
The innovators: Nick Yonko - Hershfield Consulting LLC

Andrew Robinson | December 13, 2021


In short, Nick Yonko is an Information Security superstar.

I could leave it at that, but here's a little more just to rub it in.

As an information systems and security professional and entrepreneur for well over 20 years, Nick's innovation in sustainment, development and solutions delivery has been felt everywhere from retail and engineering to aerospace, banking and education.

A devout believer in the power of collaboration and creativity, Nick has developed high performing teams of information systems professionals by changing their self-perception and guiding their vision to drive business value.




Many companies right now are trying to get cyber insurance to protect their brands moving forward, but understanding the risks to their organization in today's complicated world is something quite different.

In this chat, Nick Yonko covers everything from securing organizations and risk quantification to closing GRC gaps and regulatory concerns for the supply chain.

Let's get stuck in...


How can a business start making themselves more secure right now? 

That is exactly a start in determining what your risk exposure is. Not every organization has the same risk.

You look at what the risks are that you are exposed to, and then you measure your risk appetite. There are a lot of threats out there in cyber space, not to mention within businesses themselves.

However, you may not be vulnerable to every single threat that you see. Things like identity theft, for instance, which is a really hot topic today, is something that a lot of people are concerned about, but if your business does not store, transmit or process any personally identifying information then identity theft is probably not something that your company is necessarily exposed to.

Thus, it is important to understand how much of a threat a risk really is to your organization. And prosecute how much you are going to spend to mitigate or eliminate that threat. That is the place where every organization should start. 


I have identified the scope of my risks, now what? 

Well, a good place to start is to create a risk hierarchy. You gauge your risk appetite, and you look at which risks are most likely to be realized in your organization and which one of those risks would have the highest impact.

You do this to ensure that the next steps you take to mitigate that risk are the right ones because security if done improperly can be expensive. So, you really want to make the right investments in the right places to ensure the long-term security posture of your company.

Some of the risks you see, while they are real, may be unlikely to ever be exploited.


What's my first step to better security after this evaluation? 

The first step is governance. What I mean by governance is really just a process and an approach to quantifying all that risk.

When you start down the road to better security, the complexity, and the depth of what constitutes the makeup of your organization can be surprising sometimes.

There are a lot of organizations that do not know all the aspects of data that the organization is processing to do business, and keeping track of the massive information that is collected through that process can be really daunting.

It is a clear space where a GRC tool is a necessity, and 6clicks is one of those tools that really shines in this space. When you are identifying, implementing, and monitoring security operations, it cannot be done just via email and spreadsheets.

You are quantifying and qualifying risks, implementing controls, monitoring these controls, and working to improve your information security posture, which requires your security operations, IT security, development operations, all to be operating from a unified playbook.

This is why the tool that Hershfield Consulting uses to manage that playbook is 6clicks. 


Why choose Hershfield Consulting when considering uplifting GRC activities? 

It is always good to have a tool to manage the data and keep it coordinated. At Hershfield Consulting, we have experience in business, technology, and concerning security consulting. 

We bridge the gap between that knowledge, and the execution of a better security posture using 6clicks.

We align governance, security operations through a conversation with your organization. Governance, Risk, and Compliance alone can look like trying to boil the ocean. We work hard to make it consumable, while at the same time working to make your organization more secure.  

We have the capability to build your information security program in a way that will help you to develop a stronger security posture for the long term. Being compliant with the regulation, and being more secure, are really two separate things.

Hershfield's expertise bridges the gap between them. 


Many organizations are still struggling with supply chain risk management, is there a quick fix here?

There is not exactly an 'easy' button but there are ways to make it simpler, and this is one of the things that Hershfield prides itself on.

We pursue relationships with the organizations that we work with. We call this our longevity promise. We stay there beyond the engagement to ensure success.

We believe this approach is paramount when talking about a supply chain with an ever-changing environment and an ever-changing ecosystem of third-party suppliers and vendors that are supporting your organization.

Then it is all about the governance. The process that you are using to analyze those third parties is particularly important. You build a process to mitigate the risk to that supply chain, while at the same time complying with regulatory requirements through that governance process, and we at Hershfield bring our expertise in a variety of industries.

Diligence and planning are key. It is critical to not only develop the viability of your key suppliers but also a validation of their information security programs is important. This is what makes that chain of trust strong between you and your customers.

When you develop that assurance between what your security posture is, coupled with your supply chain, and then deliver that responsibility and accountability message to your customers - priceless. 


With your cyber hat on now, what are industries struggling with the most now? 

One of the areas that has been interesting to me recently is the executive order on zero trust architecture.

That impacts a variety of industries and a whole array of areas when you are talking about agencies that are government contractors to the US Federal Government.

I don't think it is a question of which 'industry'. More likely, it is a willingness to execute and awareness of the threat - in general.

Every organization has different risks, but not every organization realizes what those risks are, what they are exposed to.

Most of the big cyber criminals out there that you hear about in the news have executed things like virus attacks or ransomware attacks. They have a specific profile of victims that they are looking for because they have a specific result that they are trying to achieve without going into a lot of detail about all of that.

In the end, every single company that has a customer that they are trying to provide a service to is at risk at some level. And it is just coming to an understanding of what that risk is and what the best way is to mitigate it for your industry in your context.

There really is no way to do a peanut butter spread across an entire industry saying they are more or less reticent than another. 



Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.