Our origin story
Letter from the CEO
Our story starts in 2009. At the time, I was the Chief Information Security Officer (CISO) for a company in Vermont and was aspiring to be a respected company executive. I’ve always been enamored with information security, and I worked diligently to establish my place in the profession. I completed certifications and did everything I could to establish credibility. I wanted to prove I was worthy of this opportunity. I believed a security leadership role in a growing company would be the pinnacle of my career, and I had arrived.
As a new CISO, I quickly learned the job wasn’t all about security. There was a lot of politics. People stepped on others to advance their careers, and budget dollars were scarce. I learned my new job was to be the political face of the security team and to evangelize the need for security to internal business units.
In 2013, I had a small budget that was OpEx (operational expenditure), not CapEx (capital expenditure). I could hire consultants (OpEx) but couldn’t arm them with security tools (CapEx). So essentially, I had a bunch of farmers with pitchforks fighting an army with automated cybersecurity weapons. To make matters worse, I couldn’t find a single security company or partner to help me deliver my security program. I could find security partners to do security testing, but they couldn’t do any security engineering. I could find companies to help me implement Splunk, but they weren’t that good at Splunk and didn’t know anything about security. I could find incident responders, but they couldn’t do anything else security-related. I quickly realized that the security industry was, and still is, a very fragmented market full of niche vendors. The sum of these vendors didn’t equal a full security program.
It was around 2013 when I’d had enough. After all the years I spent evangelizing for budget and receiving half-baked solutions from a fragmented security vendor market, I was at a point where I was bad-mouthing an industry that I grew up loving. My watershed event came that same year when my management made me hire a Big Four company to do an ISO 27001 security assessment. That Big Four company charged me a lot for the assessment, but from the company management standpoint, it was the safe bet because no one can refute what the Big Four suggests. My question to management was: “Why are we having an accounting firm assess our security? You would never have an information security professional suggest an appropriate chart of accounts or do someone’s taxes!”
The short story is that the assessment was a disaster. That Big Four company sent me staff members fresh out of college. Their lead assessor had never done an ISO 27001 assessment. Having been an auditor in the past, I understood the auditee has an obligation to feed the auditor information to arrive at mutually beneficial recommendations, so I helped with the audit, as it was an opportunity to push the security agenda and highlight the issues I needed fixed for the management team. But for the big price tag, I expected the auditors to be practiced in the standard. I was, again, disappointed. I helped teach ISO 27001 to their organization. After helping my Big Four partner write the report and do the board presentation, I had become completely cynical.
In late 2013, I took two weeks off to reset my career. I traveled to Australia with my wife who was speaking at a conference. With the time zone change and alone time, I reflected with uninterrupted thoughts on the last few years. Completely cynical and hating security, I realized I had two options: I could complain and let the issue persist or I could take action. I chose action, and NuHarbor Security was born. When I returned from Australia, I quit my job as a CISO and began NuHarbor’s mission.
Today NuHarbor means “a new understanding of the harbor.” Harbor is a synonym for someplace safe. We do security differently – the right way, and the way it should be done. We’ve walked a hundred miles in your shoes. We’ve sat on your side of the table; we understand the challenges, and we understand the frustrations. There’s a better way to do security. Today our mission is to be the absolute best information security service firm in the industry. We provide end-to-end security services and are continually evaluating our portfolio to deliver relevant security services. We’ve developed a best-of-breed philosophy around security technology and deep industry expertise around those technologies. Our approach to security, our comprehensive offerings, and our client-first perspective make us a long-term security partner for our clients.
— Justin Fimlaid, CEO & Founder