I remember the chill of that New England winter not for its wind, but for the cold shoulder I got inside the boardroom. I was the Chief Information Security Officer—one of the first, back when that title earned more suspicion than respect. The CIO at the time wept to the leadership team, behind closed doors, telling them I was trying to make security like Fort Knox. Too rigid. Too expensive. Too aggressive. Too paranoid. Not one of those criticisms ever came to me directly. They came as secondhand whispers, rolling eyes, veiled jokes about “tin-foil hats” and “garrison mentalities.”
That was years ago.
When I left, tired of fighting, exhausted from trying to defend the company from threats they refused to acknowledge, they finally had what they wanted—compliance without confrontation. A security lead who would smile and sign off. That new CISO? They were given a choice: lie to regulators, customers, stakeholders—or get fired. Breaches were hidden. Reports doctored. Timelines buried under red tape and internal legalese. And still, the CIOs and CEOs of the world cried that Fort Knox was too much.
Now we face 184 million breached Google and Apple accounts, stacked on top of past sins—Equifax, Facebook, Yahoo, Marriott, MOVEit, SolarWinds, LastPass, Okta, and the endless carousel of incompetence and coverup. No boardroom ever asked, “Why didn’t we build Fort Knox?” Instead, they gaslighted us into believing we were the problem—security was a cost center, not a standard bearer. Until the lawsuits come. Until the customer base flees. Until the breach exposes everything from personal messages to trade secrets.
The truth hurts more than any breach. The truth is that the industry let cowardice become policy. They chose convenience over resilience. Executives celebrated availability, ignored integrity, and hoped confidentiality was someone else’s problem. I carried that burden until it broke me. I burned out in the trenches—berated, undermined, isolated—because I told the truth too soon.
If we had built Fort Knox then, maybe by now, we’d have more than ruins and regrets. Maybe today’s 184 million wouldn’t be a headline, but a footnote in a history where we finally got it right.
But I wasn’t allowed to be right. I was allowed to leave. And when I did, so did the last real chance they had to do the right thing.
And that story, like too many others in security, ends not with a breach—but with silence.
