Case Studies

Stories Behind the Numbers

The metrics matter, but they don't tell the whole story. Here's what actually happened.

Building a Security Function From Zero

Context

Government organization, 180+ entities, 30,000+ users, no existing cybersecurity capability.

Challenge

The Government of Sharjah was forming a new digital department and needed a cybersecurity function — not an assessment, not a recommendation, a functioning department. No team. No tools. No policies. No SOC. No incident response. Nothing.

What I Did

Started with a comprehensive gap assessment across all 180+ entities. This wasn't a checkbox exercise — it was the foundation for a multi-year roadmap. I assessed every entity against UAE IA, NIST CSF, ISO 27001, and CIS Controls. The results were sobering. Most entities had no formal security governance. Some had no IT policies at all.

I presented the findings to the Executive Council — not as a list of technical gaps, but as a business risk narrative. "Here's what we don't have. Here's what happens if we don't fix it. Here's what it costs to fix it. Here's the order we should fix it in." The program was funded.

Over the next eight years, I built everything:

  • Hired and scaled the team from 3 to 22 specialists across SOC, GRC, architecture, and consulting
  • Deployed a full enterprise security stack — SIEM, EDR, PAM, BAS, SOAR, DLP, Zero Trust, email/web gateways
  • Built a 24/7 SOC with MSSP partnerships
  • Founded the state CERT, coordinating 30+ penetration tests annually and publishing advisories
  • Launched secure cloud services for 15,000+ mailboxes with built-in Zero Trust controls
  • Delivered compliance dashboards to the Executive Council with real-time risk visibility
Results
  • Incident response times reduced by 60%
  • Detection coverage expanded by 40%
  • CIS maturity improved from Level 2 to Level 4 across 184 entities in 3 years
  • Zero audit failures across 8 years of annual reviews
  • $2.3M in cost savings through vendor consolidation and strategic negotiation
  • Compliance effort reduced 70% by unifying multiple frameworks into a single control set
The Invisible Impact

Beyond the metrics, there's something that doesn't fit into a dashboard: every year, we brought in approximately 10 university interns and I personally trained each cohort. Over eight years, that's roughly 80 young professionals who got their first real exposure to cybersecurity through our department. They rotated through the SOC, worked on compliance projects, participated in penetration testing engagements, and sat in on executive briefings. Most of them went on to build careers in security. Several have told me that their time with us was what made them choose this field. The programs we built were important. The people we developed might matter more.

Lesson

The hardest part of building from zero isn't the technology. It's earning the trust of 180+ entities that don't report to you, don't share your priorities, and didn't ask for your help. You earn that trust by being useful, not by enforcing compliance. I made sure that every policy, every tool, every process we deployed made their lives easier, not harder. That's why adoption worked.

The Consulting Years — Why Listening Matters More Than Knowing

Context

6 years, 10+ clients, government/banking/enterprise, ISO 27001 certification programs.

Challenge

Each client organization was different. Different industries, different risk appetites, different levels of maturity, different politics. The temptation for a consultant is to apply the same playbook everywhere. The reality is that the same framework implemented the same way in two different organizations will succeed in one and fail in the other.

What I Learned

My first engagement was at a bank. I showed up with what I thought was a comprehensive gap analysis template. Sixty questions. Every ISO 27001 control domain covered. Three days into interviews, I realized my template was useless — not because the questions were wrong, but because the client's organization didn't work the way my template assumed. Their reporting lines were different. Their approval processes were different. Their definition of "risk owner" was different.

I threw the template out and started over. Instead of asking structured questions, I asked one open-ended question to each department head: "Walk me through how things actually work here." No framework language. No compliance terminology. Just: how does your team operate day to day?

What I heard was completely different from what the project brief described. The brief said the problem was "lack of ISMS documentation." The actual problem was that three departments had overlapping responsibilities, no one had clear ownership of key processes, and the policies that did exist contradicted each other. The ISMS gap was a symptom. The organizational clarity gap was the disease.

After that engagement, I changed my approach permanently. Every new client, every new engagement, every new role starts with the same discipline: shut up and listen. What's actually happening? What do people believe is happening? Where's the gap? That gap is where the real problem lives.

Results

80% of the organizations I coached through ISO 27001 certification passed on the first attempt. Not because of a better template. Because of better listening.

From Security Leader to Application Builder

Context

Post-relocation to the U.S., challenging job market, AI tools available.

Challenge

After 15 years of evaluating, procuring, and managing security tools — I realized I'd never built one. I understood how SIEM platforms detected threats. I knew how GRC tools mapped controls. But I'd never designed a database schema, written an API endpoint, or deployed a container to production. That gap bothered me.

What I Did

I started with Claude Code, an AI-assisted development tool. Not a no-code drag-and-drop platform — actual code. TypeScript, React, PostgreSQL, Docker. I wrote the prompts, reviewed every line of output, made the architecture decisions, debugged the issues, and deployed to production.

The first application was rough. I spent more time understanding the stack than building features. But by the third application — a full GRC platform with AI risk scoring, multi-tenant architecture, and compliance mapping — I was making deliberate design decisions and shipping working features.

The cloud evaluation alone was worth the effort. I hands-on tested Oracle, Azure, AWS, and Akamai. Each had trade-offs. I picked Akamai for its simplicity, predictable pricing, and CLI-first workflow. It was the same evaluation methodology I'd used for enterprise security platforms — except this time I was the one deploying, not the one signing the PO.

What Changed
  • Architecture reviews: I now understand what the engineering team is actually discussing.
  • Vendor evaluations: I can assess whether a product's architecture is sound, not just whether the demo looks nice.
  • Policy writing: I write security requirements that are implementable because I understand what implementation actually involves.
  • Credibility: When I talk to developers about security, I'm not speaking from theory.
Lesson

You don't need to become a developer to be a better security professional. But building one real thing — planning it, designing it, deploying it, maintaining it — changes how you think about everything else in security. Every security leader should try it once.

← Back to Home Read My Thoughts →