
Andrew Amaro on building better habits early

Andrew Amaro is a co-author and principal instructor in the Catalyst’s Cyber for Startups program, as well as a mentor for ELCI. As the founder of Klavan Security, Andrew built the Mission Ready SOC 2 Success Path™, a five-step system that helps early-stage companies get audit-ready without killing momentum. Before this, he was on the ground as a TECHOPS in Canada’s national security community (CSIS—Canadian Security Intelligence Service) with military and red-team experience. He brings a hacker’s mindset to solving business risk — focusing on what actually works, not just what looks good in a policy binder.

Most startups don’t ignore cybersecurity because they don’t care; they neglect it because they’re overwhelmed. 

Andrew Amaro, Cyber for Startups co-author and principal instructor at the Catalyst, says time and financial constraints are significant barriers to entry for small startups looking to build a security plan. 

His goal is simple: to have people leave a little bit more secure, even if it’s only by 20%. In developing the six-week Cyber for Startups program, Andrew distilled five years of his experience helping startups build practical security habits. Just as importantly, he works to ensure teams actually buy into the process, rather than feeling disrupted by it. 

“I noticed that the earlier I got involved with startups, the easier it was for them to scale,” says Andrew. He noticed a pattern: the companies that struggled most weren’t necessarily careless. They had simply grown too quickly with bad habits baked into their operations. By the time security became urgent, changing behaviour was exponentially harder.

It’s hard to introduce good security habits after a company has already scaled.

“Once people are used to doing things a certain way, changing behaviour becomes difficult,” he says, and this is a foundational aspect of his approach to Cyber for Startups.

Andrew compares security to boxing: one bad habit can take thousands of repetitions to undo. Even something as simple as moving from personal email accounts to company-managed systems becomes harder once a company has grown. For this reason, he believes in keeping things simple and systematic. A policy doesn’t have to be complex or drawn out, so long as it’s effective.

I’d rather have a policy written on a napkin that everyone understands than a perfect policy nobody reads.

Andrew’s approach is informed by years spent thinking like an attacker. Through military, national security, and red-team work, he learned to identify weaknesses in systems before others did. Today, he applies that same mindset to startups — to help founders identify vulnerabilities before growth turns them into larger problems. 

When talking about creating good habits from the start, Andrew refers to an insurance policy. “It’s almost how you help your future self,” says Andrew. “It might cause some pain or discomfort today, but your future self will thank you.” 

He compares cybersecurity to car insurance: most people don’t expect to crash every time they drive, but they still prepare for the possibility. The same goes for cybersecurity. You hope you never need protection, but you’ll be grateful it’s there if something goes wrong.

Long before cybersecurity, Andrew was fascinated by systems, boundaries, and how people navigated them. When asked where his interest in security comes from, he says it started when he was younger, when he would climb fences and cut the bolts off locks to turn on the lights at a ski hill so he and his friends could build jumps. He skateboarded with his buddies and tried to break into the school. And he snuck into a hockey arena to see the Bruins play the Senators by dressing like the Häagen-Dazs sales staff.

Those breaking-and-entering moments later evolved into a deeper interest in cybersecurity and the psychology behind how people interact with rules, systems, and risk. Eventually, Andrew’s proclivities toward security led to his work with the NSA, the CIA and Unit 8200 during and after his CSIS role, along with underground hackers from around the world. But his skills were seeded in his earliest passions.

Skateboarding remains one of the clearest links to his founder mindset. For Andrew, it taught resilience, persistence, and the value of failing repeatedly until you improve. He explains that when you’re trying to land a kickflip, you can spend hours failing before you ever succeed consistently. “It taught me perseverance,” he says. “It taught me that whatever is worth doing takes time. You start breaking your goals into modules.”

In his experience, skateboarding also teaches people how to recover from failure. “When people say, ‘What if I fall?’ I’m like, ‘Of course you’re going to fall.’” Good skateboarders, he explains, learn how to fall properly because they know falling is part of the process. That same mindset applies to cybersecurity. Breaches may happen, but preparation, resilience, and strong practices determine how well a company recovers.

You’re going to fall, the important thing is knowing how to recover.
