Liron Golan, CISO

They call me when it’s broken. They keep me when it works.

CISO | Security that scales with the business and holds under audit


My Path

For 20+ years, I’ve built and operated security programs in regulated, high-growth environments.

Frameworks and regulations delivered: SOC 2 Type II • ISO 27001 • GDPR • CPRA • CMMC Level 1

Based in the New York metro area.

I lead security as a business function.
Boards see risk in financial terms.
Engineering sees controls designed with them.
Customers see a trust posture that closes enterprise deals.

That operating model didn’t start in security.
It came from two decades running technology across pharmaceuticals, telecommunications, secure media, SaaS, and financial services. By the time I took my first security mandate, I already understood how the business runs.

The mandate was at a Series B SaaS company. From zero to SOC 2 Type II, ISO 27001, GDPR, and a mature security program – and a culture that outlasted my tenure.

Today: CISO at a global financial services firm, leading cybersecurity for institutional digital-asset and trading operations.

Security is a business function first, and a technical one second.


How I Lead

Security is most effective when it's aligned to how the business actually runs,
not how frameworks say it should.

I lead by earning trust before asking for authority.

The first thing I do is listen to engineering, product, legal, and leadership.
I learn how the business actually works before proposing how to protect it.

I build controls with teams, not around them. Security designed in isolation gets circumvented; security built collaboratively gets owned. Shift-left practices, joint threat modeling, and tabletop exercises put engineering inside the program rather than adjacent to it.

I translate risk into the boardroom. Exposure, likelihood, financial impact.
Not CVE counts and forty-slide decks.
I prepare narratives that drive decisions, not anxiety.

I move fast, then make it stick. Quick wins first to earn credibility. Then the governance, the controls, and the culture that keeps running after I’m out of the room.

When I leave an organization, the program keeps running.
That’s the standard I hold myself to.


What I Own

  • Ground-up security programs: frameworks, controls, culture.
  • Certifications that close enterprise deals: SOC 2, ISO 27001, CMMC.
  • Security that ships with the product, not after it.
  • AI governance that is enforceable, not aspirational.
  • Decision-ready risk narratives: exposure, likelihood, financial impact.
    Not dashboards, not noise.
  • Risk communication that gets boards to act, not just listen.

My Work

SOC 2 in 86 Days

Zero to certified. The enterprise pipeline followed.

Built Security from Zero

First security leader at a Series B technology company. Built the team, the frameworks, and the culture. Left behind SOC 2 Type II, ISO 27001, and a program that ran without me.

AI Governance from Day One

Enforceable policies, tool controls, MCP gateway, DLP across AI channels, vibe-coding guardrails in CI/CD. In production before the regulators asked.

See the full case studies →


Insights

Board-level briefings on risk, AI governance, and security program design.

More insights →


Contact

Liron Golan
CISO
New York Metro Area

For board conversations, executive roles, and introductions:

Email: liron@golantek.com
LinkedIn: linkedin.com/in/golantek