Welcome to the Expired CISO

Guy in a suit in a folding chair sipping a colorful drink with his feet up on a stack of switches in a data center

Where the expiration date is a suggestion, not a requirement

After decades in this industry, I’ve earned exactly two things: a drawer full of expired certifications and the freedom to finally say what I actually think.

I’m not here to sell you anything. No frameworks. No courses. No “transform your security posture in 90 days” nonsense. I’m just a security practitioner who’s been around long enough to watch the industry make the same mistakes on a ten-year cycle while pretending each iteration is revolutionary.

I’ve done the government thing. The Fortune 500 thing. The “we’re a startup disrupting security” thing. I’ve sat in boardrooms explaining risk to executives who nodded thoughtfully and then approved the project anyway. I’ve watched vendors rebrand the same product four times. I’ve seen “zero trust” go from academic concept to meaningless marketing term in record time.

And I’m still here. Somehow.

So why this blog?

Because I’m tired of watching smart people burn out chasing metrics that don’t matter. Because the industry has a habit of eating its young while the conference circuit celebrates the same twelve people saying the same twelve things. Because somewhere between “compliance theater” and “we take security seriously,” there’s actual work being done by people who deserve better than what this industry gives them.

I’m in what I call the DGAF era of my career. Not “don’t care” - I care deeply about this work. But I no longer care about the politics. The posturing. The LinkedIn thought leadership industrial complex. I’ve stopped playing the game where we all pretend the emperor’s new SIEM is revolutionary.

What to expect here: Hard truths delivered with occasional humor and minimal buzzwords. Commentary on the gap between how we talk about security and how it actually works. The occasional rant about things that have bothered me for twenty years. Maybe some useful observations from someone who’s made most of the mistakes already so you don’t have to.

I’m staying anonymous because the goal isn’t building a personal brand - it’s saying things that need to be said without the filter of “will this hurt my next job opportunity.” If you’ve been in this industry long enough, we’ve probably shared a meal, or a drink, or a story. If you haven’t, it doesn’t matter.

Consider this your invitation to pull up a chair. We’ve got plenty to talk about.

—The Expired CISO

“Best consumed before the next framework revision”