Every executive eventually has a serious conversation about regulatory compliance. It begins in one of two places. You either reach a scale that forces you to consider the real risks of a security threat, or you see a compelling business opportunity that requires compliance.
Usually, it’s some mix of both.
For more than two decades, I’ve been on every side of this technology conversation. I’ve been the CEO and investor weighing the costs and benefits of IT and security for my own organizations. I’ve advised companies as a neutral third-party consultant, helping organizations navigate hard compliance decisions.
And of course, as an investor and CEO of several security and IT services companies (most recently: RedZone), I’ve provided IT services to countless mid-market through enterprise organizations.
These are the four questions every regulated CEO should ask when talking about compliance.
1. What signals are we not seeing that we should be seeing?
No news is good news, right?
Not remotely. The most dangerous risk is the invisible one you don’t know to check. The average cybersecurity breach goes undetected for 181 days. What you don’t see can harm your business.
CEOs must distinguish between passive versus active cybersecurity monitoring.
- Passive monitoring means setting up alerts and hoping they never go off.
- Active monitoring means asking yourself why those alerts aren’t firing.
The hard reality of security in 2026 is that AI has supercharged automated attacks. These tools probe your systems continuously for weaknesses, at a scale and speed no human operator matches. No signal should be a meta signal of a potential blindspot.
Active monitoring in the form of regular check-ins means staying ahead of the data. It means being constantly informed about your environment, no matter when the signals are all firing or silent. Passive monitoring, on the other hand, is evidence of a lack of maturity and investment in your security posture. Don’t fly blind.
2. Who owns our data, and how easy is it for us to walk away with it?
Imagine you want to switch banks. You ask the teller to issue a check for your remaining balance and to close your accounts. The teller blinks at you for a moment, then says they can’t do it. You’re free to move banks, but the money in your existing accounts will stay at this bank. If you want your money, you must keep banking with them.
You’d call the police. Yet this same thing happens to data every day. IT and security service firms hold your data hostage as a retention tool.
This became a massive topic for technology leaders in recent years. Now that most software lives in the cloud, software companies have resorted en masse to an anti-customer business model. They make it easy to onboard and upload data into their system, and nearly impossible to leave without sacrificing your vital company data.
They take your data hostage and call it retention.
What we’re talking about is data sovereignty: Who owns your data?
A true partner operates on a model of goodwill and retention-by-value. You should have total portability of your compliance evidence and logs. A reliable provider designs their platform so that you can simply click a button, get a package of all your data, and walk away whenever you want, ensuring your asset remains clean, portable, and ready for future scale.
3. When something breaks, who do I call?
When you invest in IT and security services, you should be buying a crystal-clear desired outcome to make your life easier. Any security provider can show you alerts on a dashboard. What you really want is a phone number you can call to promptly get the problem fixed.
If you are juggling a cloud vendor, a security vendor, and an on-site tech, you end up firefighting. During a tech or security incident, the last thing you want is for your vendors to play telephone hot-potato with you. The cloud vendor tells you that’s a security vendor issue, who tells you to talk to your engineers, who tells you to talk to the cloud provider, and so on.
Your business comes to a grinding halt. If you have 200 people on an office floor unable to work, you are generating zero revenue while incurring massive costs.
True accountability means partnering with a team that looks to actively remove operational blockers for your people. They take ownership of problems and help you solve them. Consolidating to one accountable partner eliminates vendor friction, giving you a unified team that operates on a single page and owns the whole problem until it is completely resolved.
Or put another way: You know who to call to fix the problem.
4. How can we turn security and compliance into a strategic advantage?
Security and compliance are prerequisites for going to market. Many customers won’t buy from you without a demonstrably mature security program with the appropriate third-party certified credentials. Many nations and states won’t let you sell your products or services without following their specific compliance.
This deters some entrepreneurs from even getting started. Others see this as an opportunity.
If you want to enter highly regulated verticals or win the business of respected brands, customers will demand to see clear, audited evidence of your compliance maturity.
We see this play out clearly in mid-market acquisitions. Take RedZone, for example.
When we acquired RedZone, I knew exactly what we were getting: a rock-solid, stable foundational platform with fantastic customer retention and a talented team. But as an organization operating in highly regulated verticals, we faced an immediate, non-negotiable hurdle. If we even dreamed of expanding our market reach, we needed to show airtight security controls to our enterprise customers.
We took the reins in September 2025 and immediately increased investment in our security standards. Sure, these checked a few compliance boxes. But we did this because in modern business, a robust security posture is the ultimate competitive advantage. It’s what allowed us to later merge Passpoint’s AI-native solutions into RedZone’s stable foundation as the next piece of the puzzle in creating a dominant, high-growth platform.
If you want to drive customer revenue, protect your assets, and sleep soundly at night, you have to stop managing by assumption. It starts by confronting your IT and security partners with four critical questions:
- What signals are we not seeing that we should be seeing?
- Who owns our data, and how easy is it for us to walk away with it?
- When something breaks, who do I call?
- How can we turn security and compliance into a strategic advantage?
A lot goes into IT and security decisions. These questions should help you cut through most of the complexity to find the few points that matter for your business.