Risk Journeys with Brendan Fitzpatrick

Published by Axio

As one of Axio’s first core team members, Brendan Fitzpatrick has been involved in the evolution of our expert methodology. He has served many crucial roles, including helping guide new features for the Axio360 platform, leading the sales team, and now launching our global partner program. We are very pleased to have Brendan as our guest this week.


Axio:

How about we begin the interview by going back to the beginning of your cybersecurity career. How did it all start?

Brendan:

I’ve always been interested in technology and graduated from college with a computer science degree. I began my professional career as an officer in the Army. I didn’t do much work with computers at first, as I was more focused on passing Ranger School and leading Soldiers in the Middle East.

Axio:

That sounds dangerous but exciting. Where were you based out of?

Brendan:

My very first assignment was of course Fort Benning, GA (aka the Benning School for Boys) where I went through basic officer training and Ranger School. Later I was stationed in Italy, Arizona, Colorado, and Virginia.

Axio:

What was the turning point towards doing cybersecurity work?

Brendan:

Things changed in 2011 when I picked up a specialty through an intensive training program the Army offered. I became a telecommunications system engineer, learning from the country’s foremost experts on network engineering.

Axio:

What happened after the intensive training program?

Brendan:

I went to Army Cyber Command and served as a network engineer. That’s how I got into the world of cybersecurity specifically.

Axio:

What kind of cybersecurity things were you doing at Army Cyber Command? Or is that top secret?

Brendan:

No, I can talk about my role there. At Army Cyber I was managing the access control lists for the whole Army, managing their continuity of operations plan and exercises, deployment of the Joint Regional Security Stacks, and configuring the Splunk instance for portions of the network.

Axio:

Sounds like it was a great place to build a solid base of cybersecurity knowledge. But you ended up leaving the army and transitioning to the academic world. Can you describe that transition?

Brendan:

Yes, in 2014 I left the Army to work at Carnegie Mellon University. They have a federally funded research and development center called the Software Engineering Institute (SEI). I worked in their CERT division.

Axio:

Does CERT stand for anything particular, these days?

Brendan:

Back in the 1980s, in the days of the Morris worm saga, CERT stood for Computer Emergency Response Team. The institute’s role and priorities have changed a lot since then, but it has always been associated with the birthplace of cybersecurity. They do a great deal of research that shapes the future of cyber.

Axio:

What kinds of initiatives were you involved with at CERT?

Brendan:

Well, originally, I thought I was going to be doing all this exploitation work. But I actually ended up leading projects in cyber risk management. At CERT, I met Nader Mehravari, who later became Axio’s chief scientist and an early employee. Interestingly enough, I was building and using risk management processes in the Army, I just never formally put a name to it until I was at the SEI.

Axio:

And then you left CERT to join Axio. That must have been a pivotal moment, and a “risky” one, joining a new startup?

Brendan:

I learned a great deal from Nader at CERT in a very short period of time. When he left CERT to join Axio, it felt like I lost access to a valuable mentor. He had great things to say about Axio’s co-founders, and that meant a lot coming from him. I didn’t have to think twice when the opportunity to join Axio presented itself.

Axio:

What were you doing at Axio when you started?

Brendan:

In the early days of Axio, I did professional services consulting. I was out in the field working with our clients, leading risk assessment and quantification workshops.

Axio:

Your role has changed throughout the years, shifting from consulting and professional services, to leading the sales team, to now launching our partnership program. What was that journey like?

Brendan:

To be fair, I was always doing sales work from day one, because that’s what consultants do to grow the business. I was on a lot of calls trying to identify pain points and align them with Axio’s solution offerings. As time went by and the Axio360 platform gained a large user base, I was able to provide feedback to help with product development. I was closely involved in the platform sales process from those early client conversations to working on the proposals for larger enterprises. There was a need to facilitate a bridge of knowledge in a rather complex and personalized sales cycle.  For our go-to-market, I was closely involved with Axio360 as both a user and a source of feedback and recommendations to the development team. So, in June of 2019, I transitioned to VP of Sales.

Axio:

That was a little over a year ago and a lot has changed since then. We now have a Chief Sales Officer, Jason Adair, leading sales and you have migrated to leading our partner program. How do you see that initiative evolving?

Brendan:

I’m still involved in the sales cycle but my focus has changed significantly. My focus is on building a world-class partner program with thought leaders in every vertical, from energy, manufacturing, financial services, healthcare, and education. We have several partners in our certified network already, such as NetFriends and Archer, as well as many more to be announced in the coming months. These organizations will not only be certified in the Axio methodology but will use their specialized knowledge (sometimes a hundred years of collective experience) to provide expert attention and customer services for our clients.

Axio:

As we have transitioned to a software vendor, do you envision this partner model to be our modus operandi in the future?

Brendan:

Yes, that is what we envision. Our partners will be trained to provide the same excellent service and even provide unique value as subject matter experts in a particular domain. I think that Axio will never lose its roots, as our founders have created the methodology Axio360 is powered by. This kind of expertise is well suited for unique use-cases for clients with complex needs. This way, we get timely feedback on new features that can influence our product roadmap.

Axio:

What do you think is the biggest pain point our customers are experiencing today?

Brendan:

I’m going to go high level with my response. There are a million things cybersecurity leaders need to do. But with limited resources, they often struggle to prioritize what is more important. And when they actually complete these tasks, they need to make sure they got value out of them. Often times companies purchase technology to solve a “problem” and realize that the issue was not solved, or that the “problem” wasn’t worth the investment in time and resources.

Companies need help understanding what’s truly at risk and what they should do. When a cyber leader is in the thick of things, fighting a tactical battle, it’s hard for him or her to come up for air and really see the big picture and decide if it’s aligned with where the organization needs to go to be secure. This is our ultimate goal with Axio360, to have the platform be easy, intuitive, and a light lift, enabling a single point of truth, an operating system for cybersecurity management.

Axio:

What’s your favorite feature(s) of Axio360?

Brendan:

My favorite features in the platform are milestones and the Kanban board for improvement planning.

Axio:

How about we start with the milestones feature?

Brendan:

I like the milestones feature because it’s like having the lifecycle of the cyber program at your fingertips. I can immediately have a complete view of the past and see whether or not the organization has been making improvements or just treading water. With milestones there’s no need to go searching for spreadsheets of various cyber risk assessments done for different points in time. These snapshots in Axio360 can also be used for comparative analysis when reporting out to the board on cyber posture improvement. It’s all part of our vision of having continuous assessments for cyber risk, an ongoing process you can return to and save great amounts of time. Imagine a company that is doing a NIST CSF assessment.  Let’s say they only focused on 15 subcategories in a given year. If they later decide to bring in a vendor like a Big 4 consulting firm for an assessment, they can save a great deal of time and money by focusing the vendor only on the practice areas they improved since the last assessment. This will save both time and money.

Axio:

How about the Axio360 Kanban planning board?

Brendan:

I really like the Kanban board because it’s the most effective way for cybersecurity organizations to collaborate on and maintain an improvement roadmap. Once you complete an assessment and get a “diagnosis” you can then easily build a plan of action. There’s no need to worry about spreadsheet version control or not capturing the timeliest information in the right place. But most importantly, it encourages real-time changes that reflect what is happening at the organization with regard to resources and budget. You can see how your future score improves as you drag and drop subcategories into different milestone columns. Everything is tied to the assessment so there’s no extra work or steps involved to keep the target dates up-to-date.

Axio:

And our final question, what’s your favorite thing about the job?

Brendan:

I have to give you two answers. Internally, it’s the people at Axio, the camaraderie I experience. As a small company, we have always worked closely to overcome any challenges that were thrown at us. It’s really good to have that kind of close support system. Externally, it’s the organizations we get to help every day. It’s really a unique opportunity and an honor to be granted access to the inner workings of a client’s security program, and be shown all the flaws, gaps, processes that need to be improved. There is a high level of trust organizations have in us, and I cherish that.


This concludes our Risk Journeys interview with Brendan Fitzpatrick, Axio’s SVP of Partnerships and Channel. If you’d like to learn more about Brendan’s recommendations and insights on the continuous assessment process, you can download our eBook coming out soon on building a Future Proof Cybersecurity Operating System.