From Chaos to Clarity: The Moment a Team Finally Felt Confident About Security
If you work in a startup or small tech business, you’ll know the feeling when someone says “We need to sort the security out”, and before you know it, there’s a 20-item list of complicated frameworks, acronyms, and controls being thrown around like confetti.
I see this a lot. But there’s one moment that always sticks with me, a moment when a whole team went from confused and overwhelmed to actually feeling in control of their security for the first time. And it had nothing to do with buying more tools or throwing more jargon around.
It came down to understanding the real job of security.
When Everything Is a Priority, Nothing Is
I remember sitting in a boardroom where the team proudly shared their “security plan”. They had a long document full of all the things they were going to implement, including NIST RMF, role-based access control, continuous vulnerability management, encryption at rest, and about a dozen other terms that felt like they were pulled straight off a compliance bingo card.
Every item had been marked as “priority”.
It didn’t take long to realise what was going on: they’d collected every security term they’d ever heard and assumed that doing all of them would equal being secure.
But when I asked “Why do you need this control?”, the whole room fell silent. People glanced at each other and someone shrugged. Another person said, “Isn’t this just what secure companies do?”
It wasn’t a lack of effort or that they didn’t care. It was that they were treating security like a shopping list instead of a business decision. And honestly, this is more common than you’d think.
Security Isn’t a Technical Problem
Once we got talking, I could see the frustration in the room. They had spent weeks pulling this list together, cross-checking it, researching tools, trying to “get it right”.
But the breakthrough came when I explained something that most founders and small teams never get told:
Cyber security isn’t actually a technical problem, it’s a risk problem. A business problem.
Yes, it uses technical controls, of course it does, but those controls exist because of a business risk, not in place of one.
You don’t encrypt data at rest “because it’s best practice”.
You encrypt data at rest because losing that data would impact:
Your customers
Your reputation
Your ability to trade
In some cases, your entire business model
When that clicked for them, the energy in the room shifted. For the first time, they weren’t trying to “look secure”. They were trying to understand what they were securing and why.
Mapping Security to The Business
We pulled everything back and started again, not with a list of controls, but with the business itself.
I asked:
What are your most critical assets?
What would genuinely keep you up at night if it disappeared tomorrow?
What would cause your investors to panic?
What would stop you delivering to customers?
What could you live with?
What absolutely must not fail?
Just honest conversation without all the jargon.
Once we’d worked through their risk appetite and business objectives, suddenly everything seemed clear. Security was a handful of decisions tied directly to the real world they operated in.
They went from: “Everything matters equally” to “We know exactly what matters and why”.
That shift alone made them visibly more confident. They’d gone from reacting to hypotheticals to making intentional decisions.
Finally: A Roadmap That Made Sense
Once the priorities were clear, we could build a roadmap grounded in business risk, practical constraints (like budget and time) and real-world impact.
A map with a direction of travel that everyone, technical or not, could understand.
This roadmap showed:
What they needed to protect
How each control reduced risk
What they could delay
What they could ignore entirely
What would deliver the biggest impact for the least cost
How it supported their mission and product
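To make the roadmap idea concrete, here is a small added example (my own illustration, not a tool or method from the original post) of a risk register that answers “why do you need this control?” with a number and ranks controls by the business risk they remove per unit of cost, then funds them in that order until a budget runs out. The assets, controls, 1–5 scoring scales, reduction fractions and cost units are all constructed assumptions for the sake of the example; a real register would use the figures that came out of the conversation about critical assets and risk appetite.

```python
"""Added example: a tiny risk register that ranks candidate controls by the
business risk they remove per unit of cost and builds a budgeted roadmap.
All scores, assets and controls below are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int      # 1-5: damage to customers, reputation, ability to trade
    likelihood: int  # 1-5: how likely a compromise is today, before new controls

    def risk(self) -> int:
        # Qualitative score; good enough to compare assets, not to price them.
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    protects: tuple[str, ...]  # names of the assets this control applies to
    reduction: float           # fraction of each protected asset's risk it removes (assumed)
    cost: int                  # relative cost in effort/money units (assumed)


def risk_reduced(control: Control, assets: dict[str, Asset]) -> float:
    """Total risk score this control removes across the assets it protects.
    This is the numeric answer to 'why do you need this control?'."""
    return sum(assets[name].risk() * control.reduction for name in control.protects)


def prioritise(controls: list[Control], assets: dict[str, Asset]) -> list[Control]:
    """Rank controls by risk removed per unit of cost, highest first."""
    return sorted(controls, key=lambda c: risk_reduced(c, assets) / c.cost, reverse=True)


def plan(controls: list[Control], assets: dict[str, Asset], budget: int):
    """Greedy roadmap: fund controls in priority order until the budget is spent.
    Returns (funded, deferred); deferred items are consciously delayed, not forgotten."""
    funded: list[Control] = []
    deferred: list[Control] = []
    remaining = budget
    for control in prioritise(controls, assets):
        if control.cost <= remaining:
            funded.append(control)
            remaining -= control.cost
        else:
            deferred.append(control)
    return funded, deferred


# Constructed sample register (illustrative values, not taken from the article).
ASSETS = {a.name: a for a in [
    Asset("customer database", impact=5, likelihood=3),
    Asset("marketing site", impact=2, likelihood=4),
    Asset("internal wiki", impact=1, likelihood=2),
]}
CONTROLS = [
    Control("MFA on admin accounts", ("customer database", "internal wiki"), 0.5, cost=2),
    Control("encryption at rest", ("customer database",), 0.6, cost=3),
    Control("continuous vulnerability management", ("marketing site",), 0.4, cost=4),
    Control("web application firewall", ("marketing site",), 0.3, cost=5),
]

if __name__ == "__main__":
    for control in prioritise(CONTROLS, ASSETS):
        removed = risk_reduced(control, ASSETS)
        print(f"{control.name:38s} removes {removed:4.1f} risk for cost {control.cost}")
    funded, deferred = plan(CONTROLS, ASSETS, budget=6)
    print("fund now:", [c.name for c in funded])
    print("defer:   ", [c.name for c in deferred])
```

With the constructed figures, MFA on admin accounts removes 8.5 risk for a cost of 2 and ranks first, encryption at rest second, and the two marketing-site controls are deferred under a budget of 6. The point is not the arithmetic but that every line of the roadmap now carries an explicit reason, a cost, and a decision (fund, delay, or skip) that a non-technical founder can argue with.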
For the first time, security didn’t feel like a burden or a black hole of money. It felt like something they were steering.
Accepting the Reality: No Business Is Ever “Risk-Free”
One thing I always make clear, and this team got it instantly, is that you can never remove all risk. If the only way to build a completely risk-free system is to not build anything at all, then that tells you everything you need to know.
Startups exist because they take risks. The trick is to take the right ones.
When they realised this, it brought the temperature down in the room. They needed clarity and confidence instead of perfection. They got both.
What Really Shifted for Them
If I had to sum it up, it’s as simple as they stopped seeing cyber security as an IT checkbox, and started seeing it as a business tool.
There was a clear shift in having ownership, knowing what actually mattered, understanding the “why” behind the controls, realising they didn’t need to do everything, and having a roadmap that aligned security with the mission of the company.
They walked away with confidence. And honestly, that’s the bit I care about most.
Because if a founder or team feels confident about their security, they make better decisions, spend money in the right places, and stop feeling like they’re drowning in jargon.
My job isn’t to impress people with acronyms.
It’s to cut through the noise and help them build something secure, sensible, and aligned with what they’re actually trying to achieve. That’s the work that makes the biggest difference.