Risk never lives where you expect it – and more lessons from the streets

By Josh Fazio

When I hung up my badge after two decades as a police detective and SWAT team leader, I carried one conviction with me: the truly devastating failures aren’t one big, dramatic mistake. They’re slow-motion train wrecks born from blind spots. They come from the connections we missed, the assumptions we let slide, and the “small” risks that quietly grew until they compounded into a crisis.

Josh Fazio is SAFE’s Global VP of Solution Architects.

Before his cybersecurity career, Josh was a Detective in the Will County, IL, Sheriff’s Police High Tech Crimes Unit.

When I moved to the world of cybersecurity and third-party risk, that lesson didn’t just translate; it hit me right between the eyes.

The setting was different. The dynamic? Identical.

Both law enforcement and cyber risk are battles fought in the fog of uncertainty. When you realize how tightly systems, people, and other organizations are interwoven, you stop pointing fingers. You start collaborating, recognizing that your blind spots are shared. 

Here are seven lessons I’ve learned on my crossover journey: 

Lesson #1 You’re Only as Secure as the Weakest Link, and You Don’t Own It

Out on the street, it didn’t matter how sharp or well-trained I was if the partners I relied on had a bad system or a gap in their coverage. A sloppy handoff, a misunderstood dependency, or an external failure could instantly unravel all my hard-won internal work.

Cybersecurity echoes this principle. 

Companies pour millions into their internal security: identity management, endpoint protection, cloud config. That money matters. But increasingly, the crisis doesn’t start inside. It starts when a decision we made granting access to a vendor amplifies a failure that happened somewhere else entirely.

We’re bleeding risk through overly broad vendor access, old privileges that were never revoked, and integrations with external services that have no defined trust boundary and no clean way to be cut off when the other side fails.

You can have the strongest internal walls, but they mean nothing if you hand out the keys too freely. 

Lesson #2 Risk Never Lives Where You Expect It

Some of the heaviest cases I worked didn’t start with the obvious suspect. They crept out of overlooked relationships, the people, the connections that looked totally harmless on their own.

It’s the same sickening surprise in cyber risk.

Teams obsess over their top-tier vendors and high-profile systems. And while they’re looking there, the real exposure quietly builds in the margins: a low-tier vendor whose access snowballed over two years; a cloud dependency everyone shares across dozens of services; an internal service account that hasn’t been reviewed since the last person quit.

The problem isn’t the single vendor or the single system. It’s the silent, hidden, and constantly evolving relationship between them.

That is where the danger lurks.
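As an added illustration of the review Lessons 1 and 2 describe (this is example code, not from the article or from SAFE), the Python below scores an access inventory against exactly those conditions: privileges unused for months, scopes far broader than the job, access that has snowballed, and grants whose accountable owner has left. Principal names, thresholds and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Review thresholds: assumed policy values, not from the article.
STALE_AFTER_DAYS = 90          # a credential unused this long is stale
BROAD_SCOPES = {"admin", "*"}  # scopes that grant far more than one job needs
MAX_SCOPES = 5                 # more distinct scopes than this suggests creep


@dataclass
class Grant:
    principal: str             # vendor integration or internal service account
    kind: str                  # "vendor" or "service_account"
    scopes: List[str]
    granted_on: date
    last_used: Optional[date]  # None = never seen in the auth logs
    owner: str                 # the person accountable for the grant
    owner_active: bool         # False once that person has left


def review_grant(g: Grant, today: date) -> List[str]:
    """Return the reasons this grant needs attention (empty list = clean)."""
    reasons = []
    if g.last_used is None or (today - g.last_used).days > STALE_AFTER_DAYS:
        reasons.append("stale")        # old privilege that was never revoked
    if BROAD_SCOPES & set(g.scopes):
        reasons.append("over-broad")   # keys handed out too freely
    if len(g.scopes) > MAX_SCOPES:
        reasons.append("scope-creep")  # access that snowballed over time
    if not g.owner_active:
        reasons.append("orphaned")     # nobody has reviewed it since the owner quit
    return reasons


def review(grants: List[Grant], today: date) -> Dict[str, List[str]]:
    """Map each problematic principal to its reasons, most reasons first."""
    scored = {g.principal: review_grant(g, today) for g in grants}
    ranked = sorted(scored.items(), key=lambda kv: -len(kv[1]))
    return {principal: reasons for principal, reasons in ranked if reasons}


# Constructed sample inventory: hypothetical principals, not real vendors.
TODAY = date(2025, 12, 1)
SAMPLE_GRANTS = [
    Grant("acme-logistics-api", "vendor", ["orders:read"],
          date(2023, 6, 1), date(2025, 11, 20), "mlee", True),
    Grant("northwind-support", "vendor",
          ["tickets:read", "tickets:write", "customers:read",
           "customers:write", "billing:read", "admin"],
          date(2023, 9, 15), date(2025, 11, 28), "rpatel", True),
    Grant("svc-legacy-etl", "service_account", ["db:read", "db:write"],
          date(2021, 3, 1), date(2025, 6, 10), "jdoe", False),
    Grant("globex-backup", "vendor", ["storage:read"],
          date(2024, 2, 1), None, "mlee", True),
]

if __name__ == "__main__":
    for principal, reasons in review(SAMPLE_GRANTS, TODAY).items():
        print(f"{principal}: {', '.join(reasons)}")
```

The point of the ranking is that the low-tier vendor and the forgotten service account surface ahead of the well-behaved top-tier integration; the inputs a real run would need (last-use dates from auth logs, owner status from HR or the directory) are the same fields the sample hard-codes.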

Lesson #3 Patterns Are the Map, Findings Are Just Noise

In police work, a single incident is noise. Patterns are the signal. They tell you where the criminal activity is headed and who will be hurt next.

Cyber risk is no different. A pattern, the same vulnerability recurring or the same control gap shared across multiple vendors, is what reveals a systemic issue before it explodes. Single findings rarely do.

One vulnerable system? Manageable. A repeating pattern of bad access exceptions across five different teams? That’s a crisis waiting to happen.

This is the collision zone of internal and third-party risk. Your internal architecture dictates how far a vendor failure can travel. Your vendor concentration determines how many systems go down when one thing snaps.

You don’t manage risk by mindlessly closing tickets. You manage it by recognizing the pattern early enough to act with urgency.
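To make the ticket-versus-pattern contrast concrete, here is an added example (not code from the article or from SAFE) that takes a constructed list of findings, each owned by a team or a vendor, and compares the two views: the ticket queue sorted by severity, and the grouping by failed control that shows how widely each gap has spread. Finding IDs, team and vendor names are hypothetical.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample findings. "owner" is the team or vendor the finding
# belongs to; "control" names the control that failed. Hypothetical names.
FINDINGS = [
    {"id": "F-01", "owner": "team:payments",  "control": "access-exception",    "severity": "low"},
    {"id": "F-02", "owner": "team:logistics", "control": "access-exception",    "severity": "low"},
    {"id": "F-03", "owner": "team:support",   "control": "access-exception",    "severity": "low"},
    {"id": "F-04", "owner": "team:data",      "control": "access-exception",    "severity": "low"},
    {"id": "F-05", "owner": "team:platform",  "control": "access-exception",    "severity": "low"},
    {"id": "F-06", "owner": "team:payments",  "control": "access-exception",    "severity": "low"},
    {"id": "F-07", "owner": "vendor:acme",    "control": "no-mfa-on-admin",     "severity": "medium"},
    {"id": "F-08", "owner": "vendor:globex",  "control": "no-mfa-on-admin",     "severity": "medium"},
    {"id": "F-09", "owner": "vendor:initech", "control": "no-mfa-on-admin",     "severity": "medium"},
    {"id": "F-10", "owner": "team:platform",  "control": "rce-in-build-agent",  "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def ticket_queue(findings: List[Dict]) -> List[str]:
    """The usual view: finding IDs ordered by severity, worst first.
    Six low-severity access exceptions sink to the bottom of this list."""
    return [f["id"] for f in sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])]


def systemic_patterns(findings: List[Dict], min_spread: int = 3) -> List[Dict]:
    """The investigator's view: group by failed control and keep the ones
    that recur across at least `min_spread` distinct owners (teams or vendors).
    `min_spread` is an assumed threshold, not a value from the article."""
    by_control = defaultdict(lambda: {"count": 0, "owners": set()})
    for f in findings:
        bucket = by_control[f["control"]]
        bucket["count"] += 1
        bucket["owners"].add(f["owner"])

    patterns = []
    for control, bucket in by_control.items():
        spread = len(bucket["owners"])
        if spread >= min_spread:
            patterns.append({
                "control": control,
                "findings": bucket["count"],
                "spread": spread,
                "vendors": sum(o.startswith("vendor:") for o in bucket["owners"]),
            })
    # Widest spread first, then the most findings.
    return sorted(patterns, key=lambda p: (-p["spread"], -p["findings"]))


if __name__ == "__main__":
    print("ticket queue:", ticket_queue(FINDINGS))
    for p in systemic_patterns(FINDINGS):
        print(f"{p['control']}: {p['findings']} findings across {p['spread']} owners "
              f"({p['vendors']} vendors)")
```

The critical RCE still sits at the head of the ticket queue and still deserves its fix; the grouping does not replace severity, it adds the second axis the text calls the signal, so the five-team access-exception pattern is visible as one systemic problem rather than six low-priority tickets.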

Lesson #4 Speed Requires Clarity, Not Panic

Detective work demands restraint. Act too fast, and you make a mistake you can’t take back. Wait too long, and someone gets hurt.

Cyber programs are torn by this same painful tension. Teams either drown in activity—more alerts, more reports, more assessments—or they hesitate, waiting for a perfect dataset that will never arrive.

The most effective programs have a deep sense of balance. They automate the noise, cut the low-value work, and reserve human judgment for what truly matters. Strong internal controls shrink the blast radius. Clear third-party visibility eliminates the element of surprise.

Speed doesn’t come from volume. It comes from clarity. 

Lesson #5 Documentation Is Not Busywork; It’s Your Shield!

In policing, documentation is not optional paperwork. It’s the armor that allows your decisions to stand up in court under intense scrutiny.

Cyber risk management is the same act of building defensibility.

When an incident hits, the question isn’t if you had a policy. It’s: What did you know? Why did you make that choice? What evidence was right in front of you? And how did you pivot when conditions changed?

The strongest teams don’t frantically try to piece decisions together after the fact. They capture the intent, the evidence, and the outcome as they operate, connecting the dots across internal systems and external dependencies.

That isn’t compliance theater. That is operational memory. 

Lesson #6 Prevention Means Reducing the Pain, Not Achieving the Impossible

No seasoned detective believes every crime can be prevented. The true goal is simple: intervene earlier, disrupt the escalation, and limit the harm.

Cyber risk works on this principle.

You can’t eliminate your dependence on third parties. You can’t avoid shared infrastructure. But you can limit the access they have, monitor for subtle shifts in their posture, map how a failure will spread, and react before the damage becomes crippling.

This is why platforms like SAFE resonate with people who think like investigators. The value isn’t in a checklist. It’s in the deep, undeniable link between your internal health and your external exposure, all brought together in one defensible view. 
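Lesson 3 says your internal architecture dictates how far a vendor failure can travel and your vendor concentration decides how many systems go down at once; Lesson 6 says to map how a failure will spread. The added example below (not code from the article or from SAFE) models both on a small constructed dependency graph with hypothetical system and vendor names: each edge is either hard (the dependent fails with its dependency) or soft (a queue, cache or fallback keeps the dependent up), and the blast radius of a vendor is everything reachable from it over hard edges. Softening one edge shows an architecture change shrinking the radius.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# An edge (dependent, dependency, hard) means `dependent` uses `dependency`.
#   hard=True : the dependent fails outright when the dependency fails.
#   hard=False: the dependent degrades but stays up, so the failure stops there.
# Constructed example graph with hypothetical names.
Edge = Tuple[str, str, bool]

EDGES: List[Edge] = [
    ("checkout",      "payments-gateway",   True),
    ("checkout",      "cloud-object-store", True),
    ("order-history", "checkout",           True),
    ("notifications", "checkout",           False),  # async queue in between
    ("reporting",     "cloud-object-store", True),
    ("analytics",     "reporting",          True),
    ("crm-sync",      "northwind-support",  True),
]
VENDORS = {"payments-gateway", "cloud-object-store", "northwind-support"}


def blast_radius(edges: List[Edge], failed: str) -> Set[str]:
    """Every system that goes down if `failed` goes down: breadth-first
    reverse reachability that only follows hard edges."""
    dependents = defaultdict(list)
    for dependent, dependency, hard in edges:
        dependents[dependency].append((dependent, hard))

    down: Set[str] = set()
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for dependent, hard in dependents.get(node, []):
            if hard and dependent not in down:
                down.add(dependent)
                queue.append(dependent)
    return down


def vendor_concentration(edges: List[Edge], vendors: Set[str]) -> Dict[str, int]:
    """How many systems snap when each vendor snaps, largest first."""
    sizes = {v: len(blast_radius(edges, v)) for v in vendors}
    return dict(sorted(sizes.items(), key=lambda kv: -kv[1]))


def soften(edges: List[Edge], dependent: str, dependency: str) -> List[Edge]:
    """Return a copy of the graph with an isolation boundary (queue, cache,
    circuit breaker) on one edge, so failure no longer propagates across it."""
    return [(d, dep, False if (d, dep) == (dependent, dependency) else hard)
            for d, dep, hard in edges]


if __name__ == "__main__":
    print("concentration:", vendor_concentration(EDGES, VENDORS))
    print("object store outage takes down:",
          sorted(blast_radius(EDGES, "cloud-object-store")))
    hardened = soften(EDGES, "checkout", "cloud-object-store")
    print("after isolating checkout from it:",
          sorted(blast_radius(hardened, "cloud-object-store")))
```

The shared cloud dependency, not the headline payments vendor, has the widest radius, which is the Lesson 2 surprise in graph form. The same reverse walk works on a real inventory if you can get the edge list (service catalogue, network flows, IAM trust relationships); classifying edges as hard or soft is the judgment call the tooling cannot make for you.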

Lesson #7 The Investigator’s Mindset Is the Only Way!

After twenty years in the trenches, the single principle that still screams at me is this:

Risk that is ignored does not disappear. It multiplies.

Modern cyber risk demands the same unflinching discipline as any serious police investigation: situational awareness, relentless pattern recognition, conviction and judgment under pressure, and continuous reassessment as the facts change. That is the investigator’s mantra.

Organizations that focus only on internal security will always be blindsided by external failures. Those who assess vendors without tightening their own internal access will always be dangerously exposed.

The strongest programs do both. They are the only ones who survive.

Whether you’re investigating a crime or managing digital risk, the core question is always the same:

Did you see the full picture early enough to act, or only after the damage was done?




Police Detective vs. Cyber Risk Analyst: Same Job, Different Beats

POLICE DETECTIVE | CYBER RISK ANALYST
Investigates crimes with incomplete information | Assesses cyber threats with incomplete data
Looks for patterns across incidents, not isolated events | Identifies systemic risk across alerts, findings, and vendors
Tracks relationships between people, locations, and events | Maps dependencies between systems, vendors, and access paths
Knows the obvious suspect is often not the real cause | Understands risk often hides in low-tier vendors or shared services
Balances speed with restraint to avoid irreversible mistakes | Balances rapid response with thoughtful risk prioritization
Documents decisions to withstand legal scrutiny | Documents risk decisions for audit, regulatory, and board review
Accepts crime can’t be eliminated—focuses on limiting harm | Accepts breaches happen—focuses on reducing blast radius
