NuHarbor makes it easier to secure what matters to you. Here’s what matters to us.

Our Company Values

Lots of people ask about our values. We have three – they are our core business tenets for creating purpose and mission. They’re not esoteric company jargon that no one really understands, or some regurgitation from a 1990 HR handbook designed to make people feel warm and fuzzy.

Our values are simple; they’re easy to remember and easy to understand.

If you continue reading, you must know that this is our code and it drives decision-making within the company. These three values are in priority order, which means #1 supersedes #2, and when faced with a conflict of values we self-select and prioritize the higher-ranked value.

Here are our values:


#1. Protect the House

This means we take care of our employees first. Yes, contrary to the “customer first” business trend, our first priority is our staff, not our clients. Major airlines frame it best with their directive, “Please secure your own face mask before assisting with the face mask for others.” It’s a simple example but if you ignore that guidance and take care of everyone else first, you’ll pass out – then how helpful will you actually be?

There are many ways we demonstrate Protecting the House. All paths start with empathy. Someone needs help? Take a minute and give them assistance. Someone needs to make it to their kid’s school event? Help cover – you could be in the same spot someday. Someone is underperforming? Take time and ask questions to understand rather than casting judgement. We all fight internal battles that are private to us as individuals but have a major bearing on how we operate day-to-day. There’s a side effect to this behavior. When you put your hand up to ask for help you expose a level of vulnerability that can be uncomfortable. But when it’s returned with warm reception and assistance, trust is created. Trust is critical for strong teams and strong cultures.

We’re human. Business is human. Be respectful. Don’t be an a-hole.

The question we ask now is this: when we have healthy employees, healthy work environments, and healthy families, do you think we’ll do a better or worse job taking care of our clients? We’ll do a better job. Which leads us to our second value.


#2. Help our Clients Win

Pretty simple. Our clients partner with us because of our exceptional reputation. They hire us to achieve a specific business goal and help their organization thrive. We strive to provide positive outcomes. We commit to and promise to deliver those outcomes the best we possibly can.

Implicitly this means we operate internally with urgency to complete tasks and artifacts on time with the highest level of competence possible. Here’s the best analogy to illustrate this point. On a vehicle manufacturing line, a promise is made to the client that they’ll receive the vehicle they paid for by a certain date. It’s imperative that everyone in the supply chain operate with urgency and do what they said they’d do. Otherwise, delays are created, shoddy parts are used, and the client ultimately suffers.

What about exceeding expectations and all the other things big companies say? Do we exceed expectations? Sure, we make every effort to. That said, at some point the exceeded expectation becomes the actual expectation and you technically can’t “exceed” anymore. People who are always looking for folks to exceed can be left feeling empty with nobody to live up to their expectations. Realistically the achievement bar is always moving.

If you’re a current or prospective client reading this, know that we seek true partnership. We’re going to stand back-to-back and together we’ll deliver on your cybersecurity program. Here’s the thing about standing back-to-back – if one person ducks, the other gets hit in the back of the head. No one wants that.

This takes us to our third and final value.


#3. Always Improve

We’ve been doing cybersecurity for a long time. The number of our cumulative years of experience is really, really high. The threat landscape is shifting quickly, and new cybersecurity technology is coming out, seemingly, daily. We don’t expect our staff to know everything, but we ask them to be intellectually curious and make an effort to learn and improve based on the demands of today’s threat landscape.

Education, improvement, development – that’s not a destination, it’s a journey. It’s a race that never ends. If you expect to see the finish line, you’re going to be disappointed. Instead, we commit to the process of improving – we know the outcomes are more satisfying.

These are our values. They are in priority order. If faced with the decision of protecting our team or helping our clients win, we’ll take care of the team member first so the whole team can band together and take care of our client. If faced with the decision of helping clients win now or always improving, we help clients win first because there is always time to continually improve.

Are these real values? Yes, absolutely. Don’t believe us? We don’t care that you don’t believe us. But we’ll happily connect you with any one of our team members – hands down, they will vouch for these values in practice.

Our Origin Story

Our story starts in 2009.  At this time, I was the Chief Information Security Officer (CISO) for a company in Vermont and was aspiring to be a respected company executive.  I’ve always been enamored with information security.  I worked diligently to establish my place in the profession. I worked to get into the field, established certifications, and did everything to establish credibility. I wanted to prove I was worthy of this opportunity in the information security field.  I believed a security leadership role in a growing company would be the pinnacle of my career, and I had arrived.

As a new CISO, I quickly learned the job is not all about security.  There were a lot of politics.  People stepped on others to advance their career, and budget dollars were scarce.  I quickly learned my new job was to be the political face for the security team and to evangelize the need for security to internal business units.

In 2013, I had a small budget that was Opex (operational expenditure), not Capex (capital expenditure).  I could hire consultants (Opex), but could not arm them with security tools (Capex).  So essentially, I had a bunch of farmers with pitchforks fighting an army with automated cybersecurity weapons.  To make matters worse, I couldn’t find a single security company or partner to help me deliver my security program.  I could find security partners to do security testing, but they could not do any security engineering.  I could find companies to help me implement Splunk, but really they weren’t that good at Splunk and didn’t know anything about security.  I could find Incident Responders, but they couldn’t do anything else security-related.  I quickly realized that the security industry was, and still is, a very fragmented market full of niche vendors.  The sum of these vendors didn’t equal a full security program.

It was about 2013 when I had enough.  I was disgruntled.  After all the years of evangelizing for budget and receiving half-solutions from a fragmented security vendor market, I was now at a point where I was bad-mouthing an industry that I grew up loving.  My watershed event came that same year when my management made me hire a company in the Big 4 to do an ISO27001 Security Assessment.  That Big 4 company charged me a lot for the assessment, but from the company management standpoint it was the “safe bet” because no one can refute what the Big 4 suggests.  My question to management was: “Why are we having an accounting firm assess our security? You would never have an information security professional suggest an appropriate chart of accounts or do someone’s taxes!”

The short story of the assessment was that it was a disaster.  That Big 4 company sent me staff members just out of college.  Their lead assessor had never done an ISO27001 assessment.  Having been an auditor in the past, I understood the auditee has an obligation to feed the auditor information to arrive at mutually beneficial recommendations–so I helped with the audit as it was an opportunity to push the security agenda and get the issues I needed fixed highlighted to the management team.  For the big price tag, I expected the auditors would be practiced in the standard.  I was, again, disappointed. I helped teach ISO27001 to their organization.  After helping my Big 4 partner write the report and do the board presentation, I had transitioned to completely cynical.

Late 2013, I took two weeks off to reset on my career.  I traveled to Australia with my wife who was speaking at a conference.  With the time zone change and alone-time, I reflected with uninterrupted thoughts on the last few years.  Completely cynical and hating security, I realized I had two options–I could complain and let the issue persist or I could take action.  I chose action, and NuHarbor Security was born.  When I returned from Australia, I quit my job as CISO and began NuHarbor Security’s mission.

Today NuHarbor means a New Understanding of the Harbor, and Harbor is a synonym for someplace safe.  We do security differently–the right way, and the way it should be done.  We come from a place of having walked a mile in your shoes, we’ve sat on your side of the table, we understand the challenges, we understand the frustrations. There’s a better way to do security.  Today our mission is to be the absolute best information security service firm in the security services industry.  We provide end-to-end security services, and we are continually evaluating our portfolio to deliver relevant security services.  We have developed a best-of-breed philosophy around security technology and have developed deep industry expertise around those technologies.  For many of our clients, our approach to security, our comprehensive offerings, and our client-first perspective make us a long-term security partner.

Justin Fimlaid

CEO & Founder