February 15, 2024

Risk Grustlers Ep 12 | Security: Building a Business Within A Business

Hey there, everyone! Welcome to Season Two of Risk Grustlers, where we immerse ourselves in the fascinating narratives of individuals within the realm of risk and compliance. With a diverse array of guests hailing from various backgrounds, each conversation promises to be both exhilarating and profoundly enlightening.

Today, we're in for a treat as we engage in a candid discussion with Aaron Wurthmann, the CIO and CISO at Spire One, to uncover his journey through the realm of risk management. Let's explore his insights and experiences in navigating the complexities of cybersecurity.

You can listen to the complete podcast here.

https://youtu.be/PUnWvt3mgGM

Todd: Before we delve into the intricacies, I'm genuinely intrigued by your journey. What sparked your interest initially? Because, frankly, none of us started off in IT and security. It wasn't even a prominent field back in the nineties, barely a blip on the radar. So, please, share your story. How did it all begin for you?

Aaron: Certainly. I was born and raised here in Silicon Valley. My father was a sys admin, working for companies like IBM and Texas Instruments. Computers were always present in our household, but I never saw it as a career path initially. My passion back then revolved around being a tagger and heavily indulging in street art, especially here in the valley. When it came time for higher education, I opted for graphic design. There was a local school offering specialized programs in either sys admin or graphic design, and I chose the latter.

During that period, I worked at a few startups. I believe my first stint was around '96 or '97. Initially, I started as a receptionist, then worked my way up to administrative roles like assistant and eventually office manager. Throughout these positions, I found myself tinkering with the startup's computers due to my background. Tasks like setting up user accounts, managing DNS and static IP addresses, handling anti-accounts, and setting up exchange accounts became part of my routine as an office manager.

Then, one day, a recruiter approached me about a full-time IT position. My initial reaction was reluctance; after all, I enjoyed the autonomy and perks of my current role. However, when she mentioned the salary, which was double what I was making as an office manager, I reconsidered. Thus, my journey into the world of sys admin, SRE, and eventually leadership began, thanks to someone taking a chance on me.

Todd: Now, regarding the bread-making endeavor you mentioned, that's quite a departure from IT! How did that come about?

Aaron: Well, during the pandemic, like many others, I missed the sourdough trend entirely. However, I received a pizza oven as a gift, which sparked my curiosity. I embarked on a quest to perfect pizza dough, researching the most flavorful options. That's when I discovered Serrano as the ideal choice. From there, it evolved into a side hobby of sourdough-making, primarily for pizza.

But as anyone who's ventured into sourdough territory knows, there's a lot of discard involved. So, naturally, bread-making became the next logical step, followed by cakes, muffins, and even English muffins. It's been a culinary journey inspired by a desire for the perfect pizza dough.

Todd: Great, that's some good bread, although let's get back on track discussing security! Even if we did have an enormous budget, there's no way we would be able to protect a company from every single threat. So how do you establish a budgetary baseline for a security program?

Aaron: So, I think it starts with the philosophy that IT and security functions should operate as businesses within a business. It's about being mindful of our spend, understanding who our customers, investors, and partners are, essentially building a community around our security product. Imagine if security were a product – how would we run it?

After adopting this philosophy, the next step is to align with stakeholders and grasp the bigger picture of the company's vision. As security and IT leaders, our role is to enable the company to succeed in achieving that vision. This deep involvement in the business helps us understand its risk appetite and tolerance, which forms the basis of our security strategy.

In practical terms, it's akin to creating a business plan for security. We engage with various stakeholders, from customer support to marketing and sales, to understand their needs and concerns. By doing so, we can tailor our risk management approach to align with the company's objectives.

For instance, we consider both the positive and negative impacts on the company. Positive outcomes might include pursuing a compliance certification that unlocks new revenue streams, while negative risks could involve potential breaches or failures to meet objectives.

Now, regarding budget allocation, the industry standard often suggests around 1% of revenue for security. However, for pre-revenue companies, this calculation can be challenging. In such cases, I propose linking security budget to potential revenue or the revenue targets for the year.

Communicating this risk to stakeholders, particularly the board of directors, is crucial. Even if they accept the risk, it's essential to prepare contingency plans while being willing to let go if our advice isn't followed.

When it comes to presenting security to the board, it's about understanding the business impact of security incidents. We need to speak their language, aligning our discussions with their objectives and concerns. While precise numbers are ideal, establishing rapport and credibility through ongoing dialogue is equally important.

Transitioning from a tactical to a strategic mindset, especially for highly technical individuals, requires learning business speak and understanding investor language. It's a skill set that can be developed with time and effort.

Ultimately, establishing a budgetary baseline for a security program involves aligning with stakeholders, understanding business objectives, and effectively communicating the impact of security incidents in business terms.

Todd: How do you find the right balance between allocating resources for immediate needs and investing in long-term resilience for your security program?

Aaron: It all comes down to a fundamental philosophy I adhere to, which emphasizes the value of diverse skill sets within the team. Rather than solely hiring experts in specific areas, I prefer individuals with varied experiences, like a senior risk analyst who has also worked as a network or security admin. This diversity enables us to maintain a balanced approach to budget and resource allocation.

To stay ahead of scaling challenges, I advocate for proactive measures such as establishing relationships with Managed Service Providers (MSPs) or considering outsourcing before the need arises. By doing so, we can access burst capacity when required without compromising the integrity of our internal team.

For those navigating the early stages of building a company's IT and security infrastructure single-handedly, my advice varies based on company size and growth trajectory. Typically, once a company reaches around 100 employees, it's time to consider focusing either on IT or security, depending on the business's priorities and plans.

For instance, if security plays a significant role in the company's objectives, such as achieving a SOC 2 type II certification for a SaaS business, investing in compliance expertise or suitable tools beforehand is essential. By strategically aligning resources with business goals, small companies can lay a robust foundation for future growth and security.

Todd: Since you mentioned it, do you ever try to sell compliance as a revenue advantage to the company?

Aaron: Absolutely. When discussing compliance with the business, I frame it as a cost of revenue. Just like we calculate the cost of goods sold, understanding the investment needed to obtain certifications like SOC 2 Type II or FedRAMP is crucial for unlocking potential revenue streams. This conversation is essential for security professionals to have with CFOs or board members to align security initiatives with business objectives.

Moreover, in smaller company scenarios, staying informed about industry breaches is paramount. Tools like Feedly help me curate cybersecurity news, allowing me to promptly address concerns raised by CEOs or stakeholders. Regardless of our role, whether a CISO or an individual contributor, it's our responsibility to stay updated and provide confident responses when questions about the company's security posture arise.

Todd: Okay. So since you touched on tools, we all learn from when we get breached or something happens. So when you start at a new company or consulting for a company, do you follow any specific frameworks that you like to measure by?

Aaron: Absolutely. There are foundational frameworks like CIS top 20 and various NIST standards that provide a solid starting point regardless of the company's industry or size. However, before diving into specific certifications or compliance requirements, it's crucial to understand the business stakeholders and align security initiatives with their objectives.

Todd: Understood, however with the proliferation of security tools, managing them effectively becomes a challenge. How do you navigate purchasing decisions amidst this vast landscape of security solutions?

Aaron: It's essential to adopt an internal-first approach and evaluate if we can develop certain features or tools in-house before considering external purchases. For instance, if a company lacks visibility into its attack surface, building an internal tool to assess it may be more cost-effective than buying a commercial solution outright. However, it's crucial not to overburden the budget with unnecessary purchases. Developing a clear strategy for in-house development and rigorous documentation ensures continuity and mitigates risks associated with personnel changes.

Todd: So based on all your experiences, have you ever encountered or heard of an organization that severely underspent on security, leading to a significant breach or cyber catastrophe? And if so, what were the lessons learned from that situation? Was it primarily a budgetary issue or a cultural issue, or perhaps something else?

Aaron: I've come across instances where organizations failed to allocate adequate resources to cybersecurity, leading to devastating consequences. While I haven't directly experienced this, I've observed scenarios where there was a breakdown in communication between cybersecurity leadership and budget stakeholders, often the CFO. This breakdown can stem from either party being unwilling to engage honestly with the other. It's crucial for cybersecurity leaders to strike a balance, ensuring they neither overspend nor underspend on security initiatives. Real leadership lies in transparent communication and the ability to reassess and reallocate resources as needed.

Todd: Hospitals, for example, often face budget constraints, yet ransomware attacks can have life-threatening consequences. How do we address this challenge, particularly in non-profit organizations where revenue isn't the primary concern?

Aaron: That's a critical issue. For non-profits like hospitals, the conversation needs to shift from revenue to other critical metrics, such as patient care and operational continuity. By quantifying the potential impact of cyber incidents on patient care and operational downtime, cybersecurity leaders can effectively convey the importance of investing in security measures. It's about understanding the organization's core objectives and aligning security initiatives accordingly, even if revenue isn't the driving force.

Todd: As we wrap up, could you shed some light on how one begins their security journey within a company, and perhaps provide us with a top five checklist of key considerations?

Aaron: Absolutely, Todd. Firstly, it's crucial to grasp the landscape of stakeholders, encompassing partners, superiors, and even potential board members. Next, delve into understanding the people aspect, acknowledging the significance of your team, peers, and reporting structure.

Following that, comprehending the company's approach to cybersecurity is paramount. This entails grasping the overarching mission, tactical methodologies, and historical strategies. Then, delve into dissecting the spend. As a leader, it's imperative to scrutinize past expenditures, particularly in personnel, and prepare for potentially tough decisions regarding compensation.

Lastly, but certainly not least, is technology. Assess the current tech infrastructure, including communication and collaboration tools, and correlate it with the overall expenditure. Remember, it's all about aligning People, Approach, Spend, and Technology (PAST) for a comprehensive security strategy.

Todd: That's fantastic. And I like how you've encapsulated it all into the PAST framework. It's definitely a memorable way to approach it.

Aaron, thank you so much for taking the time to join us today. Your insights into the realm of security and budgeting have been invaluable.

Budgeting with all aspects of security in mind is truly a key requirement. To all our listeners, thank you for tuning in to this episode of Risk Grustlers, Season Two. If you haven't caught Season One yet, remember to take a look at it here!

Stay tuned for more exciting episodes ahead with some fantastic guests lined up. Until next time, stay informed and stay compliant.
