
Partner Perspectives: Q&A with Josh Fleming of Echelon Risk + Cyber

Apptega
March 31, 2025

Introduction

At the heart of Echelon Risk + Cyber is a commitment to helping organizations feel confident about their security postures, and the company works closely with clients to build solutions and relationships that empower organizations to thrive securely in an increasingly digital world.

We recently sat down with Josh Fleming, Risk Advisory Practice Leader at Echelon, for a brief Q&A to learn what sets the company apart, why compliance is a growth opportunity for providers, and what’s next for Echelon and the industry.

Key Takeaways

1. What does Echelon Risk + Cyber do? What is your role?

Echelon Risk + Cyber is a cybersecurity services consulting firm dedicated to helping organizations build resilient security programs. Our services span governance, risk, compliance (GRC), incident response planning, penetration testing, vCISO, and security assessments. As the Risk Advisory Practice Leader, I oversee our GRC and incident response planning service offerings, develop strategies to expand our services, and manage a team of consultants dedicated to supporting clients across multiple industries.

2. What solutions/services does Echelon Risk + Cyber offer?

We provide comprehensive security solutions, including:

  1. vCISO-Led Security Team as a Service (STaaS)
  2. Risk Advisory & Governance, Risk, and Compliance
  3. Offensive Security & Adversary Simulation
  4. Defensive Security Services & Hardening

3. Do you specialize in any specific areas (industries, services, frameworks, etc.)?

Our expertise is in delivering tailored cybersecurity solutions across various industries, including financial services, healthcare, higher education, technology and SaaS, manufacturing, professional services, retail, and nonprofit organizations. Our capabilities extend to aligning organizations with compliance frameworks such as ISO 27001 and NIST, ensuring robust security postures and regulatory adherence. By offering services like vCISO-led Security Team as a Service (STaaS), offensive security and adversary simulation, defensive security services and hardening, and risk advisory and governance, risk, and compliance, we address the unique challenges faced by each sector, enhancing our clients' cybersecurity resilience.

4. What differentiates Echelon Risk + Cyber from others in the space? How do you stand out?

Echelon Risk + Cyber distinguishes itself in the cybersecurity landscape through a combination of unwavering commitment to core values, a client-centric approach, and a team of seasoned experts. Our foundational belief is that security and privacy are basic human rights, driving us to tailor our services to meet each client's unique challenges. We prioritize honesty and transparency, ensuring that our solutions are customized and actionable, rather than generic. Our team comprises professionals with extensive experience across various industries, bringing a wealth of knowledge and expertise to every engagement. This diverse background enables us to address complex cybersecurity challenges effectively.

5. How do you stay ahead of a rapidly evolving threat landscape?

At Echelon, we proactively address the rapidly evolving threat landscape through a multifaceted approach. By offering continuous penetration testing, we emulate threat actor activities at machine speed, ensuring that vulnerabilities are promptly identified and addressed. Our Managed Defensive Security Services provide a comprehensive suite of proactive defense strategies, including cloud security and advanced vulnerability management, ensuring cybersecurity platforms are continuously updated and optimized to counter emerging threats. Echelon's Governance, Risk, and Compliance as a Service (GRCaaS) offers an all-in-one solution to build, manage, and scale governance, risk, and compliance programs, adapting to changing threats and regulations. The expert-led offensive security team conducts simulated cyber-attacks to identify vulnerabilities within an organization's systems, helping to strengthen defenses against potential real-world threats.

6. How do you scale your services to accommodate a growing list of customers and regulatory requirements?

We leverage scalable frameworks like NIST and ISO to create repeatable processes that can be customized for individual clients. Tools like Apptega enable us to manage assessments efficiently and deliver insights faster, ensuring we can meet increasing client demands without compromising quality. Additionally, staying current with industry trends, shifts in the regulatory landscape, and evolving best practices allows us to accommodate the changing needs of our clients.

7. How do you bundle your security and compliance services (pricing, packaging, positioning, etc.)?

We offer flexible service packages tailored to clients' specific needs. Our pricing structure balances fixed-fee engagements with customized options to accommodate businesses of various sizes and complexity levels. For example, our cybersecurity maturity assessments can be expanded to include penetration testing, tabletop exercises, and additional advisory support. This modular approach allows clients to build a tailored security program that scales with their organization's growth. We also provide flexible retainer models for clients seeking ongoing advisory support, ensuring they can access our expertise as new threats or regulatory changes arise.

8. How are you delivering your compliance services? Do you have a formalized compliance offering?

Our compliance services are delivered through a structured and formal approach designed to provide clients with clear insights into their current security posture and guidance on achieving regulatory compliance or security certifications. This approach includes comprehensive assessments, detailed gap analyses, and readiness reviews that align with industry best practices and recognized frameworks such as NIST, ISO, SOC 2, and HIPAA. By leveraging tools like Apptega, we enhance the efficiency and accuracy of our engagements. Apptega allows us to streamline data collection, track progress, and generate transparent reports that outline compliance status, identified gaps, and actionable recommendations. Our structured methodology ensures consistency across our engagements and empowers clients to confidently pursue their compliance goals with clear visibility into their journey toward improved security and regulatory adherence.

9. Do you have a favorite compliance framework? Why?

NIST CSF 2.0 is one of our preferred frameworks due to its flexibility, scalability, and alignment with industry best practices. It provides a comprehensive structure that helps organizations address cybersecurity risks while remaining adaptable to various industries and maturity levels. NIST CSF’s alignment with other frameworks such as ISO 27001, SOC 2, and CIS 18 makes it a practical foundation for developing integrated security programs. Its five core functions — Identify, Protect, Detect, Respond, Recover, and Govern — provide a clear roadmap for organizations to improve their security posture.

10. What are the most common gaps or pitfalls you see when it comes to cybersecurity and compliance management?

Common gaps I see include a lack of documented policies, insufficient security awareness training, and failure to align controls with actual business risks. Additionally, organizations often struggle with asset visibility and tracking, which typically leaves security gaps unnoticed.

11. What are your thoughts on compliance as a growth area for Echelon Risk + Cyber (and for other providers)?

Compliance presents a significant growth opportunity for Echelon, as organizations increasingly view regulatory adherence as not just a requirement, but a strategic advantage. Businesses are under mounting pressure to demonstrate robust security practices to secure partnerships, attract investment, and expand into new markets. By enhancing our compliance offerings, we position ourselves to help clients achieve key certifications such as SOC 2, ISO 27001, and HIPAA, which can serve as powerful differentiators in competitive industries. Additionally, providing clients with tools and frameworks to demonstrate security maturity helps build trust with stakeholders, customers, and regulators alike. As the regulatory landscape continues to evolve, proactive compliance support also opens opportunities for recurring engagements, continuous improvement services, and advisory partnerships. By investing in our compliance capabilities, Echelon can strengthen client relationships, drive long-term value, and establish itself as a trusted partner in navigating complex security and regulatory challenges.

12. What's your outlook for the provider space over the next several years? What does it mean for Echelon Risk + Cyber?

The cybersecurity provider space will see continued demand for services as organizations face new regulatory pressures, increased attack surfaces, and evolving threat tactics. Providers that focus on automation, scalability, and improved client experience will thrive. For Echelon, this presents an opportunity to expand our services further by investing in technology platforms like Apptega, enhancing our reporting capabilities, and building strategic partnerships to meet the growing demand for integrated security solutions.

13. Are you seeing increased financial pressure within the industry? If so, what does it mean for providers, specifically regarding the need to meet revenue goals?

Yes, financial pressure is rising as organizations evaluate security investments more critically. For providers like Echelon, this means we must demonstrate clear ROI by aligning security improvements with business objectives. Our flexible service offerings, bundled solutions, and strategic use of tools like Apptega enable us to provide cost-effective yet impactful services that meet client expectations and support revenue growth.

14. Why did you decide to partner with Apptega? What challenges are you trying to solve?

We partnered with Apptega to streamline our assessment, readiness, and gap analysis processes. The platform enables us to manage multiple frameworks efficiently, deliver clear reporting, and improve client engagement. This has allowed us to scale our services effectively while reducing administrative overhead.

15. How are you using the Apptega platform? Why is it important?

Apptega plays a critical role in our compliance engagements, allowing us to track client progress, identify control gaps, and generate comprehensive reports. The platform's intuitive interface and customizable framework capabilities enable us to deliver meaningful insights faster, improving the client experience.

16. What has been your experience working with Apptega?

Our experience with Apptega has been excellent. The platform has enhanced our ability to manage complex projects and improved efficiency in delivering assessments. The Apptega team has also been highly supportive, helping us tailor the platform to meet our unique needs.