State CISO · Florida
State CISO protecting 35 Florida agencies. DSc researcher. Practitioner-researcher essays on cybersecurity at scale.
I lead cybersecurity operations for 35 Florida state agencies and the whole-of-state cyber program under F.S. 282.3185, which extends to more than 4,000 local government entities (counties, municipalities, school districts, water utilities, and special districts). I am also a doctoral researcher at Capitol Technology University, applying the FAIR risk quantification model to historical incident data from Florida agencies to test whether our risk models actually predict what happens.
Before this seat, defense contracting at Lockheed Martin and critical infrastructure security at the Greater Orlando Aviation Authority. Before that, the Marine Corps. The work has always been about decisions made under uncertainty with consequences that outlast the decision-maker.
The day job tests what the research argues. The research tests what the day job assumes.
The Practitioner
I lead cybersecurity for 35 enterprise agencies, 107,000+ employees, 200,000+ devices, and 4,000+ local government entities. The work is unglamorous: governance, risk, incident response, and the slow build of a defensible posture across a population the size of a mid-sized country.
Connect on LinkedInThe Researcher
I apply the FAIR risk quantification model to historical incident data from 35 Florida agencies. The research question: do our risk models tell us the truth, or do they encode the assumptions that produced the incidents in the first place?
Read research essaysWriting about what I learn as I build, break, and fix enterprise security at scale.
Most security programs don't fail during attacks. They fail during audits they pass. Here's why looking secure is more dangerous than being vulnerable.
AI lets every employee generate production-grade risk at machine speed. Here's what that means for enterprise security leaders.
AI agents are making security decisions at machine speed. Nobody owns those decisions. That gap is the real crisis in cloud security right now.
A State CISO on why the hardest leadership skill isn't decision-making. It's making yourself unnecessary in the right moments.
Enterprise vendor selection feels like risk management. It isn't. Here's what most CISOs get wrong before the contract is even signed.
Point-in-time compliance audits tell you where the fire was, not where it is. Here's why that distinction costs organizations everything.
Whether you're interested in research collaboration, speaking engagements, or enterprise cybersecurity advisory - I'd like to hear from you.