Skip to main content
Uncategorized

Storytelling, Cybersecurity & Entrepreneurship: WARGAMES Podcast

Avatar photo
March 7, 2025

What do cybersecurity, entrepreneurship, and Tolkien’s stories have in common? More than you might think. In the first episode of the WARGAMES Podcast, host Sean Eyre sits down with me to explore these connections. Our conversation delves into the role of storytelling in business, the complexities of risk in leadership, and the ethical considerations in entrepreneurship. I invite you to reflect on how these themes intertwine and influence modern business practices.

Table of Contents

Who I Am and Why This Conversation Matters

I am the founder of Tree and Leaf Partners, an independent search fund established to acquire and operate a single, exceptional small business. With a background that spans electronic engineering, theology, and business, I bring a unique perspective to the table. My journey began in England, where I started a web design firm during my school years, leading to a degree in Electronic Engineering from the University of Portsmouth and a subsequent role at IBM. My experiences in Uganda, training pastors, inspired me to pursue a Master’s in Theology from Chester University. Later, I earned an MBA from the Kellogg School of Management, where I met my wife, Jenna, and founded Tree and Leaf Partners. My multifaceted background equips me with a distinctive viewpoint on leadership, risk management, and the integration of storytelling in business.

Storytelling in Business and Cybersecurity

Storytelling is a powerful tool in business, shaping leadership approaches, guiding risk management strategies, and facilitating seamless business transitions. I emphasize that narratives help leaders articulate their vision, align teams, and foster a cohesive culture. Drawing inspiration from J.R.R. Tolkien’s “Leaf by Niggle,” I reflect on how the protagonist’s dedication to his art mirrors the entrepreneurial journey—filled with passion, challenges, and the pursuit of a lasting legacy. In cybersecurity, storytelling aids in translating complex technical risks into relatable scenarios, enabling stakeholders to grasp potential threats and make informed decisions. By framing cybersecurity challenges within compelling narratives, leaders can foster a security-conscious culture and drive proactive risk management.

The Role of Risk in Leadership

Risk is an inherent aspect of both entrepreneurship and cybersecurity. I discuss the various types of risks businesses encounter, from financial uncertainties to cyber threats. I underscore the importance of balancing necessary friction—implementing security measures that protect the organization without stifling innovation. Proactive planning is crucial; I advocate for regular incident response planning and security drills to prepare teams for potential challenges. By embracing risk as a catalyst for growth and resilience, leaders can navigate uncertainties with confidence and agility.

Entrepreneurship Through Acquisition: Building and Preserving a Legacy

Entrepreneurship Through Acquisition (ETA) involves acquiring an existing business and steering it toward new growth trajectories. Harvard Business Review explains how ETA offers a pathway for entrepreneurs to build upon established foundations, preserving the legacy of the original owner while infusing fresh energy and vision. For business owners considering transition, Stanford Graduate School of Business provides insights into ETA strategies that ensure a company’s values and culture endure.

I emphasize the significance of values-driven leadership and a long-term vision, ensuring that the acquired business continues to thrive and contribute positively to its community. For a deeper understanding of how ETA works, Acquisition Lab offers guidance on structuring successful acquisitions.

Faith, Ethics, and Business

Faith and ethics are integral to my approach to leadership and business stewardship. I share how my Christian faith informs my decision-making processes, emphasizing integrity, compassion, and service. Leaders often face the challenge of aligning mission-driven objectives with financial and operational realities. I suggest that grounding business practices in ethical principles fosters trust, loyalty, and long-term success. By aligning personal values with business goals, leaders can create organizations that are not only profitable but also purpose-driven and socially responsible.

Practical Takeaways for Readers

For business leaders, entrepreneurs, and security professionals, my conversation with Sean Eyre offers actionable insights:

  • Leverage Storytelling: Utilize narratives to communicate vision, align teams, and influence organizational culture.
  • Embrace Proactive Risk Management: Implement regular security drills and develop comprehensive incident response plans to prepare for potential challenges.
  • Consider ETA for Business Growth: Explore Entrepreneurship Through Acquisition as a strategy to build upon existing foundations and preserve organizational legacies.
  • Align Business Practices with Ethical Values: Ensure that decision-making processes reflect personal and organizational ethics, fostering trust and long-term success.
  • Balance Security Measures with Innovation: Implement necessary security protocols that protect the organization without hindering creativity and growth.

Conclusion and Call-to-Action

The inaugural episode of the WARGAMES Podcast featuring my discussion with Sean Eyre offers a rich exploration of how storytelling, risk management, and ethical leadership converge in the realms of cybersecurity and entrepreneurship. I encourage you to reflect on these themes and consider how they can be applied within your own organizations.

To delve deeper into this insightful conversation, listen to the full episode of the WARGAMES Podcast. Connect with me on LinkedIn to follow my journey with Tree and Leaf Partners and explore opportunities for collaboration. Reflect on your own leadership approach: How do you incorporate storytelling into your business practices? Share your thoughts and join the conversation.

Full Transcript

Sean: Thank you for taking the time to talk to me today. As some people may be aware, I’m Sean, the founder at Ericius Security Company. Andy Galpin, founder and CEO of Tree and Leaf Partners. Who are you? What do you do, and how’d you get here?

Andy: Thanks, Sean. It’s great to be here. I appreciate the opportunity to share some of my background.

I describe myself in four dimensions: I’m an entrepreneur, a storyteller, a husband, and a disciple.

As an entrepreneur, I focus on redemptive acquisition. I look for companies with the potential to drive change in society and the world. I’ve partnered with a group of investors to acquire and transition them into growth.

As a storyteller, I believe stories shape how we see and interpret the world. I love using them to communicate ideas and to better understand the world around us.

I’m also a husband—my wife, Jenna, and I recently celebrated our first year of marriage.

And finally, I’m a disciple. I’ve been following Jesus since I was around 12. I made that decision in an old cattle shed—no manger bed!—in Shepton Mallet, England.

Sean: No room at the inn, huh?

Andy: No room at the inn, yeah.

Sean: I think storytelling might be one of the places where you and I overlap, especially in the stories we like to read. You’ve probably seen my LinkedIn posts using Lord of the Rings quotes to talk about security.

How do you use storytelling in your work, and how does that connect to redemptive entrepreneurship?

Andy: Definitely. I think what we have in common is some shared material.

Tree and Leaf Partners is actually named after a collection of short stories by J.R.R. Tolkien. One in particular—Leaf by Niggle—really resonated with me.

Tolkien wrote it about 30 years before finishing The Lord of the Rings trilogy. At the time, he had just completed The Hobbit and was staring at the immense task of writing the trilogy. The task felt so big that he wrote this short story to capture how daunting it was and how much bigger his vision was than just himself.

The story follows a painter, Niggle, who has a vision for a grand painting but keeps getting interrupted by day-to-day life. Eventually, death comes knocking, and he hasn’t finished. I won’t spoil the ending, but it beautifully ties everything together.

For me, that story resonates with the journey of small business owners. They have a vision for their company—one that God has given them—that’s bigger than themselves. But a company is only truly a company if it can outlast its founder. If the owner can transition into something different and the business remains a self-sustaining entity, that’s true success.

That’s why I focus on helping small businesses through that transition.

Sean: That brings to mind two questions.

First, thanks for clarifying that it’s pronounced Niggle. There’s a debate—is it Nigel or Niggle? We’ll let our friends across the pond sort that out.

Second, do you think writing Leaf by Niggle helped Tolkien stay focused on his trilogy, or was he just admitting that he was getting distracted?

Andy: Maybe a bit of both.

It’s healthy for leaders to accept their limitations, and that’s one thing the story does really well. It’s Tolkien acknowledging that he’ll never capture everything he wants to.

Similarly, as business owners, we won’t achieve everything we want to in this life. But we can move toward the vision step by step.

Tolkien is known as the founder of modern fantasy. Even though he couldn’t write all the stories he wanted, he created a world and a system that has influenced generations. That’s a great legacy.

Sean: I could nerd out about Tolkien all day.

What’s interesting is that Tolkien once wrote that he was trying to create a system of mythology for Britain. He arguably failed at that, but in doing so, he launched modern fantasy.

Instead of creating one mythology that others could plug into, he created a foundation that allowed multiple universes to exist. Even the people trying to subvert the tropes he established are still shaped by him.

Bringing this back to business: in entrepreneurship, we talk about 0-to-1 leaders and 1-to-10 leaders.

Is part of your approach recognizing that you’re not a 0-to-1 leader, but rather a 10-to-100 leader? Are you looking for business owners who have topped out, are ready to retire, and want to pass their legacy to someone who will respect it but also take it to the next level?

Andy: Exactly. Leaders need to understand both their limitations and where their skills provide the most value.

I’m not a 0-to-1 leader—the kind that thrives in startups, constantly pivoting and finding product-market fit.

My background is in consulting at IBM, where I spent six years helping businesses improve their customer and employee experiences. I wasn’t creating something from scratch—I was analyzing what had already been built and making it better.

That skill set is ideal for scaling a business.

In startups, founders wear many hats. But at a certain point, they or their employees become the limiting factor for growth. That’s where I come in. I step in with fresh eyes, identify bottlenecks, and help unlock growth.

Sean: That’s interesting. What kind of roadblocks do you typically encounter, either in consulting or when evaluating a company for acquisition?

Andy: A common one is decision-making bottlenecks.

In many small businesses, the founder is still the key decision-maker for everything. If something unexpected happens—say, a customer service issue—the employees often have to go to the founder to get approval before taking action.

That slows things down. But more importantly, it creates dependency on the founder, making it impossible for the company to scale.

One way to fix that is by instilling clear values. I met a business owner recently who set strong company values and told his employees, If you make a decision that aligns with our values and can explain why, I will back you 100%—even if it turns out to be the wrong decision.

That’s a great way to empower employees while still maintaining control over the company’s direction.

Another common roadblock is a lack of proactive problem-solving.

I worked with a utility company in the UK that dealt with power outages. A power outage is always going to be bad, but the way you communicate about it can completely change the experience for customers.

For example, if you notify customers before they get home that their power is out, they can adjust their plans. They might choose to eat out instead of coming home frustrated.

That small change—providing proactive information—reduces stress and improves customer experience.

Sean: That makes sense. In cybersecurity, a breach is kind of like a power outage—it’s always going to be bad.

The challenge is how to make it less bad.

We once worked with a company that got breached through a chain of known companies. The phishing email came from a company they regularly worked with—because that company had been breached first.

When we contacted them, their response was, Oh, there’s nothing to see here, we had an incident, but it’s under control.

Meanwhile, because they had an incident, we had an incident. And they didn’t warn anyone.

A huge part of security is simply acknowledging reality. If the power is out, it’s out. If there’s been a breach, there’s been a breach.

Andy: Exactly. Acknowledging reality is key. And in cybersecurity, there’s an added challenge—liability concerns.

Saying the wrong thing at the wrong time can create legal risks. That’s why prior preparation is so important. Organizations need to sit down with legal counsel before an attack happens and create an incident response plan.

That way, when something does go wrong, they already have pre-approved language to communicate with customers, employees, and stakeholders—acknowledging the problem without creating unnecessary liability.

Sean: Right. And this is where training becomes essential.

If you’ve never experienced a cyberattack before, your brain defaults to fight, flight, or freeze—which may not be helpful.

It’s just like martial arts. Under stress, you revert to what you’ve practiced the most. That’s why we train, so when the adrenaline hits, our trained response kicks in instead of our emotional response.

Andy: 100%. And that loops back to values as a decision-making framework.

A lot of people struggle with decisions because they don’t have a clear framework for making them.

A few years ago, I took a weekend retreat and mapped out my personal values. I asked myself: What are the principles I want to guide my life?

One of mine is Integrity—doing the right thing, whether people are watching or not.

Another is Growth—constantly learning and improving.

These values shape my decisions. For example, I stepped into entrepreneurship not because I already knew how to do it, but because it challenged me to grow.

Sean: That’s a great perspective.

I push cybersecurity professionals to think in terms of teams, not heroism.

If you don’t have repeatable processes in place that make your job redundant, when are you going to sleep? When are you going to see your kids?

Security work is urgent, but you also need to be sustainable.

Andy: Exactly. That’s why systems and processes matter. They empower people to make decisions without waiting for approval.

For example, we once worked with a bank that had very strict security policies. But when we tried to share documents securely, we ran into issues.

      • Their policy blocked Google Drive.
      • Our system wasn’t compatible with their internal file-sharing tool.
      • Emailing sensitive data wasn’t secure.

We had to navigate multiple roadblocks just to securely share information.

The lesson? Security should empower people, not frustrate them. The best security is friction that makes sense—not just friction for friction’s sake.

Sean: Yes! I always tell people that not all friction is bad.

Take bank transfers, for example. When you enter a recipient’s account number, some banks let you copy and paste into both fields. Others force you to retype the second field manually.

That’s intentional friction—it forces you to slow down and double-check, preventing costly mistakes.

In security, our job is to make the right thing easy and the wrong thing hard.

Andy: Exactly. Security isn’t just about locking things down—it’s about guiding behavior.

That’s why I love the term “necessary friction”. It’s friction that serves a purpose—like two-factor authentication.

It’s an extra step, but it makes an attacker’s job 10 times harder.

Sean: Absolutely. And this brings us back to risk management.

In security, we tend to talk about perfect solutions—but perfection isn’t always necessary.

For example, some security pros say, Never use SMS for multi-factor authentication (MFA) because a hacker could clone your SIM card.

Yes, that’s true. But enabling SMS MFA is still a massive security improvement over no MFA.

Instead of getting stuck on perfection, we need to ask: What’s the biggest return on investment for security?

Andy: 100%. Security, like business, is about trade-offs.

If you make security too rigid, people will bypass it. If you make it too loose, it won’t be effective.

It’s about balance—creating strong protections while keeping people productive.

Sean: Exactly.

Alright, let’s shift gears a bit.

Your work focuses on entrepreneurship through acquisition. What are the biggest risks you deal with—both in the companies you acquire and in Tree and Leaf Partners itself?

Andy: Great question. There are two main types of risks we navigate:

  1. Company-Specific Risks – Every business we evaluate has unique challenges. Some common ones:
    • The founder is the bottleneck—everything depends on them.
    • The company lacks scalable systems.
    • There’s no clear transition plan for leadership.
  2. Tree and Leaf Risks – On our side, we handle:
    • Financial risk – Investors trust me to steward capital wisely.
    • Data security – We review highly sensitive financial information about companies before acquisition. Keeping that data secure is critical.

Sean: So you must handle a lot of sensitive information.

Do you use compartmentalization? Do you have, like, a giant burn bag in your office for shredding documents?

Andy: We try to avoid printing sensitive documents altogether. Most of our data is digital-first and securely stored.

      • We use cloud-based storage with encrypted backups.
      • Access is restricted—only necessary people can view files.
      • When someone leaves the team, we have a clear offboarding process to revoke access.

It’s all about balancing accessibility with security.

Sean: Makes sense. You’re dealing with classified-level business data.

Alright—time for a curveball.

You can’t say Leaf by Niggle. What’s a book you’d recommend?

Andy: I’ll give you two.

Nonfiction: Crucial Conversations – Every leader should read this. It teaches you how to handle difficult conversations in a calm, logical way.

Fiction: Chasing Francis by Ian Morgan Cron – It’s about a megachurch pastor who loses his faith and rediscovers it by retracing the steps of St. Francis of Assisi.

Sean: Love it. My go-to is The Code of Trust by Robin Dreeke. It’s about trust-building—even in the spy world.

Alright, Andy—how can people find and support you?

Andy: The best place is LinkedIn, or check out treeandleafpartners.com.

Sean: Awesome. And for everyone listening, I’m Sean, founder of Ericius Security.

We provide cybersecurity for people in dangerous situations—counter-human trafficking, missions, and more.

If you want to support us, visit ericiussecurity.org/support.

Thanks for listening!

Leave a Reply