I'm not ignoring you. I'm just not available.
There's a difference, and it took me longer than I'd like to admit to understand it.
I run ContrailRisks — a boutique cybersecurity advisory firm. I work with technology companies, SaaS founders, and regulated organisations on the things that actually matter: building security programmes that hold up under real pressure, preparing for audits that have consequences, designing governance structures that don't collapse the moment something goes wrong.
The work is strategic. It requires thinking. It requires time that is mine to protect.
The Math
I wake up. I have a day. Let's account for it.
Client delivery takes four to six hours on an active engagement — that's not email, that's actual work. Frameworks. Reports. Architecture reviews. Board materials. Strategy sessions. This is the product. This is what clients pay for.
Then there's the business side: writing content, developing methodologies, managing proposals, handling contracts, staying current on regulatory developments (and they move fast — NIS2, DORA, AI Act, CMMC — the landscape doesn't pause because you're busy).
Add basic life administration, deep reading, exercise, and the kind of thinking that happens away from the screen — the long walks where the actual insight happens.
What's left? Not much. Certainly not fifty conversations with strangers about "synergies."
Deep Work Is Not Negotiable
Cybersecurity strategy isn't a commodity. You can't produce it in five-minute windows between notifications.
When I'm working on a client's risk programme, I need to hold their entire context in my head — their architecture, their threat model, their regulatory exposure, their politics, their gaps. Interrupting that is not neutral. It costs me thirty minutes of re-entry time for every break. Do that ten times in a morning and you haven't had a morning — you've had a sequence of false starts.
The messages arrive anyway.
Forty to Fifty Messages a Day
LinkedIn tells me something is waiting. Every day, consistently, forty to fifty messages.
Let me be honest about what's in them. Roughly:
- Thirty are what I'd call "ambient outreach" — virtual coffees, intro calls, "I'd love to pick your brain," connection requests from people who immediately want something.
- Ten to fifteen are partnership proposals (more on those in a moment).
- A handful are actually interesting.
If I gave each message three minutes of genuine attention — reading it carefully, thinking about it, writing a considered reply — that's two to two and a half hours a day. Gone. Into messages that mostly lead nowhere.
That's not a communication problem. That's a resource allocation problem.
What I'm Not Looking For
Let me be direct. These requests arrive daily and the answer is consistently no:
Virtual coffees and intro calls. If we haven't met and you want to talk for thirty minutes without a specific agenda, I'm probably not the right fit. I'm not a network to be tapped. I have a small number of meaningful professional relationships and I invest in those.
"Can I send you some information?" The information usually arrives whether I say yes or not. If you have something specific that's relevant to what I'm building, lead with that.
Ghostwritten content partnerships. I write my own content. That's not a policy — it's the point. My thinking is the product.
"We'd love to feature you / have you speak / write for our publication." Possibly, but not through a cold LinkedIn message. The organisations I speak with earn trust before they earn time.
Vendor evaluations and demos. I'm not the buyer for technology vendors. I advise clients on their technology decisions. This isn't the same thing.
The Partnership Requests
This deserves its own section because the volume is significant and the patterns are consistent.
"Partnership" is a word that arrives in my inbox with three different meanings, none of which I've agreed to.
"Call us when you have a software or services need and we'll take care of it."
This is a referral arrangement dressed as a partnership. The idea is that when a client needs a tool, a penetration test, a managed security service, or a software implementation, I steer them your way.
Here's the problem: I don't do that. My independence is not a feature I'm willing to sell.
When I advise a client on their security architecture, the only criterion is what's right for them. The moment I have a financial relationship with a vendor — even an informal one — that independence is compromised. The client hired me because I have no skin in the game except theirs. That's the entire value proposition. I won't trade it for a referral fee or a "preferred partner" badge.
If your product is excellent, I'll mention it when it's genuinely the right answer. That will happen on its own merits. You don't need an arrangement with me to make it happen.
"Use our solution with your clients."
This version is more sophisticated. The proposition: integrate our platform, framework, or tool into your consulting delivery. Bundle it. Your clients get access to our product as part of your engagement.
I understand the appeal from your side. You get distribution through an advisor's relationships. The clients trust me, so they extend that trust to what I bring.
But I don't bundle third-party products into my advisory work. My methodologies are mine. My frameworks are developed to fit each client's context. Adding a product layer changes the engagement model in ways that usually benefit the vendor more than the client.
There are rare cases where a specific tool genuinely improves what I deliver — not because it's convenient for a commercial relationship, but because it's the right answer for that client at that moment. That assessment happens on a case-by-case basis. It doesn't happen because we signed a partner agreement in January.
"Refer us to clients in exchange for a fee."
This is the most direct version. You pay me a percentage of contract value when I introduce clients to your services.
No.
Not because the numbers don't work, but because the incentive is wrong. If I'm receiving a fee for sending clients in a particular direction, I am no longer giving independent advice. Full stop.
My clients are making decisions about security programmes that affect their business continuity, their regulatory standing, and in some cases the safety of their customers' data. They deserve advice that isn't shaped by my commission structure.
I don't do paid referrals. I don't do undisclosed referrals. If I recommend someone it's because I've seen their work and I believe in it, and I'll say so plainly, and there's no money changing hands because of it.
What I'm Actually Interested In
Peer conversations. If you're a security leader, a founder navigating a regulatory challenge, or a practitioner thinking about the same problems I think about, I'm genuinely interested in that. Not in a scheduled thirty-minute call designed to extract something, but in a real exchange where both of us come away having thought more clearly.
Clients who have a real problem. If your organisation is scaling and security governance hasn't kept up, or a regulatory requirement just became urgent, or you're going through an acquisition and need someone who's done this before — reach out. That's exactly what I'm here for.
Long-form thinking and writing. I'm building the ContrailRisks body of work — frameworks, articles, perspectives on where cybersecurity strategy is heading. If something I've written sparked a thought you want to explore, tell me that. That's a conversation I'll make time for.
The Honest Thing
I know this reads as cold. I know that some messages I don't reply to are from people with something genuinely valuable to offer, and I'm sorry for that cost.
But the alternative — treating my inbox as a first-come, first-served queue that I'm obligated to clear — produces something worse. Work done in fragments. Clients who get less than they deserve. An advisor who is everywhere in shallow form instead of somewhere with depth.
The cybersecurity problems my clients face don't get solved in five-minute windows. They get solved when someone puts in the full thinking, without distraction, over the time it takes.
That's what I'm protecting.
If what you're working on is genuinely aligned with that — I hope you'll find a way to show me.
Fabrizio Di Carlo is the founder of ContrailRisks, a boutique cybersecurity and resilience advisory firm based in Berlin. He works with technology companies and regulated organisations on security strategy, governance, and regulatory compliance.