What I actually do
Built 0 → 1
Built a risk function from one headcount into an enterprise program. Over six years at Box I stood up Risk and Resilience from scratch: hired and developed the team, won every headcount, and grew the scope from tech risk into enterprise risk, business continuity, disaster recovery, and crisis management, with board audit committee endorsement of the relaunched program.
[coming soon] What I learned when I couldn't type the words 'on track'
GRC @ eng speed
Redesigned a risk organization for the AI era before the company asked for it. At Coinbase I restructured Tech Risk into a lean service model: senior leads as concierges to risk owners, automation absorbing the triage layer, eliminating roughly a thousand hours of annual toil and freeing the team for high-context judgment work. The operating model came out of a conviction that GRC has to evolve from manual oversight into living technical architecture: telemetry that recalculates risk as the environment changes, quantification wired into the systems the business already runs, governance that keeps pace with how fast those systems now move.
Board engagement
Inspired boards to engage with GRC instead of nodding at it. At Netflix I rebuilt the CISO's audit committee report from siloed sections into a single narrative anchored by quantified risk, rallying the broader security org to produce it; engagement rose visibly, and executive leadership got interested enough in the methodology to ask where else it could apply. At Box I presented FAIR analyses to the audit committee directly and built a standing relationship with its chair.
[coming soon] How I turned an audit committee report from a status update into a real conversation
Judgement over dogma
Matched risk rigor to the decision, not to fashion. I built quantification that fit the organization's maturity rather than the loudest methodology in the room, scaling from plain-English risk conversations to full FAIR-grounded analysis depending on what the decision actually warranted. High-fidelity quant is the right tool when an organization is ready for it and the stakes justify the engineering; forcing it onto a program that isn't ready just produces compliance noise. The discipline is reading which the moment calls for.
Why the best risk model is the one that informs a decision today
Player coach
I lead from inside the work. I write runbooks, draft my own decks, and build alongside my team rather than managing from a distance. At Coinbase I was mid-build on an agent that reads decision memos against the risk register and open findings to hand the author a risk read while the decision is still open. The habit doesn't switch off outside of work either; I've shipped a company intelligence tool, an automated industry research newsfeed, and a search app for my cookbook library.