Cyber Risk is Business Risk: A Georgia Tech Alum on What Leaders Must Learn in 2026
When Christopher Craig arrived at Georgia Tech as an undergraduate in 1995, the campus and the field of cybersecurity looked very different.
“It was the era of look left and look right, and one of you will not be here at graduation,” Craig said.
Craig worked hard and graduated with his computer science (CS) bachelor’s degree in 2000, just as the dot-com bubble burst. He returned to Georgia Tech about a year later and has been here ever since.
Craig is the enterprise cybersecurity architect in the Office of Information Technology and has spent nearly three decades at Tech as a student, employee, and instructor.
Along the way, he has earned three degrees from the Institute and helped shape how Georgia Tech approaches cybersecurity in an increasingly complex digital landscape.
Craig began his career at Tech supporting student registration and other core IT systems. He moved fully into cybersecurity about 15 years ago. His technical background was strong, but he saw a gap in his experience.
“I had a lot of technical background and work experience, but not much policy experience,” he said.
Craig enrolled in Georgia Tech’s Master of Science in Information Security to fill in this gap. He said his decision to enroll in the policy track was intentional.
“If you’ve been doing the technical work for 10 years, a technical master’s helps some,” Craig said. “But it is much more useful to study the areas you do not already know well.”
Craig moved into management as his GT career progressed. This path led him once again to the classroom. This time, he pursued an MBA from Georgia Tech’s Scheller College of Business.
Craig believes the combination of cybersecurity and business education is increasingly important for leaders and others.
“There is a big gap in the industry,” he said. “You need people who understand cybersecurity and the business side, and people in business leadership who understand cybersecurity risk.”
Craig is an instructor in the online Master of Science in Cybersecurity program. He teaches incident response and often sees this gap among his students.
“Many business professionals do not know how to respond to a cybersecurity incident,” Craig said. “They are not trained in it. At the same time, many cybersecurity professionals are learning business impacts on the job.”
Craig said business knowledge is essential for aspiring chief information security officers.
“At that level, understanding how cybersecurity supports business goals is more important than deep technical detail,” he said. “You still need the basics, but you also need to talk to the CFO.”
At Georgia Tech, Craig focuses on cybersecurity architecture. His work centers on the design and protection of enterprise systems.
“For example, student information systems have a design,” he said. “We look at how firewalls and other controls fit into that design to protect the data.”
His role continues to evolve as the Institute’s cybersecurity needs change. That evolution mirrors the field itself, especially with the rise of artificial intelligence (AI).
“AI has impacted cybersecurity for longer than people want to admit,” Craig said. “Understanding what is unusual is a big part of security, and AI can be very good at that. It can also be very good at avoiding detection.”
Craig said AI introduces new architectural risks, particularly around data privacy. Tools that analyze student or employee data must be carefully designed to prevent sensitive information from leaking through training or outputs.
“You have to understand the inputs and outputs,” he said. “Otherwise, you can accidentally release data you really care about.”
Privacy has been a recurring theme throughout Craig’s career. He credits courses such as the privacy policy class taught by Professor Peter Swire, the J.Z. Liang Chair in the School of Cybersecurity and Privacy, with shaping his thinking.
“So much of security is about personal data,” Craig said. “Understanding what actually makes data anonymous or not is critical.”
Craig believes that privacy protection depends on training and system design within an institution as large and decentralized as Georgia Tech.
“Training can only get you so far,” Craig said. “People make mistakes. Strong processes limit exposure even when human error happens.”
Looking back, Craig describes his time at Georgia Tech as one of constant growth.
“The industry has massively changed,” he said. “What you learn becomes outdated quickly. You have to keep growing.”
From undergraduate student to cybersecurity leader, Craig’s career reflects both the evolution of Georgia Tech and the fast-changing world of cybersecurity. For him, the learning never stops.
