Discover how our cybersecurity team tackles complex challenges by prioritizing communication and collaboration. Their role-based expertise provides insight and support into every area of cybersecurity – even the ones you may not realize you needed.
In brief:
The takeaway: Centric Consulting’s cybersecurity team has the right expertise and the right approach to solve your toughest cybersecurity challenges.
Like, what kind of challenges?: With today’s ever-evolving cybersecurity threats and regulatory landscapes, you’re pressured to meet cybersecurity compliance deadlines or react quickly to emerging threats, but you may not have a chief information security officer (CISO) or employees with the right skills to do the work.
Finding those people can’t be that hard, right?: There’s no shortage of companies offering cybersecurity services. The larger ones come with lots of bodies and a high price tag. Smaller firms offer cookie-cutter solutions that don’t meet your needs.
Give it to me straight!: Centric Consulting Cybersecurity Senior Manager and Technical Lead Mike Hamilton says, “I have a lot of clients who have been sold some snake-oil solution guaranteed to stop 100 percent of all breaches. We see this all the time. The marketing in this field is criminal.”
OK, so now what?: Read this blog to learn how Hamilton and three of his colleagues — Jamie Rucker, Matt Kipp and Shane O’Donnell — work collaboratively to be the right cybersecurity team with the right solutions for your most valuable digital assets.
We Start With Conversations, Not Assumptions
“The first step is understanding the organization’s regulatory landscape and stakeholder needs,” said Jamie Rucker, senior manager and governance, risk management and capability (GRC) lead. “We meet with key personnel across departments to build consensus about what security means for their specific organization.”
In Rucker’s view, a successful cybersecurity project starts with a conversation — or dozens of them — not assumptions.
“In a recent Centric engagement, I was blessed to have the person I was working with say, ‘You need to talk to these 30 stakeholders and get an understanding of the perception of our risk team,’” he recalled. “That’s how I would prefer every single engagement to happen. Invite us in so we can get a good understanding of what’s going on in the organization.”
Rucker, a former senior program manager for security GRC at Salesforce and director of compliance management information systems at Navient, uses those interviews to build a framework for the assessment. He has experience with HIPAA, PCI DSS, GDPR and other leading security frameworks. Decision points include:
- Which systems contain sensitive data
- How leaders currently make security decisions
- How the organization defines and measures risk
With the framework identified, Rucker uses his expertise in issues management, regulatory and compliance training, and policy management to help determine his client’s GRC vision and develop their strategic roadmaps.
“Without understanding what matters most to the business, even the most technically sound security analysis can miss the mark,” Rucker added.
We Cut Through the Jargon
With the framework, vision and roadmaps in place, Director of IT Risk and Cybersecurity Matt Kipp — who is also an identity access management (IAM) and security frameworks expert — can then evaluate the organization’s existing security structure against industry standards.
“My role is to boil things down to what makes sense in the real world,” Kipp explained. “Many organizations get overwhelmed by security frameworks because they seem abstract. I make them practical and implementable.”
Kipp’s ability to simplify comes from his deep understanding of modern security challenges, built over his 20 years of risk-control experience. Those decades included serving as lead analyst for SAP GRC for General Motors, which gave him even deeper insight into enterprise-level security requirements.
In his IAM role at Centric, Kipp:
- Conducts gap analyses between current practices and required controls
- Ensures control framework alignment to ISO, NIST, PCI, and CMMC standards
- Maps critical data and processes
- Performs IAM reviews and process updates
- Tests internal controls against Sarbanes-Oxley and Information Technology General Controls standards
“There’s a lot of jargon, abbreviations and acronyms in the security field,” Kipp said. “My goal is to help clients understand what we are testing for and then present our recommendations in clear, understandable terms.”
Rather than overwhelming clients with security jargon, he presents findings in clear, understandable terms with realistic expectations.
We Put Security to the Test with Penetration Testing
While Rucker and Kipp focus on frameworks and governance, Mike Hamilton puts his clients’ systems to the test. Centric’s senior manager and technical lead for pen testing, Hamilton brings a criminal justice background and mindset to identifying and exploiting vulnerabilities in clients’ networks to show where the weaknesses lie.
“Most companies focus on flashy, advanced threats while neglecting the basics,” Hamilton notes. “Our job is to show them how attackers actually get in, which is usually through simple vulnerabilities and human error.”
In addition to pen testing, Hamilton’s technical expertise includes:
- Network and system reconnaissance, scanning, and enumeration
- Social engineering (manipulating employees to gain access)
- Vendor solution validation (testing if security products deliver on their promises)
He uses both manual and automated techniques to thoroughly test client systems, networks, web applications, and infrastructure components. Regarding AI, Hamilton pointed out that its relationship with cybersecurity is complicated.
“AI is everywhere now — in our phones, in apps, in every Google search,” he said. “As security experts, we do see how we can use it for offensive security and penetration, and it can automate many tasks.
“However,” he continued, “we also see AI as a huge attack surface and something that bad actors can abuse and manipulate. A hands-on keyboard threat actor probably needs to be dealt with by hands-on keyboard smart defenders who know how to use AI.”
Besides, many attacks don’t involve much technology at all. That’s where Hamilton’s experience as a correction officer comes into play.
“We’ve successfully gained unauthorized access to secure facilities, including bank vaults and server rooms, by posing as repair personnel or using other social engineering tactics,” he said. “Companies often have a false sense of security from expensive alarm systems, for example, which they haven’t properly tested. We kick the tires on those products to see if they actually do what they claim.”
Seek a Cybersecurity Partner Who Values Results, Not Checklists
As vice president of Cybersecurity Consulting Services, Shane O’Donnell brings nearly 20 years of experience in GRC to coordinate the work of cybersecurity experts like Rucker, Kipp and Hamilton. His goal: to translate the team’s findings into actionable business decisions.
“Our clients need cybersecurity that balances protection with practicality,” O’Donnell said. “We’re that middle ground between the big firms that charge premium rates and the budget providers that just throw bodies with cookie-cutter solutions at the problem.”
Through his leadership, O’Donnell ensures that:
- Assessment findings align with business objectives
- Recommendations are prioritized based on risk and feasibility
- Clients receive a clear, jargon-free report that they can act upon
- The assessment provides genuine value rather than checkbox compliance
O’Donnell’s background makes him especially suited for this leadership role. With extensive experience growing and mentoring high-performing technical teams, he understands both the technical and human aspects of cybersecurity challenges. However, he says Centric’s unique culture and approach to teamwork help the cybersecurity team achieve these objectives.
“At previous places I’ve worked, the employees competed against their peers,” he said. “They were told, explicitly and implicitly, ‘You’re being measured against the person sitting next to you,’ and the metric often came down to speed. That doesn’t lead to the right team environment.
“When you’re looking for the right team,” O’Donnell concludes, “you need to find a place where everyone can succeed, not a place where people are judged on how quickly they appear to wrap up projects or the number of hours they log. Our focus on outcomes creates a healthier, more sustainable approach that leads to more secure systems for our clients.”
Do you need to bridge your cybersecurity talent gap right now? Find out how we’ll build the right team to deliver the scalable, on-demand expertise you need to future-proof your cybersecurity model.