Reg Harnish. PHOTO: Cybercrime Magazine.

MSSP GreyCastle Security Registers Four Consecutive Years of Triple-Digit Growth

CEO Reg Harnish on how to grow a cybersecurity company during a severe workforce shortage

– Georgia Reid

Northport, N.Y. – Nov. 19, 2018

When you meet Reg Harnish, you will be impressed by his entrepreneurial spirit and business acumen. Founder and CEO of  GreyCastle Security, Harnish lives in upstate NY and has a young daughter whom he gushes about. A bit of a cybersecurity renegade, he came into the industry when his first company was forced to do a cybersecurity audit in 2002.  This, he says, was the beginning of his “love” for cybersecurity.

Under his leadership, GreyCastle has experienced four consecutive years of triple-digit growth and countless industry accolades and is working with organizations in nearly every state in the United States. Harnish also serves as a cybersecurity advisor to several educational institutions, sits on numerous cybersecurity association boards, and is a fellow of the National Cybersecurity Institute, an academic and research center based in Washington, D.C.

Cybercrime Magazine interviewed Harnish to hear his thoughts on what is working and what isn’t in a time when companies are struggling to hire and retain cybersecurity talent, let alone cover all the bases needed to prevent a breach. Harnish has a business model that is hitting home runs. Making the Cybersecurity 500 list in the services category, the company’s model is simple: Supply their clients with what they need, when they need it, educate the leadership, and skip the unnecessary hiring of people who tend to leave within 8 to 14 months anyway.

So how does this work?  Read excerpts from our interview below, and watch the interview in its entirety: 

CM: So tell me about GreyCastle and how long you have been in business.

RH: We started the business in 2011 … and it’s been a good run so far. Seven and a half years of significant growth with the last three 650 percent. We’re pretty excited about what we’re doing, and I think the market has responded to our approach, which is a little bit unique to what we see out there.

CM: I want to talk about that approach you have, with the virtualization. First off, tell me a little bit about yourself. I know our audience loves to get to know the CEOs who are behind the “Small Giants” companies.

RH: I started a couple of businesses before GreyCastle, and the company directly before was also quite successful. In 2002, we had a huge client who was interested in buying our software and so the last step was to pass a cybersecurity audit. This was the first time I’d ever even heard of the term; we’d been doing security but we didn’t call it information or cybersecurity.  I loved the way the assessment worked, and I liked how risk assessment directly affected the business.

CM: Tell me a little bit about what GreyCastle does that makes it so different and your unique approach to cybersecurity.

RH: We believe that cybersecurity buyers need a new solution. If you look traditionally at what has worked in cybersecurity, it’s been simple solutions that address point areas of risk — things like firewalls and antivirus and intrusion detection. And that’s been great, but what’s happened is that the market, our threats, the complexities, regulations, these all are much more complex than they used to be. What works for an organization today is not what worked for them 10 or 20 years ago. So, we’ve built a program where we can address every area of cybersecurity. Along the way, we have married that with another real problem area in cybersecurity, which is the talent shortage. The average tenure of a cybersecurity expert these days is somewhere between 8 and 14 months. We have built some technology, methodology, around the delivery of cybersecurity solutions. It’s working well today.

Watch the video below to see the entire interview:



CM: I want to talk about the labor shortage. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity positions by 2021. And you’re saying that it’s hard to retain talent if you are lucky enough to get good talent. So, what are you doing at GreyCastle to fight that?

RH:  The first is recognizing that this is not a technology issue and that cybersecurity is a much broader discipline than just firewalls and antivirus. If you look at governance policy, managing risk, the people issues, disaster recovery, these are all large areas of cyber that mostly go unaddressed. The average business needs an expert in encryption. They need an expert in access control, in incident response, but they generally don’t need them full time. What we figured out is how to take what they were paying in cybersecurity and essentially virtualize all that time so that they were getting experts working in every area of their business. But only when they needed them. We would manage that process as well because we are acting as their virtual CISO.

CM: Does GreyCastle have a curriculum that you develop to hire new employees, or to train employees?

RH: Yes, we did have one early on. Most of the folks coming out of college, university, or even from other organizations were not prepared for a career with us, because they didn’t think the way we did. So we worked very closely with a local community college to develop a 10-week certificate program. Anyone, whether they’re changing careers or they’ve been in cybersecurity for five years, goes through that course.

CM: You have a lot of growth going on right now. You’re going through a lot of acquisitions. GreyCastle just acquired Orange Parachute. Tell us a little bit about that and if you’re looking at any other companies.

RH: Part of our growth strategy is organic. We know we’re not going to get 650 percent growth over every three years unless we’re looking outside our existing environment. So what we do is every year we go through and we look at opportunities to grow the business. Some of them are very complementary in the sense that maybe it’s a direct competitor that does something very similar in some cases, like Orange Parachute.

CM: I know that you’re also working with the company Assured Information Security — tell me about that.

RH: Assured Information Security is essentially our parent company. They’re a majority shareholder in GreyCastle. We met many years ago and we started a conversation. They were looking to get into the private industry. AIS is really the leading offensive tools provider to the DoD and the Feds. They are there on the front lines of cyber warfare every single day. They’ve been a fabulous partner and have essentially taken what we had for growing plants and accelerated them probably 75 percent. So things that we were going to do in five years we are doing in two and a half or three years.

CM: At GreyCastle, how are you going about that when you talk to a CEO at a company and/or a CIO?

RH: A big part of it is just education. No one’s fault really, because we’re so new — very much the Wild West.  There’s a lot of people making money on selling technology, whether it works or it doesn’t. I think for businesses who are really committed to protecting data, protecting their customers, their reputation, their viability, this goes way beyond technology. So start with education. Some leadership teams are very open to it because they’re committed to survival and resilience and viability.

CM: How did you come up with the name GreyCastle?

RH: The Castle seems pretty obvious — the greatest security implement in human history. It’s survived for thousands of years. Grey — well it’s hard to communicate about cybersecurity because it is it a grey area. For us, a lot of this is about education, getting the message out, because there is a better way.

Keep an eye on this Small Giant — we have a feeling that GreyCastle will grow even more in 2019.


Cybercrime Magazine is recognizing a handful of growing and mid-sized companies in the “Small Giants in Cybersecurity” series launching Q4 2018. These relatively new or emerging firms — in comparison to household-name cybersecurity giants — have demonstrated longevity, innovation, and expertise in protecting against hacks and breaches, ransomware attacks, insider threats, and more. Both the companies and their leaders are highlighted in this ongoing feature series, showcasing their knowledge, commitment, and adept prowess in dealing with unique cybersecurity issues.

Read about more Small Giants here.

Georgia Reid