Why Security Should Drive Outcomes — Not Fear

Our founder Michael Kennedy joined the IT in the D podcast alongside Mel Kolinski, director of sales and partnerships, for a conversation on what cybersecurity should look like for real-world organizations, especially small and mid-market teams that do not have a full security department on staff.
The big theme: security works best when it is transparent, practical, and tied to business outcomes — not fear, uncertainty, and doubt.
Building Ostra: The Moment That Sparked It
After years of enterprise work, Michael began seeing a consistent gap: smaller and mid-sized organizations knew security mattered, but did not have the time, staffing, or ability to run a full security operation.
That gap became unmistakable when he heard a story that still sticks with him: a business that experienced ransomware was told by their MSP that there was “nothing you can do. It is going to happen, just plan to pay it.”
Michael’s take is direct: Nothing is 100%, but that mindset is wrong. Organizations can reduce the likelihood of ransomware and improve resiliency without turning cybersecurity into an endless tool-buying exercise.
Selling Security Without FUD
One of the most important points in the episode: Ostra does not sell fear. Michael calls himself “anti-FUD,” and the team emphasized a simple reality: if an organization is not interested in improving security, you cannot scare them into it with breach headlines.
Instead, we start with a trusted-advisor conversation:
- What is the business trying to do?
- Where is it growing?
- What risks could derail those goals?
- How should security support that journey?
From there, the focus becomes guidance and partnership, not “here’s our tool, sign by Friday.”
Clarity in a Noisy, Overcrowded Market
Michael and Mel also talked about how confusing the cybersecurity space has become, with jargon, acronyms, “next-gen everything,” and vendors that feel like black boxes.
Mel shared how she often translates security concepts into real-world examples (like locking the front door but leaving windows open), while keeping the message honest: customers deserve to understand what they’re buying and why it matters.
That transparency is not just a talking point. It is the operating philosophy behind how we work with clients and partners:
- Clear explanation of what is happening
- Visibility into actions taken
- A focus on remediation and long-term improvement
- Measurable progress toward better outcomes
AI, Zero Trust, and the “Shiny Object” Cycle
The episode also dug into how quickly security trends shift from “zero trust everything” to “AI everything.”
Michael’s view: AI can absolutely help security teams move faster (correlating events, speeding investigations, reducing false positives), but a human still needs to be in the loop. He’s also increasingly focused on the security side of AI adoption: what data employees are feeding into AI tools, what agents have access to, and how organizations set guardrails without slowing innovation to a halt.
Why “Truth in Cyber” Exists
The conversation closed with a look at Truth in Cyber, a nonprofit started by Michael to push for greater honesty and transparency across the cybersecurity industry.
It began as a pledge — a commitment to clearer communication and accountable services — and has grown into a broader educational effort: podcasts, roundtables, and community conversations designed to make cybersecurity less opaque and more practical.
Because when the industry is confusing, customers lose and the wrong people win.
Listen to the Full Episode
Want the full conversation (including Detroit food recommendations, vendor acronym chaos, and a few very honest takes on cybersecurity marketing)? Listen to the full episode of IT in the D featuring Michael Kennedy and Mel Kolinski.

