The Guardian’s Mindset: Ernesto Lopez on Systems Thinking, Risk Advisory, and Growing at Echelon

In line with Echelon's value of People with Personality, we are excited to continue our Cybersecurity Champion series, where we spotlight the incredible individuals who make up our team. Each month, we share the stories of professionals whose talent, dedication, and unique perspectives help keep organizations secure. 

Meet Ernesto Lopez, a Cybersecurity Consultant at Echelon Risk + Cyber. Ernesto's path into cybersecurity began with a childhood curiosity for breaking systems to understand how they work, a mindset that led him from computer science toward risk advisory, where technical depth meets strategic decision making. Now one of the longest-tenured members of Echelon's Risk Advisory team, Ernesto brings a systems-first perspective and a passion for bridging technical complexity and business risk. 
 

1. Tell us about your background and how your studies and early career shaped your path into risk advisory at Echelon.

   When I decided to study computer science, it was driven by my perception of software engineering as modern-day architects capable of transforming abstract ideas into complex, tangible systems through code.  

   As my career progressed and I gained exposure to real-world projects, I reconnected with a long-standing curiosity I had as a child, experimenting with things and breaking systems to understand their behavior. This perspective reshaped my way of thinking, leading me to question not only how systems are built, but how they can fail and be exploited. That's when my direction shifted. 

   While many of my peers were driven to create, fewer focused on safeguarding the confidentiality, integrity, and availability of those systems. I recognized that my strengths and interests were aligned with the security of those systems. Rather than creating systems alone, I chose to focus on protecting them. Positioning myself not as a creator, but as the guardian. 

   I decided to explore risk advisory in particular because it allows me to develop an end-to-end understanding of those systems while assessing how technical vulnerabilities translate into real business risk. It provides a real understanding of the bridge that exists between technical complexity and strategic decision making. 

    

2. You've been at Echelon for three years, starting as an intern and growing into a consultant. What shifts or trends have you observed in the industry during that time?

   AI is definitely a trend in cybersecurity. AI expands all of the threat vectors and amplifies the existing cyber risks. It's been a long path in terms of different technologies, different solutions, a lot of tools, and a lot of vendors. 

   I am concerned about the rapid pace and strength of AI’s growth without the consistent implementation of adequate safeguards. Many organizations appear to be underestimating AI-related risks simply because they lack a formal governance posture regarding its use. However, the absence of official adoption does not mean that AI is not being used. On the contrary, its presence is often observed in blind spots created by shadow IT, shadow governance, and increasingly autonomous systems operating without proper oversight. Banning AI is simply not realistic. 

   I’ve also been closely monitoring the software development industry during this surge in AI adoption; the resulting increase in code velocity is contributing to a form of technical debt that is beginning to impact the quality and reliability of production systems, and of course, their security.  

   At the same time, I’ve noticed a shift how organizations think about cyber risks. They really understand that these are not just cyber risks, they are business risks. It's been really interesting to see how organizations across the globe are taking cybersecurity and privacy seriously.  
    

3. What advice would you give to students or early-career professionals looking to break into cybersecurity?

   First, build a strong foundation in systems before specializing. Cybersecurity sits on top of networking, operating systems, cloud, and applications. The better you understand how systems work, the more effectively you can identify and contextualize risk. 

   Second, build evidence of practical capability, not just knowledge. Focus on tactical outputs: documented labs, risk assessments, or security analyses of real systems. Being able to demonstrate how you think and approach problems is significantly more valuable than listing completed training. 

   Third, learn to think in terms of risk, not just vulnerabilities. Many focus on finding issues, but fewer understand their impact. Shift your mindset toward assessing likelihood, impact, and business relevance. 

   Fourth, instead of focusing only on isolated vulnerabilities, study how systems are interconnected: cloud services, identity providers, APIs, and third-party dependencies. Many critical risks arise not from a single flaw, but from how components interact and create unintended exposure. 

   Last but not least, develop your ability to communicate and translate risk. Technical depth alone is not sufficient. The ability to clearly explain risk, trade-offs, and recommendations to non-technical stakeholders is a valuable differentiation.  
    

4. Are there any resources, communities, or tools that have been particularly helpful in your journey?

   There are a lot of cybersecurity communities out there. Be curious and do not be afraid to explore new sides of the internet. 

   I make a conscious effort to stay informed by incorporating cybersecurity news into my daily routine. I begin my days reading Krebs on Security, which is a really valuable source for me, and Dark Reading, which provides valuable insights into current threats and trends. 

   I also regularly listen to Darknet Diaries, a podcast available on Spotify and Apple Music, which tells real-world stories that deepen my understanding of adversarial tactics and incidents. And I follow the Lex Friedman podcast, which, while not exclusively focused on cybersecurity, provides a broader perspective on technology, artificial intelligence, and their social implications.  
    

5. What do you appreciate most about being part of Echelon?

   When I joined Echelon three years ago, I really connected with the core mission of the company: treating security and privacy as fundamental human rights. I firmly believe that the widespread and practical adoption of this principle is critical to shaping a more secure, resilient, and equitable digital future. 

   As technology continues impacting every aspect of society, ensuring the protection of digital identities and information is a foundational requirement for trust, stability, and progress. I'm particularly driven by the opportunity to contribute to this vision by helping organizations and individuals not only understand risk, but to embed security and privacy into the core of their operations and daily lives. 

   Another thing I deeply value is the opportunity to work alongside highly skilled and experienced professionals who continuously motivate me to grow as a professional and as an individual. The mentorship I have received throughout these years has been truly invaluable, shaping not only my technical capabilities but also my perspective and approach to my career. 
    

6. Outside of work, how do you like spending your time? 

   I enjoy pushing my limits through sports, particularly weightlifting, which challenges my physical and mental discipline.  

   I have a strong passion for coffee, which I consider my daily ritual. I enjoy experimenting with different extraction methods, beans, and varieties. I find it fascinating how subtle changes in preparation can significantly influence flavor profiles. I also consider myself a food enthusiast. Whenever I visit a new city, I enjoy exploring its culinary scene, seeking out local cuisines, and connecting with people through shared experiences. 

   I enjoy reading and I have a personal blog where I write and reflect on various topics. And music is another important interest of mine; I'm particularly drawn to how it enables connection through sound.  

   

7. What does being a Cybersecurity Champion mean to you?

   To me, being a Cybersecurity Champion is about being present and taking ownership to promote a culture of security, awareness, and accountability. I feel grateful for the opportunities, knowledge, and remarkable people I have met along the way; individuals who not only shaped my professional growth but also made it possible for me to contribute to their journeys.