform with a potentially fabricated ISO 27001 certificate just left every pre-November 2025 project — source code, database credentials, AI chat history — readable by any free account for 48 days. And counting.

The Scenario Doesn't Matter

I was listening to a podcast about doubt last week. The guest made a point that stuck with me: doubt is most useful before a crisis, not during it. Under acute stress, people fall back on their habits. If habits are built on unexamined assumptions, they fail. It made me think about tabletop exercises.

The Accidental Security Lead

The first week of a new vCISO assignment, I always meet the same person. Their title says Platform Engineer. Or DevOps Lead. Or Senior SRE. But somewhere in the last year, they became the unofficial security team. They didn't ask for it. They were "voluntold" because they're "the technical one" and security seemed adjacent to infrastructure. By the time I show up, they've been carrying something they can't quite name. Here's what it looks like.

Your Phone Isn't Listening. But You Should Still Leave It Outside the Room.

We've all heard the joke. You mention something casually in conversation — a product, a place, a craving — and seconds later it appears in your feed. Spooky, right? A post circulating recently told the story of a college student studying organic chemistry with friends. Days later, Instagram recommended her a Mexican musician whose songs teach you o-chem. App closed. No search. Just... conversation.

The conclusion? Our phones are listening. It's a compelling story. And it's almost certainly wrong.

Why DIY ISO 27001 is a Tax on Growth

In the scale-up world, "Do It Yourself" is a badge of honor: “We DIY our first MVPs, sales scripts, and office builds.” But when that same instinct is applied to ISO 27001, it stops being an entrepreneurial virtue and starts being a structural liability.

Why ChatGPT Can't Save You From Security Questionnaires

You just saved yourself 6 hours. The enterprise prospect's security questionnaire landed in your inbox last Tuesday—87 questions spanning access controls, incident response, business continuity, data encryption, vendor management. Your sales team is breathing down your neck because this deal is "critical for Q1." Your CEO mentioned it in the all-hands.

So you did what any practical CTO would do: you copied the questions into ChatGPT, fed it your company context, and got back polished, professional-sounding answers. Sales submitted them. The prospect thanked them. Everyone moved on. You're off the hook.

Right?
