The Practitioner

Both sides of the coin.
Simultaneously.

Most practitioners in this space came up one side — protection or growth. Twenty years operating both at the same time is not a pivot. It is the discipline.

Thomas Jones
Founder · Materialiti Risk Advisory
The Hipster CISO

Security is a business enabler. Risk should be quantified in financial language, not fear.

Twenty years of executive leadership spanning cybersecurity, data governance, and AI strategy — not as three separate careers but as one discipline viewed from different altitudes. The person who spent two decades protecting enterprise data is uniquely qualified to unlock its value. That convergence is not a positioning exercise. It is the accurate description of the work.

The CDAIO credential from Carnegie Mellon is not a rebranding exercise. It is the institutional recognition of what the work has always been: Chief Data, AI, and Information Officer responsibilities operating simultaneously, because in practice they cannot be separated without losing something essential in each.

Materialiti was built on a single structural premise: that a practitioner who has no vendor relationships, no platform affiliations, and no consulting parent with conflicting engagements will reach different conclusions than one who does. That independence is the product. Everything else follows from it.

The practice operates at governance altitude — PE diligence, board advisory, C-suite translation. Not because that is where the fees are highest, though they are, but because that is where the decisions with real consequence get made and where honest, unconflicted analysis is most scarce.

Credential & Experience

The evidence behind the claim.

Credential
Carnegie Mellon CDAIO Program
Chief Data, AI, and Information Officer. The credential that describes the actual work, not a rebranding of an existing one.
Experience
20+ Years Executive Leadership
Both sides of the enterprise value equation — protection and growth — in the same career, simultaneously, not sequentially.
Practice
AI Integrity Agency
Active practice in AI training data integrity and model poisoning defense. The convergence is not theoretical. It is operational.
Domains
Security · Data · AI
Cybersecurity leadership, data governance, AI strategy, and AI governance — not adjacent claims but a single integrated discipline.
Independence
No Vendor Relationships
No platform affiliations. No consulting retainer conflicts. The analysis reaches the conclusions it reaches regardless of who is in the room.
Voice
The Hipster CISO
Publisher of Uncomfortable Intelligence — practitioner analysis for PE operating partners, board members, and C-suite executives navigating security, data, and AI convergence.

Belief System

What governs everything produced here.

On Risk
Risk should be quantified in financial language, not fear. FUD is intellectually lazy and professionally harmful. Compliance is the starting point, never the standard to aspire to.
On AI
Most AI strategies are vendor strategies wearing a disguise. AI governance without security architecture is theater. AI strategy without data strategy is building on sand.
On Independence
Any commercial relationship is disclosed immediately and unambiguously. Independence is the primary asset of this practice. It cannot be partially maintained.
On Certainty
Performative certainty is the most dangerous lie in the field. Everyone pretends to understand more than they do. The practice names this in any room, at any level, regardless of the cost.
On Quality
Every piece of work produced passes one test before any other: is it honest and is it mine? If the answer to either is no, it does not ship.

Published Work

The credential is in the published analysis.

Standard · Part 1
Cybersecurity Evidence and Measurement Standard (CEMS)
A structured framework for defining, validating, and governing cybersecurity indicators across all layers of an organization. Built on ISO 22400 principles. Designed for board members, auditors, and executive teams.
Version 1.0 · January 2026 · CC BY 4.0

The right conversation starts with the right question.

No pitch. No deck. A single conversation to determine whether there is a genuine fit.