Kathleen Hurley
We sit down with Kathleen Hurley, Founder of Sage Inc in New York, to discuss her unique approach to technology and business in the cybersecurity space.


We sit down with Kathleen Hurley, Founder of Sage Inc in New York, to discuss her unique approach to technology and business in the cybersecurity space.
We sit down with Kathleen Hurley, Founder of Sage Inc in New York, to discuss her unique approach to technology and business in the cybersecurity space.
From English major to tech communications specialist, your career path is unique.
How did your background in English shape your approach to technology and business?
I think there are 2 threads that are worth pulling here. One is that I wasn’t just an English major -I was an English major intending to be a teacher. This theme revolves around education and the translation of ideas. No matter what room I’m in, I find myself explaining some esoteric nerdy nonsense to human beings in human being language because I speak both languages, and I love that. I can come up with some crazy analogies! The latest one I remember compared a tired three-year-old’s pre-logical brain to the way an AI can sometimes go off-track, given enough iterations without re-training.
The other thread that could apply is the theme of communication.
I believe that computers and the technologies that connect them together, whatever other good and bad they bring to our lives, help us to communicate. They are tools that democratise the spread of thoughts, just like the printing press was some few years back. Just like the printing press, these tools are used for good and not so good. In my view, those of us who understand how people communicate with each other and who also understand how computers can work have a responsibility to try to help each other exist safely and to try to understand the possibilities.
You’ve witnessed significant technological shifts, from the early days of email to modern cybersecurity challenges.
What key factors do you use to differentiate true innovation from industry hype?
I really have! When I started my first real job after college, nobody was sure that e-mail was going to have large implications for business. What was wrong with the fax machine!? This is where the MBA comes in handy, I think. Having taken a very global program, I was fortunate to sit in Zurich and then study in the United States at an HBS class! No irony there, honestly, because it was an amazing program about the Microeconomics of Competitiveness. Some people say this doesn’t really apply anymore, but I disagree. When clusters of businesses begin to look a certain way, look in a certain direction or gather in a certain area, there’s something happening. I pay attention. Some think it may be harder to see these days because we don’t operate in a physical world all the time. I think it’s easier because I don’t have to be in Manhattan all the time to see it.
Another differentiator is how many cycles out of the gate we’re seeing focus on one factor versus how much wide-spread conversation is happening about adjacent topics. For instance, with AI, we are not focused just on Chat-GPT. We are talking about data centers, cooling, transit, and all manner of adjacent technologies, logistics, and life impacts. That isn’t hype; it’s long tail. It doesn’t mean it will work out, but it’s not hype.
How did pursuing an MBA with a global perspective at the University of Wales broaden your understanding of technology's role in different cultural and business contexts?
I think that the program of study acted as intended. It forced me to think about technology in the context of business strategy, as any good MBA should. Then the layer of globalisation made me think about business strategy in the context of the different perspectives we bring to our day-today lives. Because it was a well-designed program that encouraged a great deal of interactivity among the students and with the professors and required a lot of each of us in the program, those differences naturally became apparent. It was embedded within some cultures that bribery and graft were required in order to get permitting and functional work done. In some cultures, DEI was a no-go if approached overtly but could be handled covertly within sub-cultures. As we began exploring the nuance, it became (as it so often does, I think) apparent that we have so, so much more in common to bring us together than we do differences to drive us apart. That inspires me and drives me forward every day.
It forced me to think about technology – in the context of business strategy
Navigating through crises like ransomware attacks, SEC audits, and the global pandemic is no small feat. What leadership principles or strategies do you rely on in critical moments to keep businesses on track?
Oh, it was nothing (waves hand). That was not a small year! I think there are two core things that are helpful to keep in mind no matter how much is going on at once. First, it’s all possible to break down into smaller problems, and you can work things one stage at a time. If you’ve done a reasonable job learning the foundations of, for example, cybersecurity, then you will probably see even the largest problem in terms of its foundational principles, anyway.
Given that baseline education, it’s likely that you set up the cyber program with a lot of riskbased and reasonable monitoring, prevention and mitigation measures in the first place so that when the bad day does come – as they do – you are not as poorly off as you might be. This is one of the things I’m pleased to bring to our customers at Sage, who are small businesses and have often been in a really reactive position on a bad day. We don’t want them there. We can help them stand as ready as the biggest firm, thoughtfully prepared, and perhaps even better prepared than those big guys because they care a great deal about every one of their customers, just as we do. We all want to keep each other safe and well. Caring goes a long way to doing cybersecurity well, in my experience.
That’s the second thing which I learned through my experience working with, I believe, the finest Compliance team ever to comply. We sought to protect the company from risk in a very reasonable and thoughtful manner, and I believe that we extended a high level of institutional thought and protection to a firm that is a class act. It was a privilege to work with this group – we helped each other reach for our best. What I learned, and take as a strategic leadership principle, is that you can outperform your wildest expectations and generate some amazing feats of business through the magical power of caring about your team, your clients and your business.
If you combine those two things—a really firm foundational education and a really basic level of care and investment in what you are doing and who you are doing it with—I think you come up with a recipe for a delicious business.
It was a privilege to work with this group – we helped each other reach for our best
You have been passionate about process definition for decades. Could you share an example of how your process-driven approach transformed a company’s operations or profitability?
When I was but a young(er) IT professional, I was honoured to serve at CBRE in the Mid-South region with a team of dedicated Asset Management and business strategy professionals who were very smart, had an incredible level of integrity and saw the GFC coming. One of the things that we undertook was an operational review to see where we might find synergies and solutions that could help us go faster, move smarter and harness technology and new ideas. It was brilliant. We were able to define the work that we were doing and how we were doing it, and with the blessing of senior leadership, we were able to brainstorm and transform the business – not only with technology but certainly that was a big part of it – ahead of the storm. I see us, culturally, at a similar moment now with the advent of AI. I think that the opportunity exists for businesses to take a serious look at where they are and what they are doing and define themselves again before the business cycle defines them.
Cybersecurity and compliance are crucial in today’s landscape. What have you learned about seamlessly integrating these two elements, and how does teamwork play a role in developing these solutions?
Cyber and compliance go together like chocolate and peanut butter, but without good old information technology, the whole thing gets sticky and melts. Or some analogy that works better. You see, compliance is about regulation, and that’s so important. Cybersecurity is about managing risk, and that’s so important. Put those two together, and you’ve sort of got a governance package that’s missing anything in the real world! You need IT to stick it all together and give it a shape. Technology is what connects us to reality in this scenario. The programmers, the computers, the software and the infrastructure – it’s where the cyber, the regulatory, and the technology touch the humans. A friend of mine used to say the darn computers were perfect until the people touched them. So a Governance program without IT works great unless there are people involved!
When I talk with people about cyber and risk, I advocate for a GRC-based platform. This isn’t a vendor-driven thing – there’s no GRC company or anything like that. It just stands for Governance, Risk and Compliance. It gives us a way to talk about Risk with the Lawyers, Governance with the Business and Compliance with the – well, sometimes more Lawyers, but you get the idea! We all need to contribute to the conversation. It’s gotten too big, even in a smaller business, for one voice to be the only voice.
Sage Inc. focuses on small and midsized businesses often overlooked by larger tech providers. What unique challenges do these companies face, and how does Sage tailor solutions to their needs?
It’s become obvious through some really nice research recently that the smaller companies around the world are being shut out of not just high-quality information technology support services but any services at all. And it’s not just services like how to improve themselves: they are missing out on what I consider basic cybersecurity hygiene. What small company can afford to sink $10,000 on a firewall? That’s a part-time employee’s salary in some places.
And then there’s the fact that this cybersecurity and regulatory stuff is straight terrifying to some people. When you just read about it – what percentage of small businesses can survive if they get attacked by ransomware? – it makes you want to never use email again. And you read stuff that’s contradictory or doesn’t make any sense, and why would the Russians really be trying to hack me if I sell purses in Norfolk, Virginia? How can that be real in any way?
So, faced with the decision to spend money they don’t have on something they don’t understand, most people ignore the problem, hoping it doesn’t apply to them. That’s not only dangerous for their own company; it makes the whole ecosystem more dangerous for everyone. We are only as strong as our weakest link.
So, I started Sage with a focus on SMBs. We have no “territory” because SMBs are the same all over the world. We help companies with all of their technology, cybersecurity, automation, and AI needs, and we do it all in a bespoke manner. There is nothing you don’t need—no package solutions—and we do it at a price that’s realistic for a small business.
"The darn computers were perfect, until the people touched them"
In your experience, what are some of the biggest misconceptions small businesses have about cybersecurity, and how do you help them overcome these challenges?
There are two big myths I still hear – one is that Apples and Macs can’t be infected. Not true! The other is that there isn’t any way their small
business will get hit because they’re too boring/unsuccessful/insignificant. This isn’t true, either. Now it’s a numbers game, and the bad guys will hit you just to have you in their stable.
A lot of what we do is education, helping people understand what’s going on in an approachable—we hope sometimes fun—way and breaking down the barriers to understanding.
As someone who thrives on facilitating discussions that lead to effective business operations, how do you approach getting stakeholders aligned on complex IT or compliance decisions?
I think that is the same answer as above. If you’re doing the right job of breaking down the problems so they are understandable – get it into bitesized chunks – and you’re aligning to the core business strategy that’s driving your client’s business, there’s no way you aren’t already aligned. If it doesn’t sound like you’re aligned, or you seem to be butting heads on something, there’s a communication issue, is my guess. I think that the simplest path to figuring those out is sometimes drawing the problem. Flow-chart what it is that you’re saying, and have the other party do the same. Where they start to divert, you’ve found the miscommunication.
do you envision Sage Inc.’s role evolving as technology and regulatory environments continue to shift? What trends or innovations are you most excited about for the future of small business technology?
Keeping up to date with the various regulatory requirements and technologies out there is certainly part of our remit. As certified professionals, we’re required to stay abreast of that sort of evolving topology and keep up with our continuing education. I think that’s a good thing. I think that the business will need to remain as agile and responsive as we are today, even as we grow because our clients will need us to be right beside them. Things are going to continue moving more quickly.
I think that there is great promise in what genAI brings to the table. It will take a little longer than some people thought for that potential to be realised, but not that long, and for those businesses that are able to plan now, it won’t be long at all. I also think that there is promise in the further evolution of the personalisation revolution. Some people think that’s over; I don’t think it’s really started, particularly for the smaller firms. I’m also excited about where we go with the future of battery technology. It’s been a long time coming, and now we are having some real breakthroughs. That could unlock whole mountains of innovation that make us all more portable and revolutionises how we work again.
Looking ahead, how