Cyber Security Leadership

Security Strategy Starts With Deciding What You Won't Do

Interview with

Brad Gorka

February 13, 2026

Brad Gorka, CISO at Veritiv, describes how nearly 30 years in information security have reinforced one principle: assess the people first, then build the program. Running lean teams across organizations of every size, he explains why the essence of security strategy is deciding what you won't do, and why the CISOs who set honest scope build teams that actually deliver.

People First, Then the Mission

Brad Gorka has spent over a decade in information security leadership, following roughly ten years in IT roles that blended infrastructure and security work. He has moved between organizations that range from a few hundred employees to more than 300,000. He is now seven months into his CISO role at Veritiv, a leader in specialty packaging distribution, facility solutions and print products and solutions, with over 7,000 employees. Before Veritiv, he spent seven years at CommScope, where he served as CISO and built the information security function and team from the ground up.

His approach to every new role starts the same way: assess the people before touching anything else.

"I tend to address what's going on with the people first," Brad said. "Understand what the bench strength is, what the capabilities are, how long folks have been around, what each person's true capabilities are."

Tearing Down Silos Early

Brad looks for employees who have been boxed into narrow roles despite having broader skills. He has run lean security teams throughout his career, and lean teams require people who can move to wherever the work is.

"I pretty rapidly tear down silos," he said. "When you're running lean, you need a bunch of people that can float around wherever the need is at."

He estimates that eight out of ten people welcome the change. Most security and IT professionals prefer working across problems rather than staying locked into a single function.

Deciding What to Leave Undone

Running lean also forces a different kind of discipline. Brad has been citing a Michael Porter line to his team lately: the essence of strategy is deciding what not to do.

In security, the queue of work never fully empties. More items come in than get checked off. Pretending otherwise damages the team. Unrealistic objectives erode a team's sense of accomplishment. Honest scope gives them something they can actually deliver against.

"It helps settle the team's nerves a little bit," he said. "Have some realistic objectives that are achievable versus we're going to do it all. Because you're really not."

Credibility Across the Organization

Brad reports to a CIO he has worked with before. That relationship was one of the reasons he took the role. He is clear that the reporting line matters less than the person above you.

"It's the person more so than the title," he said. "There's some leaders that prefer to take a lot of the credit for themselves, and then there's others that let their people shine and get them plugged into the right conversations."

His approach to building credibility depends on the audience. With technologists, he leans on his technical background and spends time understanding their projects and daily challenges. With executives and business leaders, he shifts to business language. He sees himself as a member of the CIO's leadership team, there to help the entire IT function serve the business.

"You've just got to be able and willing to adjust that delivery as the situation requires," he said.

The Force Multiplier

Brad's LinkedIn recommendations are almost entirely written for people he managed directly. He has brought people into security from network teams, platform administration, account management, and twice from executive assistant roles.

"I see myself as a force multiplier," he said. "My success is really because of their success. And so if I can do that for them, I'm going to get it back tenfold."

He gives them the credit, the awards, the visibility. The return, in his experience, has always exceeded the investment.

Defending at AI Speed

Brad's primary concern with AI is the compression of attack timelines. The reconnaissance, vulnerability scanning, exploitation, lateral movement, and payload delivery that once took human adversaries days can now be chained together in minutes through agentic AI capabilities.

His worry is straightforward: defenders need AI-powered tooling that can respond at the same speed. He is uncertain which side is winning that arms race.

"I feel like we might be at parity at the moment," he said. "But that part kind of scares me, just trying to get there before they do."

B R I D G E T H E G A P

Turn Insight Into Executive Impact

Book a Call