The Governance Retrofit: Shape the Culture, Before It Shapes the Risk

The CEO walked in and said: "Everyone uses AI now." The room applauded. No one asked the hard questions.
No policy. No inventory. No defined expectations. No answer to what "using AI" actually means — what data can flow where, which tools are approved, or what happens when something goes wrong. Just a mandate. And a cultural vacuum the organization filled on its own terms.
This is how Shadow AI begins. Not with malice. With obedience.
People did exactly what they were told. They used AI — all of it. Personal accounts carrying corporate data. Unauthorized integrations. Ungoverned agents with unrestricted access to sensitive systems. They optimized for the only clear objective they had. IBM's 2025 research puts the cost at an additional $670K per breach — not from external attacks, but from behavior no one governed.
Then security arrived with controls. And security became the enemy.
Not because the controls were wrong. They were necessary. But they arrived after the culture did. Every restriction became an obstacle to what leadership explicitly asked for. The security team wasn't fighting a threat — it was fighting the CEO's own mandate. Employees learned to route around it, because their goal was clear and the controls were just friction.
Most organizations in this room already have this problem. This session isn't about building AI governance from day zero. It's about retrofitting governance into a culture that already has its own rules — and winning anyway.
The Governance Retrofit is a four-layer framework for organizations that need to govern AI culture from where they are:
Inventory first. You can't govern what you don't know exists. An AI inventory isn't bureaucracy — it's your actual risk surface.
Policy as communication, not compliance. The first governance document has to speak the language of the business. A legal memo nobody reads isn't governance — it's theater.
Culture before controls. Controls slow down wrong behavior. Culture installs right behavior. Deploy them in the wrong order and you're not governing — you're negotiating against yourself.
Measure what's observable. Not policies signed. Not training hours logged. Actual behavior: what tools, what data, what accounts.

Attendees will leave with a governance sequence they can implement from day one — and the language to make the case to the leadership that started this problem in the first place.

The Spiral of Change: A Methodical Approach to Shaping Human Behavior

Cybersecurity awareness isn’t just about phishing simulations and annual trainings—it’s about transforming behavior. The Spiral of Change is a 10-step framework designed to reshape how organizations embed security into their culture. Instead of isolated campaigns, this approach creates a continuous cycle of diagnosing gaps, engaging stakeholders, empowering employees, and adapting to new threats. In this talk, we’ll break down practical strategies to move from “checking the box” training to real cultural transformation. Attendees will walk away with a clear roadmap and actionable tools to make security awareness stick, no matter the size or type of organization. If you’ve ever felt your awareness program isn’t working—this session will show you how to fix it.

Series B(reach): How Startups can Leverage Cybersecurity for Growth

Startups thrive on speed, but that same speed makes them prime targets. Attackers know early-stage companies are often under-defended, while enterprise buyers and investors now expect rigorous cybersecurity due diligence before signing contracts or writing checks.

This session is aimed at CTOs and CISOs in high-growth startups. It traces the path from ideation to IPO, showing how security maturity must evolve alongside business growth. Attendees will learn:

The top cyber risks that disproportionately hit startups.

The security checkpoints that customers and investors require at each funding stage.

How to turn cybersecurity from a compliance burden into a sales accelerator and valuation booster.

Grounded in real breaches, hard data, and pragmatic roadmaps, this talk reframes security as the difference between scaling successfully—or stalling at “Series B(reach).”

Beyond the Perimeter: Building Omnichannel Security Awareness for Third Parties

When we think about “security awareness,” most companies look inward—training employees to avoid phishing and social engineering. But what about the risks that live outside your walls?

In industries like banking, fintech, crypto, and insurance, regulators demand that awareness also reaches customers, partners, and even suppliers.

In this session, we’ll explore how to design omnichannel awareness campaigns that actually work: using social media, in-app alerts, influencers, branch posters, and more.

You’ll see how to adapt the same core message to multiple audiences, measure whether it sticks, and integrate external and internal campaigns into a single security story. If you want to transform your entire ecosystem into proactive allies against cyber threats—not just your employees—this talk will give you the blueprint.

Pitching cybersecurity: Frame it Their Way, Secure it Your Way

In today’s high-stakes cybersecurity environment, effectively communicating the value of cybersecurity initiatives to non-technical executives is crucial. This session will delve into the complexities of bridging the communication gap between cybersecurity professionals and business leaders. Attendees will receive practical recommendations and communication strategies to ensure executives understand, support, and endorse their cybersecurity projects.

A key highlight of this presentation is the introduction of the "Cybersecurity Project Canvas," an innovative tool designed by me, offering attendees firsthand exposure to unpublished and novel content. This tool empowers professionals to translate technical cybersecurity challenges into strategic business discussions, facilitating clearer, more strategic conversations with C-suite executives

GPT-Crime: Cybercrime and Cybersecurity Powered by AI

Artificial intelligence is no longer a future trend — it’s a present force reshaping both cybercrime and cybersecurity. This session begins by exposing how criminals are already leveraging AI tools to scale and sharpen their attacks: from automated phishing and deepfakes to adaptive malware and targeted exploitation of AI model vulnerabilities. Through real-world examples, we’ll uncover how these tools are transforming the threat landscape and raising the stakes for defenders.

Then, we’ll shift focus to the other side of the equation: specific, real-life use cases where AI is becoming a powerful ally for cybersecurity teams. From real-time threat detection and incident response automation to intelligent risk prioritization and enhanced resilience strategies, we’ll explore how organizations are already integrating AI into their security operations.

The session will close with a critical reflection: AI is not inherently good or bad — its impact depends on how we choose to use it. In a world where speed and scale define both attacks and defenses, ethical and strategic adoption of AI will be key to staying ahead.

Key Takeaways:

Understand how cybercriminals are exploiting AI to automate and scale attacks.

Discover specific, real-world use cases of AI applied to cybersecurity.

Learn practical strategies to defend against AI-powered threats.

Hacking culture

In this session, we'll elevate the discussion around the human factor in cybersecurity, highlighting its role as the broadest attack surface yet often the most neglected. I'll argue that the onus is on organizations, not individuals, to elevate their security posture through education and training, aligned with existing regulations and frameworks that mandate user training. By introducing a proprietary framework, which has been applied across hundreds of clients with measurable success, I aim to shift the narrative from mere awareness to fostering a profound and lasting cybersecurity culture change. Attendees will gain practical insights and tools, ready to be implemented, to transform their approach to human-centric cybersecurity, ensuring a more resilient organizational defense.

Hackers Are From Mars and Executives Are From Venus

Budgets that never get approved, incidents where everyone looks for someone to blame, projects that security learns about only after something goes wrong—these are not technical failures; they are communication failures.
In this session, we’ll explore the cultural and linguistic gap between cybersecurity teams and executives—why they think differently, speak differently, and often misunderstand each other.
Through real-world examples and years of boardroom experience, I’ll show how to decode the language of the business and translate technical risks into strategic priorities.
You’ll learn how to frame cybersecurity conversations that resonate with leaders, build credibility, and turn “no” into “how soon can we start?” Because earning a seat at the table isn’t about being louder—it’s about being understood.

Estimated duration: 45-60 mins
Target audience: Cybersecurity Leaders (CISOs, CIOs, Head of Cybersecurity, Cybersecurity Managers)

Traffic lights don’t prevent collisions: how to move from colors to decisions.

For years, cybersecurity has been expected to “prevent attacks.” That expectation is common—and flawed. Incidents can happen even with strong controls. The real problem is making decisions blindly.
This session introduces a shift in mindset: risk management is not about implementing controls or turning “red” into “yellow.” It is about making informed decisions on which scenarios to accept, mitigate, transfer, or avoid—based on risk appetite, priorities, and constraints.

We start by clarifying a widespread confusion: what risk is (and what it is not), separating it from threats, vulnerabilities, findings, controls, or maturity. Then we examine why qualitative methods (risk matrices and heat maps) are weak decision inputs: ambiguity, bias, low repeatability, and poor comparability—especially when you need to choose between “high vs. high” risks or build a cost-benefit case.

Finally, we introduce quantification as the natural evolution of risk management, showing how FAIR translates cyber scenarios into business terms the organization can understand and act on: loss event frequency/probability, loss magnitude, and ranges. We close with practical use cases: control and roadmap prioritization, budget justification, risk appetite discussions, board/finance communication, and third-party and cloud risk evaluation.

Target audiencie: CISOs, security leaders, GRC/Compliance teams, risk managers, auditors, IT leaders, finance stakeholders, and executives involved in prioritization and risk acceptance.

Estimated duration: 35-45 mins