About — Positioning

I build systems for organizations that can't afford to be wrong.

That's not a slogan. It's a description of the work. The organizations I've served — defense contractors navigating federal compliance mandates, enterprise technology companies managing nine-figure partner ecosystems, cybersecurity firms building AI-native governance infrastructure — share one characteristic: the cost of a wrong decision isn't a missed quarter. It's a structural failure that takes years to recover from, if it's recoverable at all.

My operating principle: Trust, but verify. And if you can't verify, learn enough so that you can. I've applied it to revenue architecture, AI governance, compliance systems, partner strategy, and the tools and systems I build to run my own work. The principle doesn't change by domain. The methodology it demands does.

What I Do

An enterprise systems thinker.

I operate at the intersection of strategy, technology, and execution — building solutions that work not just architecturally but organizationally, under real constraints, with competing stakeholder priorities and incomplete information.

My work follows three phases. They're inseparable.

Phase one: Find the unregistered risk. Name it. Begin managing it to resolution.

Most organizations discover structural risk when it becomes a structural failure. I find it before it does — and I stay until it's managed to resolution.

In one engagement, standard financial reporting showed no red flags. Revenue was tracking. But the architecture of how that revenue was being generated contained a design flaw with exposure in the tens of millions — invisible in the numbers, visible in the system. Finding it was the beginning of the work, not the deliverable. What followed was a structured response across finance, partnerships, and executive leadership: mapping the exposure, sequencing the decisions, rebuilding the model architecture before the market conditions that would have triggered the failure arrived. The risk was managed to resolution before it became a crisis. That's the difference between risk enumeration and incident response. Most consultants specialize in the second.

[→ which requires:]

Phase two: Organize the people who each hold part of the answer.

The hardest part of managing unregistered risk to resolution is rarely the analysis. It's the organizational work — getting the right people aligned around a problem they each see differently, with different stakes and different constraints.

Enterprise transformation fails most often not because the technology was wrong, but because the organizational environment couldn't hold it. The CEO sees revenue risk. The technical team sees execution risk. The client sees delivery risk. None of them are wrong. None of them can see what the others see. I've led initiatives where the conditions were hostile — CEO mandate, resistant technical teams, absent management layer — and the path forward required designing an execution sequence that advanced every stakeholder's legitimate constraints simultaneously toward something none of them could reach independently. That organizational work is where I do the clearest thinking.

[→ and produces:]

Phase three: Reduce risk to tolerable bands. Manage it to resolution.

Risk that has been named, bounded, and assigned a mitigation path is manageable. Risk that hasn't been registered is indistinguishable from manageable risk until it isn't. I build the governance infrastructure that makes that difference visible — for partner ecosystems, compliance campaigns, and the AI systems I design and run myself.

In 2026, as AI moves from pilot projects to production infrastructure across every enterprise, the governance gap — the space between what organizations are deploying and what they can actually verify — is where the most consequential unregistered risk lives. The organizations that will operate with confidence are the ones that built the infrastructure to see their own risk clearly before they needed it. That sequencing is consistent across everything I've built.

Governance before code·Enumeration before execution·Resolution before impact

The Arc

Career Arc

My career started in the U.S. Navy — and the work I did there set the terms for everything that followed.

I served as Information Security Officer for Navy and Marine Corps maintenance commands across the Southwest region, based in San Diego. The timing was not incidental. My tenure ran through the rollout of the Navy Marine Corps Intranet — a $6.9 billion contract that was, at the time, the largest IT infrastructure outsourcing initiative in DoD history, consolidating thousands of disparate legacy networks into a single enterprise system across the entire Department of the Navy. Managing information security governance across all maintenance commands in that region, during that transition, meant operating at the intersection of unprecedented infrastructure change and zero tolerance for security failure.

Then September 11, 2001 happened. Every security posture, every access protocol, every assumption about threat landscape changed overnight. The work continued, under those conditions, without pause.

I carried that function forward as a civilian, serving as Information Security Officer for the 3rd Marine Air Wing. The uniform came off. The responsibility didn't.

My rank during that period was junior. The scope of what I was accountable for was not. That gap — between title and actual consequence — is something I've navigated in every role since. It's also where I learned that risk governance isn't a function of seniority. It's a function of clarity, discipline, and the willingness to stay until the problem is managed to resolution.

From there: network analyst, security engineer, solutions architect — each role adding technical depth to a foundation built under operational consequence. I progressed through that depth before moving into leadership, which means I don't manage engineers by translating between them and a business. I speak both languages natively.

At Alert Logic, I served as VP Global Sales Engineering — inheriting and leading a global SE organization across three geographies, US-West, North America, and Global, over a four-year tenure. Running an established organization at that scale, through multiple market cycles and competing internal priorities, is a different discipline than building one from scratch. It demands operational fluency, not just vision.

Brief assignments at Anitian and Palo Alto Networks gave me exposure to the enterprise security product market from both the vendor and advisory sides. Then at Coalfire, I built the solutions architecture and partnership practice from the ground up — constructing the AWS and Microsoft alliance portfolio, the partner governance frameworks, and the enterprise systems architecture function that now serves clients across federal, defense, and commercial sectors. Coalfire is where I built. Alert Logic is where I led. Both matter. They're different credentials.

Selected Work

Risk, managed to resolution.

Revenue Architecture Risk — Managed to Resolution Before Impact

Identified a structural failure in a business model not visible in standard financial reporting. The risk was embedded in how revenue was being generated — a design flaw, not a performance problem — with exposure in the tens of millions. Worked across finance, partnerships, and executive leadership to rebuild the model architecture before the market conditions that would have triggered it arrived. The risk was managed to resolution before it became a miss. Enumeration before execution.

CMMC Compliance Campaign — Governance Before Outreach

Designed the governance infrastructure for a 60-day compliance campaign targeting defense contractors during a displacement window created by a major MSP's dissolution. Resolved the foundational legal distinction — lapse situation versus never-compliant situation — before a single outreach reached field sellers, because that distinction changes the entire notification strategy and the downstream liability profile. Getting it wrong doesn't cost the campaign. It creates False Claims Act exposure. Governance before code. Every time.

AI Governance System — Fabrication Risk Managed to Resolution

Built and documented a production AI governance architecture — behavioral contract, decision register, source attribution hierarchy, canon register, pre-flight verification protocol — after a fabrication event demonstrated the failure mode that emerges when AI systems operate in undefined states. The system was designed to manage that class of risk to resolution before it could recur in production. It has governed 47+ sessions of live AI-assisted development with zero subsequent fabrication events. The thesis applied to my own systems.

AWS Partnership Economics — Verified, Not Assumed

When three simultaneous structural changes to AWS partner economics broke the prior investment model for services firms, I built a four-question ROI scorecard that graded each APN program element atomically — Pass, Conditional, or Fail — against a 10:1 return threshold. The result was a defensible hold/reduce/exit recommendation with explicit reversibility analysis, produced before the partnership investment decisions were made. Trust the partnership. Verify the economics.

Credentials

Where the work is grounded.

Current Role

VP of Solutions Architecture · Coalfire · AWS & Microsoft Alliance Portfolio

Education

Western Governors University · B.S. Information Technology

U.S. Navy · Information Security Officer · Navy and Marine Corps Maintenance Commands, Southwest Region

Certifications

AWS Certified Solutions Architect — Associate (SAA-C03) · renewal in progress via certifiably.ai

AWS 5x certified · targeted EOY 2026

Note: The SAA-C03 renewal is being approached the same way I approach every system: by building the infrastructure that makes the learning real. certifiably.ai is the cert prep application I built to study by doing — every AWS service in the curriculum learned by building with it, not reading about it. The 5x goal by end of year is a public commitment. It's on this page because accountability belongs where it can be verified.

Availability & Contact

What I'm available for.

VP / SVP Enterprise Architecture or AI Governance roles — full-time, at organizations where the work is consequential and the team understands what that means.
Fractional advisory — enterprise systems architecture, AI governance infrastructure, partner strategy, and risk enumeration for organizations that need senior judgment without a full-time seat.
Speaking and expert commentary — AI governance, cybersecurity risk, enterprise compliance architecture, the "Trust, but verify" methodology applied to AI systems in production.

Direct

[email protected]

https://www.linkedin.com/in/cjohnsoninfosec/

GitHub

github.com/ckj9779

Enterprise hiring managers and procurement leads: I don't use contact forms. Email is the right path. Every substantive inquiry gets a response within 24 hours.