Filter By:
Nick Selby for Fast Company: Tech debt isn’t an ‘IT issue.’ It’s a business strategy
This article by EPSD’s Managing Partner, Nick Selby, appeared in Fast Company’s “Ask the Experts” section on 21 August 2025. Read the excerpt below, and please click through for the full text.
Read more
Velocity’s Edge Podcast S1E2 - Huw Rogers on Tech Debt
If you’re leading a profitable, cash-flow-positive business, you’ve probably watched technical debt pile up: those accumulated consequences of choosing quick fixes over well-designed, long-term solutions. If you’re not carefully managing it, it can become overwhelming.
Read more
Velocity's Edge Podcast S1E1 - Sarah Wells on Strategy
What makes an effective product engineering strategy? In the debut episode of the Velocity’s Edge podcast, host Nicko Goncharoff speaks with Sarah Wells about the importance of strategy to engineering effectiveness.
Read more
Announcing Velocity's Edge: Where Speed Meets Strategy
We’re thrilled to announce the launch of Velocity’s Edge, EPSD’s new podcast premiering this Wednesday. Velocity’s Edge brings you to the pivotal point where speed meets strategy—that critical spot where the wrong decision can capsize your organization, while the right one propels you forward. Each 20-minute episode delivers insights from battle-tested experts who’ve guided C-suites and boards through moments when they’ve needed to navigate crises with speed and authority.
Read more
EPSD Announces Appointment of Nicko Goncharoff as Chief Operating Officer
Technology veteran brings 30+ years of experience building and scaling data-driven businesses across global markets EPSD, the authority on technical consulting that drives business transformation, is pleased to announce the appointment of Nicko Goncharoff as Chief Operating Officer. Nicko brings more than three decades of experience building, scaling, and leading technology and data-driven businesses, including co-founding three successful startups and serving in senior executive roles at global analytics firms.
Read more
Selecting a F-CISO, Part III: Making the Decision and Setting Up for Success
This is Part 3 of our series on selecting fractional CISOs. Part 1 and Part 2 covered evaluating experience, program-building skills, cultural change capabilities, and threat response experience. Now we’ll focus on avoiding common pitfalls, making the final decision, and ensuring your F-CISO succeeds.
Read more
Selecting a F-CISO, Part II: Assessing Cultural Change and Threat Response Capabilities
This is Part 2 of our 3-part series on selecting fractional CISOs. In Part 1, we covered evaluating experience and program-building skills. Today, we focus on the harder-to-assess but equally critical capabilities: driving cultural transformation and managing real-world security threats.
Read more
Selecting a F-CISO, Part 1: Evaluating Experience and Program-Building Skills
This is Part 1 of our 3-part series on selecting and managing fractional CISOs. Our previous post explored the strategic rationale for deploying a fractional CISO before hiring your first permanent Chief Information Security Officer. Part 2 covers evaluating experience, program-building skills, cultural change capabilities, and threat response experience.This series provides a comprehensive guide to finding the right change agent for your organization’s security transformation.
Read more
Strategic Deployment of a Fractional CISO
Before hiring their first Chief Information Security Officer (CISO), CEOs and boards should consider a fractional CISO (F-CISO) to build foundational security programs that set the permanent CISO up for success. This strategy addresses a critical disconnect: executives often view security breaches and compliance failures as technical problems, but these business-threatening issues typically stem from cultural and process deficiencies requiring organizational transformation, not just technical expertise.
Read more
How Strategic Tech Investments Cut Our Insurance Costs by a Third
In early 2025, as EPSD spun out into independent operations, we made some bold strategic technology decisions. We made initial up-front IT investments of less than 10% over “good enough” choices, and that increase delivered us a 31% insurance savings. Spending just a bit more on IT significantly raised the complexity and the cost attackers must bear to breach us, and resulted in measurable operational gains and user happiness.
Read more
The Currency of an Engineering Team Is Respect
The currency of an engineering team is respect, and this has nothing to do with position in the organizational hierarchy: instead, it’s about whether the person speaking knows what they are talking about. Do they make our work easier? Are the things they are asking us to do logical and consistent?
Read more
Succession Planning: A Surprisingly Common Business Risk
Fast-growing companies, particularly those in technology and high-stakes industries, often prioritize immediate operational needs over long-term planning. One critical area that frequently gets overlooked is succession planning—a business continuity essential that can create serious vulnerabilities if not properly addressed.
Read more
A CEO's Transparent Incident Response Communication
On May 11, Coinbase suffered a social engineering attack targeting their outsourced customer support department. Their SEC Material Cybersecurity Incident disclosure on May 15 revealed attackers obtained enough personal information to launch sucessful fake customer service attacks against Coinbase customers.
Read more
Security Incidents Aren’t “IT Problems”
Security incidents impact every part of an organization, not just IT. Companies that respond effectively are the ones that anticipate risks, plan ahead, and coordinate across departments—not just those that rely on technical teams to “fix the problem.”
Read more
The True Cost of Cybersecurity Incidents
Regardless of how it happens, when your customers can’t access your service, you can’t take payments, or you can’t pay suppliers, your business stops. Full stop.
Read more
The VW Group Data Breach is a Business Problem, not an IT Failure.
In December 2024, the Chaos Computer Club revealed that VW Group’s software unit Cariad exposed 9.5TB of sensitive data affecting 800,000 VW, Seat, Audi, and Skoda owners. The breach included personal information and location histories that, despite Cariad’s claims otherwise, were easily tied by researchers to individual customers.
Read more
Is Your Incident Readiness Plan Ready?
If your business relies on technology, security incidents are inevitable. That’s why a comprehensive, up-to-date incident readiness plan is essential. But incident response readiness isn’t something you can buy—it’s something you need to build, refine, and integrate into your organization’s culture.
Read more
Five Security Incident Readiness Steps to Take Now.
Security incidents are inevitable if your organization relies on technology, people, and data. The key to minimizing their impact is having an up-to-date, well-practiced incident response plan. Here are five essential steps to ensure your organization is prepared when—not if—a security incident occurs.
Read more
Measuring What Matters: Track Incident Response Performance and Prove ROI
Many organizations invest heavily in incident response (IR) capabilities, yet struggle to measure their effectiveness and return on investment (ROI). Without clear performance metrics, leadership lacks visibility into whether incident handling processes are improving over time or if teams are just repeating the same mistakes.
Read more
From Firefighting to Framework: Turning Incident Handling into a Strategic Advantage
If your business relies on technology, security incidents are inevitable. And all businesses rely on technology. That’s why a comprehensive, up-to-date incident readiness plan is essential. But incident response readiness isn’t something you can buy—it’s something you need to build, refine, and integrate into your organization’s culture.
Read more
Incident Preparedness: Less Expensive Than Incident Response
Security incidents are inevitable, but proactive preparation can significantly reduce their impact. The worst incidents— the ones that cause financial losses, brand damage, regulatory scrutiny, and prolonged recovery times— occur when organizations haven’t built and tested a comprehensive incident response plan. Investing in incident readiness before a crisis arises isn’t just a best practice— it’s a financial imperative.
Read more
Tech Debt in Scale-Ups
When tech companies hit hypergrowth, they face the challenge of evolving their software systems from minimally viable products (MVPs) to enterprise-grade platforms. These transformations extend beyond software development to affect entire organizations.
Read more
What Is Risk Assessment, and Why Does It Matter?
Risk assessment is a critical tool for identifying vulnerabilities before they escalate into business disruptions, security incidents, or operational failures. At EPSD, we help organizations understand their cyber and operational risk landscape, equipping leadership with the insights needed to make informed security investments and improve overall resilience.
Read more
Not Semantics: Why It Matters That the CrowdStrike Outage Was a Security Incident
When a faulty update to CrowdStrike’s Falcon endpoint detection and response product rendered Windows systems worldwide inoperable, it created a headline-grabbing IT outage. Airlines, hospitals, emergency services, and businesses were all affected—unable to access critical systems without complex, manual recovery efforts.
Read more