antifragile/antifragile-consulting/core/executive-summary.md
tomas.kracmar 64f73371c9 feat: Add engagement model, consultant field guide, deliverable templates, CQRE tools integration, and Czech localization
New documents:
- core/engagement-model.md: Full client-facing engagement lifecycle (Sections 1-6) plus consultant delivery discipline (Section 7)
- core/consultant-field-guide.md: Decision models, client qualification, module selection, 10 common mistakes, technical onboarding, proposal writing
- core/about-cqre.md: Company overview template with [PLACEHOLDER] markers for client-facing use
- core/about-cqre-cs.md: Czech version of company overview (O společnosti CQRE)
- core/executive-summary-cs.md: Czech translation of the board executive summary
- assessment-templates/nist-csf-baseline.md: Full Brownhat Diagnostic workshop methodology (NIST CSF 2.0)
- assessment-templates/nist-csf-baseline-cs.md: Czech version of Brownhat Diagnostic (for Czech-language workshops)
- assessment-templates/module-completion-report.md: Module completion package template
- assessment-templates/risk-register-example.md: 8 fully populated risk entries (Meridian Logistics GmbH fictional engagement)
- playbooks/privileged-access-architecture.md: Module 13 - Teleport, Tailscale/Headscale, JIT access, vendor governance
- playbooks/sovereign-communications.md: Module 14 - Delta Chat chatmail relay, Matrix/Element, crisis channels

Updated documents:
- playbooks/sovereign-tool-stack.md: Added Elysium, CAExporter, E8-CAT, macOS_IntuneManagement, IntunePolicyParser, M365-Scripts; updated capability matrix and module pairings
- core/modular-engagements.md: Module 2 now includes CAExporter as first step; Module 6 includes Elysium password audit
- reference/nist-csf-mapping.md: Added back-reference to nist-csf-baseline.md
- assessment-templates/README.md: Changed Q1/Q2/Q3/Q4 to Phase 1/2/3/4, added Status column
- index.md: Registered all new documents; restructured consultant navigation into three labeled groups (1-25)
- README.md: Updated directory tree; updated Quick Start for Consultants

Czech localization pointers:
- executive-summary.md: Added Česká verze pointer
- nist-csf-baseline.md: Added Česká verze pointer
- engagement-model.md: Added note that client-facing Czech translation is planned

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-27 21:33:52 +02:00


Executive Summary: The Antifragile Enterprise

For the Board, the CEO, and the Executive Committee. One page. Five minutes. A decision that determines whether the organization survives its next disruption.


The Problem in One Sentence

Your organization is currently engaged in a massive, unpaid research project for its competitors—sending proprietary data, strategic reasoning, and operational intelligence to cloud platforms that are incentivized to commoditize your industry.

What Is at Stake

| Asset Category | Current Risk | If Compromised or Extracted |
|---|---|---|
| Strategic intelligence | Rented from cloud AI providers | Competitors replicate your edge; your strategy becomes public model training data |
| Customer trust | Protected by compliance theater | Regulatory fines, class-action liability, irreversible reputational damage |
| Operational continuity | Dependent on vendor stability | Single API change or geopolitical event halts revenue-critical workflows |
| Technical talent | Wasted on maintenance of fragile systems | Burnout, attrition, inability to attract security-conscious engineers |
| Regulatory license | Assumed, not proven | DORA, NIS2, PSD2, and national regulators now demand demonstrable resilience—not paperwork |

The Antifragile Alternative

An antifragile organization does not merely survive shocks. It grows stronger from them. Every incident produces structural improvement. Every competitor's failure creates market opportunity. Every regulatory demand is met with evidence, not promises.

The Five Pillars (Business Translation)

| Pillar | What the Board Hears |
|---|---|
| Structural Decoupling | "We will never again be held hostage by a single vendor's pricing, terms, or existence." |
| Optionality Preservation | "We maintain the right to change direction in 90 days, not 9 months." |
| Stress-to-Signal Conversion | "Every failure makes us smarter and structurally stronger." |
| Sovereign Intelligence | "Our proprietary data improves our own models, not our competitors'." |
| Asymmetric Payoff Design | "Small, focused investments protect us against existential risks." |

The Strategic Mandate: AI Sovereignty

The current AI paradigm is extractive. Every prompt sent to a cloud AI teaches that system how to replace you. By running artificial intelligence on infrastructure you control, you:

  • Protect your intellectual property from becoming public training data
  • Ensure operational continuity regardless of vendor decisions, geopolitics, or API changes
  • Reduce long-term costs from unpredictable per-token pricing to fixed infrastructure
  • Demonstrate regulatory maturity to auditors who increasingly scrutinize data residency and third-party risk

"If our company's intelligence were a physical pile of cash, would we store it in a public bank that takes a 'training fee' off every dollar and reserves the right to change the currency? Or would we keep it in our own vault?"

Local AI is the vault.

The 180-Day Commitment

We do not propose a three-year transformation. We propose four phases, 180 days, measurable outcomes:

| Phase | Timeline | Business Outcome |
|---|---|---|
| Hygiene | Days 0-30 | Visibility. We see every identity, every asset, every gap that could end the company. |
| Control | Days 30-60 | Containment. We close the highest-risk exposure with existing tools—no new procurement. |
| Sovereignty | Days 60-90 | Ownership. We reclaim proprietary intelligence and validate that we can recover from disaster. |
| Antifragility | Days 90-180 | Advantage. We convert disruption into learning, and learning into market position. |

The Investment Framing

This is not a cost centre. It is optionality insurance.

  • Cost of the program: Primarily configuration and process—existing tools are leveraged first.
  • Cost of inaction: A single ransomware incident averages €4.5M in recovery. A single regulatory fine under DORA can reach 2% of global turnover. A single competitor trained on your data renders your proprietary advantage worthless.
  • ROI timeline: Risk reduction is visible in 30 days. Regulatory evidence is demonstrable in 90 days. Competitive advantage from sovereign intelligence compounds over 12-24 months.

The Decision Required

We need one executive sponsor with authority, one steering committee meeting per week, and tolerance for temporary disruption in the first 30 days. The alternative is to continue operating with unseen dependencies, unmapped risks, and an intelligence strategy that enriches competitors.


For the detailed strategic argument, see The Antifragile Manifest. For the board conversation guide, see C-Suite Conversation Guide. For financial justification, see Business Case Template. Czech version: Výkonné shrnutí