Founding Hedgehog Security

A substantial personal post. After three years as CISO at Gala Coral, I have left to found my own consulting practice — Hedgehog Security. The decision was reached through the cumulative thinking documented in the previous post; the operational transition begins this week.

This is going to be a longer post than usual. Founding work is infrequent enough that it deserves careful framing.

What Hedgehog Security is

A new UK consulting practice focused on practitioner-level cybersecurity work. The initial scope:

CISO and security-leadership advisory. Cumulative experience from the Gala Coral CISO role supports subsequent advisory work for organisations developing their security leadership capability.

Threat-disruption and DDoS defence. Work from the DDoS book and the cumulative operational experience at Gala Coral support subsequent client work in this category.

Penetration testing and vulnerability assessment. Technical capability from Vodafone interim work and ongoing practitioner reading supports subsequent technical-assessment engagements.

Compliance and regulatory advisory. Cumulative experience from the gambling-sector regulatory environment, payment-card industry compliance, ISO 27001 and broader regulatory frameworks supports subsequent advisory work.

Forensic and incident response. Cumulative experience from the gambling-sector incident-response work, including engagement with law enforcement, supports subsequent forensic engagements.

The scope is bounded by my own cumulative experience; subsequent client work will inform subsequent specialisation.

Why now

Three reasons the timing is operationally rational.

The cumulative practitioner profile supports independent work. The book, the Infosec Europe presentations and subsequent network development all support subsequent client engagement.

The defensive maturity at Gala Coral is substantially complete. Subsequent CISO work would be incremental rather than structural; role-specific learning is essentially exhausted.

Thinking about independent practice has been sustained. I have been considering this for some time; the cumulative thinking is now sufficient to support decisive action.

The cumulative trajectory through the past several years has produced the conditions for this transition. The timing is operationally rational.

What I am taking from Gala Coral

Specific learning from the three years that I will carry forward.

The discipline of operational rigour at scale. Specific practices, procedural maturity, and commitment to sustained operational discipline. The discipline travels with the practitioner.

Leadership patterns. Team development, communication with executive leadership, regulatory engagement. The leadership capability is portable.

Cross-organisational network. Peer relationships from the past three years inform subsequent independent work.

Incidents handled. The cumulative archive of operational experience informs ongoing thinking about defensive engineering. Specific events from the three years will continue surfacing in writing.

The cumulative learning is portable; specific organisational knowledge is bounded; structural patterns continue.

What is hard about founding

Three structural things worth recording.

The transition from operational salary to client revenue is substantial. Client acquisition, invoicing and accounts, and business operations are all different from operational employment. The learning curve is bounded but real.

The isolation of independent practice is real. The team support that operational employment provides is absent in early independent practice. The external network compensates partially; the discipline of sustaining engagement matters.

The responsibility is now personal. Outcomes of client work directly affect reputation and subsequent work. The accountability is qualitatively different from operational employment.

These are predictable features of independent practice. The adjustment is part of the transition.

What this means for the notebook

The weekly cadence continues unchanged. Operational content from independent practice will be bounded by client confidentiality; general patterns can be discussed.

The cumulative archive continues. Subsequent posts will reflect the independent-practice trajectory; subsequent operational reality will inform subsequent writing.

A specific commitment

For the first six months of Hedgehog Security: substantive engagement with each client; careful attention to scope, deliverables, and outcomes; discipline about not over-promising.

The discipline is to build a sustainable practice rather than to chase rapid growth.

A reflection on career trajectory

The cumulative trajectory through the past thirteen years has been varied. DEC, the gaming-operator role, RBGE consulting, Vodafone interim, Gala Coral CISO, now founding work. Each transition has expanded the operational variety.

For practitioners considering similar transitions: the discipline of articulating professional decisions in writing is itself valuable. Subsequent decisions are informed by the cumulative archive.

For my own continued discipline: the notebook documents the trajectory.

More in time.

