Introduction
Meet Tom Brennan, Managing Partner at Proactive Risk, where expertise and experience converge to safeguard critical national infrastructure (CNI) organizations. As a co-author of multiple cybersecurity titles, Brennan possesses unmatched knowledge, enabling him to effectively secure CNI organizations against emerging threats.
We recently sat down with Brennan to explore Proactive Risk's bespoke approach, leveraging a small, seasoned team to deliver tailored solutions. Learn about the challenges they're addressing in the CNI space and how their consultative expertise is driving meaningful impact.
Key Takeaways
1. What does Proactive Risk do? What is your role?
As Managing Partner at Proactive Risk, I lead a team of experts dedicated to helping governments and critical national infrastructure organizations navigate complex risk landscapes. Our boutique consultancy specializes in risk management, security assessments, and compliance solutions, delivering tailored technical advisory services to support our clients' most pressing needs.
2. What solutions/services does Proactive Risk offer?
We offer a range of solutions and services, but my expertise lies in advisory, assessment, and operations. Our advisory and assessment services involve evaluating organizations against established frameworks and providing guidance on best practices, regulatory compliance, and government controls.
What sets us apart is our hands-on experience. We don't just provide checklists. We offer expert consulting rooted in real-world experience. With 20 years of experience in the field, including hands-on keyboard time, I bring a depth of knowledge to high-level consulting. My focus is on strategic guidance, spanning multiple areas, rather than just checking boxes or offering generic advice.
3. Do you specialize in any specific areas (industries, services, frameworks, etc.)?
We specialize in serving the CNI industry, with expertise aligned to CISA's Cross-Sector Cybersecurity Performance Goals and the Center for Internet Security (CIS) Controls. While we guide organizations through compliance journeys, we emphasize that compliance is merely the foundation — true security demands a more nuanced and comprehensive approach.
4. What differentiates Proactive Risk from others in the space? How do you stand out?
As a boutique consultancy, we've built a sustainable business model, free from investor pressures, with a strong cash flow and a loyal client base. We're selective about the clients we work with, prioritizing those who share our values and are committed to safeguarding CNI.
Our expertise spans 16 areas within CNI, including chemical, water, and gas; first responders; telecom; secure buildings; law enforcement; and real estate. With our consultative approach, we focus on people, processes, and technology, delivering tailored solutions that address unique client needs.
As a veteran-owned small business and patriot partner, we're proud to bring our experience and expertise to the table, fostering strong relationships with our CNI clients and making a meaningful impact in the industry.
5. How do you stay ahead of a rapidly evolving threat landscape?
As a seasoned security expert and curious hacker, I believe staying ahead of the rapidly evolving threat landscape requires a unique combination of hands-on experience, ethical awareness, and historical context.
With a background in building secure software and contributions to the security community, I've developed a keen understanding of the threat landscape. I emphasize the importance of ethics in hacking, distinguishing between genuine threats and marketing hype.
While some threats may evolve, others remain unchanged. For instance, website vulnerabilities such as direct object parameter manipulation and SQL injection have persisted since 1998.
To effectively protect against threats, one must adopt the mindset of a hacker, scrutinizing the entire attack surface, including physical and process-based vulnerabilities. This comprehensive approach is rooted in hands-on experience, lending itself well to regulatory review, assessment, and understanding the intricacies of secure software.
At Proactive Risk, our team possesses this context and expertise, enabling us to provide nuanced guidance on navigating the complex threat landscape.
6. How do you scale your services to accommodate a growing list of customers and regulatory requirements?
To scale our services and accommodate a growing list of customers and regulatory requirements, we rely on our team's extensive experience and expertise. As a boutique consultancy, we're intentional about our growth, focusing on quality over quantity.
To amplify our impact, we leverage partnerships like Apptega, which enables us to efficiently manage and scale our services. We also invest in capacity building, collaborating with top universities and participating in industry working groups to advance best practices.
Our commitment to giving back is reflected in our support for underserved communities. We provide pro bono guidance and expertise, contributing to the greater good and empowering positive change.
7. How do you bundle your security and compliance services (pricing, packaging, positioning, etc.)?
Proactive Risk offers flexible security and compliance services tailored to meet the unique needs of our clients. Our services can be engaged on a one-time assessment basis or as part of an annual program management agreement.
Our annual program includes virtual CIO/CISO oversight, with a predetermined number of hours allocated to support clients in addressing their people, process, and technology needs. This can range from 10 hours per quarter for strategic guidance to several hundred hours per year for more comprehensive support.
We intentionally separate our security and compliance services to maintain objectivity and avoid conflicts of interest. This means we can provide independent assessments, roadmaps, and recommendations without the influence of potential product sales. Clients can engage us for assessments and then seek implementation services elsewhere, or vice versa. Our goal is to provide transparent, unbiased guidance that prioritizes our clients' needs above all else.
8. How are you delivering your compliance services? Is it offered as a formalized compliance offering?
We deliver our compliance services through tailored assessments that address specific regulatory requirements. Organizations seeking to ensure compliance with relevant standards and regulations can engage us for a formalized compliance assessment. However, we also recognize that security concerns often take precedence over compliance, and some clients may only require a maturity assessment to meet minimum regulatory requirements and mitigate potential liabilities, such as SEC penalties for non-compliance.
9. Do you have a favorite compliance framework? Why?
I have a strong affinity for the CIS Controls and the Open Web Application Security Project's (OWASP) Application Security Verification Standard (ASVS). These frameworks offer comprehensive, industry-recognized guidelines for securing critical infrastructure and applications. I appreciate their emphasis on actionable, risk-based approaches that prioritize the most critical controls and vulnerabilities. By leveraging these frameworks, organizations can establish a robust security posture and demonstrate compliance with regulatory requirements.
10. What are the most common gaps or pitfalls you see when it comes to cybersecurity and compliance management?
The most common gaps we see in cybersecurity and compliance management are documentation and resource allocation. Many organizations struggle to keep up with documentation, particularly in fast-paced environments. This is why many turn to tools to help with logging, recording, and policy management.
From a compliance perspective, having a framework in place is just the starting point. Without formal documentation and a clear understanding of your assets, you're exposed to unnecessary risk. Inadequate patch management is another common pitfall.
As a seasoned cybersecurity expert, I know that attackers look for vulnerabilities to exploit. Controls are put in place to limit access to these vulnerable areas. However, if you don't allocate sufficient resources — including budget, people, technology, and processes — you'll struggle to maintain effective controls.
This resource gap is a common challenge many organizations face. It's essential to recognize that compliance comes with a cost, and that cost must be factored into your overall business strategy.
11. What are your thoughts on compliance as a growth area for Proactive Risk (and for other providers)?
Compliance is a strategic growth area for Proactive Risk and the industry at large. We view compliance as the “brakes” that empower businesses to accelerate with confidence. Just as reliable brakes are crucial for safe driving, effective compliance controls are essential for mitigating risks and avoiding costly setbacks.
In today's fast-paced business landscape, companies must balance their need for speed with the need for control and risk management. Compliance provides a framework for achieving this balance, enabling organizations to innovate and grow while maintaining the trust of their customers, partners, and stakeholders.
We're committed to helping our clients navigate the complex compliance landscape and demonstrate commercially reasonable security practices. By doing so, we enable them to achieve their business objectives while minimizing the risk of non-compliance and its associated consequences.
12. What's your outlook for the provider space over the next several years? What does it mean for Proactive Risk?
The provider landscape will continue to evolve over the next several years, with a growing emphasis on accreditation and demonstration of competency. Buyers will increasingly seek out providers who can validate their expertise through certifications and proven track records.
At Proactive Risk, we're committed to solidifying our position as a trusted niche provider, delivering specialized security and compliance services to organizations that prioritize these critical aspects. Our goal is to empower clients to make informed, risk-based decisions, thereby protecting themselves against an ever-evolving threat landscape.
13. Are you seeing increased financial pressure within the industry? If so, what does it mean for providers, specifically regarding the need to meet revenue goals?
Yes, the industry is experiencing increased financial pressure, primarily driven by buyers seeking lower costs. This creates a challenging dynamic, where providers are caught between delivering high-quality services and meeting revenue goals.
The reality is that buyers often face a trade-off between cost, speed, and quality. While they may desire all three, it's often impossible to achieve. As a result, providers must navigate this tension and make strategic decisions about their service offerings, pricing, and investment in talent and technology.
14. Why did you decide to partner with Apptega? What challenges were you trying to solve?
We partnered with Apptega to address a key challenge: effectively communicating complex risk and compliance information to both technical and non-technical stakeholders. Apptega's innovative platform provides an intuitive, visual dashboard that simplifies risk management and compliance.
Apptega's solution enables us to provide our clients with a clear, high-level view of their risk posture, as well as the ability to drill down into specific control areas. This flexibility is invaluable in helping our clients understand and address their unique risk and compliance challenges.
By leveraging Apptega's platform, we've been able to overcome the limitations of traditional spreadsheet-based approaches, streamlining our risk and compliance management processes and delivering more value to our clients.
15. How are you using the Apptega platform? Why is it important?
We've seamlessly integrated the Apptega platform into our assessment services, delivering comprehensive 30- to 45-day evaluations for our clients. Apptega serves as a unified data repository, streamlining the collection, analysis, and management of compliance and risk data. For clients requiring ongoing support, we offer annual subscription-based program management services, ensuring a robust security posture and adherence to regulatory requirements. Additionally, we leverage Apptega's API capabilities to connect disparate data points, rapidly delivering value to our clients and empowering informed decision-making.
16. What has been your experience working with Apptega?
My experience working with Apptega has been outstanding. I've been impressed with the company's vision and direction, and I appreciate the value their platform brings to my clients.
One of the features I find particularly valuable is the cross-mapping capability, which enables me to help clients navigate multiple compliance frameworks and regimes. By creating customized assessments, we can focus on the specific challenges and risks they face and deliver actionable insights that drive meaningful security improvements.
Apptega's platform has become an essential tool in my toolbox, helping me to effectively communicate what “good” looks like to my clients and guide them toward achieving robust security and compliance postures.