Left Big 4 for AI: Why One Cybersecurity Leader Ditched Consulting

Ralph Chammah, co-founder of Blacklight AI, in conversation with Yegor Sak and Alex Paguis on the Full Metal Packet podcast.


Ralph Chammah was on the fast track to partner at Deloitte. He'd been shortlisted for the partnership-ready program, was leading cybersecurity monitoring and detection practices, and had spent years deploying security tools for some of the world's largest organizations. By most measures, he'd made it.

So why walk away?

"I've been deploying a lot of different tools, but we also know there's a gap in the market that we could innovate on," Chammah explained in a recent conversation. "It was a question of — how can we build something quickly to address the current market need, but also the future market need?"

That question led him to co-found Blacklight AI, an AI-driven cybersecurity platform designed to solve the problems he'd spent years patching over with customization and manual effort.


The Pain Points That Sparked the Leap

Chammah is quick to clarify that his departure wasn't a rejection of consulting. It was a response to a structural limitation: Big Four firms don't build software. They evaluate, recommend, and implement what's available on the market, and when the available tools fall short, consultants fill the gaps with expensive, time-consuming customization.

"Customization translates into dollar signs, but it also translates into time," he said. "With AI as a tool to help you become more efficient and more effective, the question became: how do we incorporate that and make it more valuable for consulting firms to resell, and therefore bring quicker value to their clients?"

The war stories from those consulting years paint a vivid picture of why the existing tooling wasn't cutting it. Building parsers one by one, only to realize a critical field was missing. Pulling all-nighters to diagnose deployment failures. Spending hours building pivot tables and fixing PowerPoint decks for weekly client reports, then scrambling when the meeting got moved up a day.

But the deeper issue wasn't operational friction; it was a fundamental limitation in how traditional security tools work. Most legacy monitoring systems rely on predefined rules: define what you want to detect, configure the conditions, and wait for a threshold to trigger an alert. The problem is twofold. First, it's reactive: you only find out after something has already happened. Second, you can only detect what you've thought to define, and today's attackers aren't following yesterday's playbook.

"AI is being used by hackers," Chammah noted. "We have no idea today what the next type of attack could be. So we always have a gap between what we can actually detect and what we should be able to detect."

Why AI and Why Now

Chammah is emphatic that AI isn't new, nor is it a silver bullet. What's changed is the compute power available to run sophisticated models at scale and speed. At Blacklight, AI isn't a feature bolted onto an existing product; it's embedded in the architecture from day one.

The platform runs a mix of AI detection algorithms, machine learning models, and both large and small language models depending on the task. Critically, most of these models run locally in the client's own environment rather than reaching out to external services, a design choice that addresses both data privacy concerns and the risk of hallucination from uncontrolled inputs.

"We define AI as what a human should be doing, exponentially quicker," Chammah said. "It allows teams to have AI as a tool, not to replace someone, but to augment your skillset and capabilities."

The validation process backs this up. Blacklight can ingest historical data and run simulations against it, catching threats that legacy rule-based systems missed. This comes up frequently in incident response scenarios, where teams need to look back through months of logs to find where a breach started and how it spread.

Real-World Stakes: Jaguar Land Rover and Beyond

To understand why any of this matters, look no further than the Jaguar Land Rover cyberattack. In September 2025, JLR was hit by a devastating breach that forced a complete shutdown of vehicle production across its UK plants for approximately five weeks. The estimated cost exceeded £1.9 billion, with ripple effects hitting more than 5,000 businesses in JLR's supply chain. The UK government had to step in with a £1.5 billion loan guarantee to stabilize the situation.

Chammah also pointed to the Marks & Spencer and Co-op breaches earlier in 2025 as examples of how compromised credentials can have cascading, long-term consequences. In those cases, attackers used social engineering to trick IT help desks into resetting passwords, then deployed ransomware, a painfully simple entry point with enormous fallout.

"The impact is very complex and people underestimate it," Chammah said of these incidents. "There's immediate impact, medium-term impact, and long-term impact."

One of the most insidious patterns he sees is attackers who gain access and then simply wait. They take their time doing reconnaissance, quietly mapping out an environment before making a move, and detection is far harder when activity is spread over weeks or months.

The Crowded Market Problem

Cybersecurity is one of the fastest-growing sectors in tech, which means it's also one of the most crowded. Chammah acknowledges this head-on. The market is flooded with acronyms — XDR, MDR, SIEM — and vendors who slap "AI-powered" on products that amount to little more than a wrapper.

But he sees a natural correction underway. Investors are starting to ask harder questions about whether a product is truly AI-driven or just AI-decorated. Clients are getting more sophisticated in their evaluations, too. And smaller, more agile companies can offer something the behemoths often can't: genuine support and rapid iteration.

As for the common enterprise strategy of stacking multiple overlapping tools for redundancy, Chammah pushes back. More tools can actually increase your attack surface by adding integration points and data streams that become targets themselves. Instead, he advocates for a principled approach: map your security needs across core pillars (network security, identity management, email security, data loss prevention) and select complementary, non-overlapping tools for each.

"Having a lot of tools is chaos to manage," he said. "It's finding the right balance. But in my opinion, it's not a strategic move to go all-in with one vendor either."

What Every Organization Should Do Right Now

When pressed for one piece of advice that requires zero budget, Chammah's answer was refreshingly practical: ask your security team what they're still doing manually, then figure out how to automate it. Every manual process is both a drag on efficiency and a potential source of human error.

His parting message was broader and more urgent: "Cybersecurity is not a nice-to-have, and you're never too small to be attacked. Doing investments early on could translate into preventing a breach, and preventing a breach means you've minimized operational disruptions, financial losses, and legal consequences that would have cost you five, six, or even ten times more."

It's a message that carries extra weight coming from someone who spent years on the consulting side watching organizations learn that lesson the hard way, and who ultimately left to build something that could change the equation.