Greg Schaffer: Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. Today’s guest is Jonathan Weaver. He is a seasoned cybersecurity and compliance leader with a passion for turning risk into resilience and security into trust. Based in Middle Tennessee, Jonathan brings deep expertise across governance, risk, and compliance, supported by certifications including CISA, CISM, CEH, and CDPSE. I don’t even know what that stands for. I’ll have to ask him in a moment.
He’s a partner at ProInsight where he works with executive teams and boards to strengthen security programs, navigate regulatory requirements, and build practical value-driven GRC strategies. He serves as president of the Middle Tennessee ISSA chapter, helping grow and support the cyber community locally and beyond, including the InfoSec National Conference coming up this September.
Outside the corporate world, he’s also the founder and CEO of Reindeer for Hope. We’ll talk about that as well.
Jonathan, welcome to the show.
Jonathan Weaver: Thank you for having me.
Greg Schaffer: So that’s a lot of stuff there. So CDPSE. What is CDPSE? That’s one acronym I didn’t get.
Jonathan: That’s the Certified Data Privacy Solutions Engineer.
Greg: Oh! I should have known that. I should have gotten the DP as data privacy. Shame on me. Shame on me.
So as we start every time, I already know a lot of your story, but I’m sure most in the audience don’t. So I’d love to hear your story. Part of what I don’t know is why and how you got involved in information security and cybersecurity. And just take us all the way up today to where you’re at.
Jonathan: Yeah. So I, you know, I graduated University of Tennessee in 2010 — go Vols.
Greg: Yeah. Go Vols.
Jonathan: And networked at a kind of meet-the-firms event that was at the University of Tennessee and met an individual there that connected me with Kraft CPAs, which is now Baker Tilly here in Nashville. And that’s where I started.
I’ve always had an interest in computers and security. At the time when I was in college, it was always just audit and accounting. It was never a thing — nothing information systems. So, you know, my collateral in college was information systems.
I always had an interest in computers, technology, and really there was this kind of back channel through the college that there were these roles called at the time IT Risk and Assurance. It was really understanding technology risk, impact, compliance to organizations, and I was just really interested in doing that.
I figured the biggest place to do that was Nashville because of the firms, the access, the learning, everything. So came up here in 2012, started there, and moved — did that for about four years and then moved into working for Foremost Consulting. And after that, for about three, three-and-a-half years, moved into starting what is now ProInsight.
So then it’s been kind of a roller coaster ride because I think I’ve learned a lot through all those experiences that eventually enabled me to start my own firm, which I’ve been at for just over six years now. So it’s been a really great space to get into.
But the biggest thing is just the interest that I had in knowing about it through college and then getting into it and really marinating myself into all that it is and all that it’s become over the last fourteen years.
Greg: First of all, I did not know that you were a graduate from the University of Tennessee. I don’t know if you know, but I actually worked at the University of Tennessee, Knoxville. I actually worked for the hospital across the river there. My office was at the Henley Street building, the old Hess department store downtown. You may or may not know where that is.
But it was that job that brought me down to Tennessee before I came to Middle Tennessee. That was before you were a student there — just a couple years. It was like 1995 to 1998. So you were probably a little younger back then.
But yeah, I love that area.
So when you were at Kraft and Foremost, what were your primary responsibilities there? Were you more on the audit side or on the security side? What did that look like?
Jonathan: Yeah. So when I started with Kraft initially, it was all on the risk advisory side. It was working largely with FFIEC regulatory, and then we got into SOC 2 attestation and eventually penetration testing.
Helping take over that piece and kind of help run that function within the organization.
Greg: I think that’s when we first met. We met at FirstBank.
Jonathan: Yep.
Greg: Because we were looking for pen testing, and I think that was when you were with Kraft.
Jonathan: Yep, we were doing the FFIEC regulatory.
Greg: That’s when your FirstBank operations were in Lexington, Tennessee.
Jonathan: Lexington.
Greg: I always call it Lewisburg for some reason.
Jonathan: Yeah, Lexington.
Greg: And for those who don’t know, Lexington is a very small southern town. It’s near one of the cool state parks in the region, Natchez Trace.
There’s really nothing there for the most part except for FirstBank. People are like, why was FirstBank’s headquarters there? It’s because the owner at the time, Jim Ayers, came from Parsons, Tennessee, not too far away.
One of the things Jim taught me through example was entrepreneurship and giving back, and we’ll get to that in just a few minutes.
What made you decide to take that leap to become a security solutions provider entrepreneur? And for someone wanting to do that now, what’s some advice you would give?
Jonathan: You know, for me, I was first-generation college for my family. I always felt like success for my family history was on my shoulders to excel and grow and what that meant to me.
I’ve always had a passion for wanting to start a business, but I think it starts with knowing how the business works and how to operate it effectively.
Through the experience I gained with my previous organizations, I think that I gained enough to know how to run a business effectively, know how to price engagements appropriately, and really know how to communicate and build relationships with people so those relationships would turn ultimately into consulting jobs and engagements that would allow me to build and grow the organization.
I think entrepreneurship starts with understanding the business — understanding what was successful, what was not successful. I’ve had plenty of lunches and conversations with people that told me their successes and failures, and I used a lot of that to understand how I should approach things.
And obviously overlay all that with patience. Know that sometimes everything doesn’t work out, but not to get bogged down in that, but to use it as a way to build a more strategic approach to come at it at a different angle to make yourself more successful.
Greg: I think you pinged on something vitally important in the security field that a lot of folks overstep, and that’s the relationship aspect. We’re selling our experience, but we’re also selling trust.
Can you speak to how important trust and relationships are in our field?
Jonathan: Yeah. So I think it’s helping organizations understand things that they may not understand. That’s where consulting is so great because we see things across organizations all the time that have worked and have not worked.
Knowing those things allows us to communicate and show them, “Hey, this is how things work.” We can build a level of trust with helping them solve complex situations.
Trust is answering a phone call, answering an email, and not expecting an invoice at the end of the day. Trust is somebody I can call and know that I’m going through something and ask, “How should I go about this?”
And trust is saying — is admitting — that you can’t do things sometimes, and helping the organization find a resolution through your own time to help build that, “Okay, this is a valued partner.”
It’s really building relationships that allow people to feel like they can just have conversations with you without having any kind of strings attached.
Greg: I love one of the lines from your LinkedIn profile where you describe your work as “turning risk into resilience and compliance into confidence.”
What does that realistically look like in practice when you’re working with an organization?
Jonathan: Well, I think when you think about risk into resilience, it’s really anticipating, right? We’re anticipating threats. We’re adapting quickly. We’re recovering effectively.
We can’t eliminate all risk, right? That’s impossible. I mean, we can’t do that. So it’s about really how can we manage it intelligently enough to mitigate exposure in a specific incident.
The thing that I’ve always put into perspective is it’s like a ship, right? These large ships that float above water have kind of big metal doors that if they get hit — they hit an iceberg, they hit a big rock, they hit whatever — they can shut compartments down in the ship to keep it from sinking.
So it’s the same thing that we think about in an organization. It’s not that, you know, if the adversary gets on our network, on our environment, on our application, have we addressed enough risk to allow them to only go so far? Have we reduced our overall exposure?
Okay, they can get to this point, but then the door comes down and the water doesn’t go any further.
So it stops them where they need to go so we can float, get to safety, recover, and continue serving customers.
Greg: That’s a great visual.
A lot of organizations understand compliance. They understand frameworks and things they have to do to maintain business. But when you start talking about risk, that’s more nuanced.
What’s one of the biggest misconceptions about risk in information security, and how do you navigate through that?
Jonathan: So I think it’s communication. It’s getting the right people in the room to talk about risk and understand how this specific risk is impactful to the organization.
Because I think a lot of times when you don’t have the right people in the room to have those conversations, there can be misunderstandings, there can be misinterpretations, there can just be overall confusion when it comes to understanding what needs to be done and how this might be impactful to the organization.
At the end of the day, we don’t want organizations to be functionally siloed, right? We don’t want this fragmentation that isolates departments from departments where security doesn’t know how to work with finance and finance doesn’t know how to work with security.
It allows cross-functional collaboration so people know that they can trust security and that they can work with technology and be part of having these conversations to truly understand how risk impacts their department.
Because IT and security may not know everything that relates to financial risk. And that’s when it’s important to have these trust relationships because when you open the doors for these groups that you may not understand one hundred percent of what they do, they open up and have conversations with you about what they do. It helps you see risk differently because you learn more about what they do.
Greg: That’s so powerful.
Regulatory compliance is still a necessary aspect. Sometimes compliance can be the seed that helps organizations build security programs.
I want to go back to financial services because that’s where we first met. The FFIEC retired the Cybersecurity Assessment Tool not too long ago, and they’ve been recommending NIST CSF.
What’s your opinion on that shift?
Jonathan: Any framework only goes as far as it’s designed.
Frameworks are trying to address multiple organizations, but organizations operate differently.
For example, a framework might ask whether an organization has a firewall or uses default deny. Those are basic controls.
But beyond that, organizations need to expand on those concepts. How often are firewall rules reviewed? How long do notifications stay? All those underlying controls matter.
Frameworks help identify areas of risk that could be impactful, but organizations still need to dive deeper.
I think the FFIEC CAT was great because it helped organizations understand inherent and residual risk.
NIST CSF doesn’t focus as much on that.
I still use inherent and residual risk because there will always be some risk left over.
It’s like sweeping a floor with dust. You’re never going to get everything. You’ll be sweeping all day trying to get that last little bit.
Greg: We just throw it into a corner and get it later because we don’t want to go get the vacuum.
Jonathan: Exactly.
Greg: So I want to shift gears for a moment.
One of the things I admire about you is your heart for giving back. You’ve been president of Middle Tennessee ISSA for three years now, and you’ve also founded Reindeer for Hope.
Tell us about that.
Jonathan: Yeah, so it really came from when I moved here to Nolensville. The realtor we worked with one Christmas — I guess he pulled it out of his attic because he didn’t want it anymore — had this old wooden reindeer and set it on my front porch.
Marie and I came out one day and were like, “Oh man, that’s kind of — I wonder who set that out here. That’s kind of weird.”
So I took it back and I was like, “You know, I can make a better version of this,” because I like to do woodwork.
So I made a better version out of Eastern Red Cedar.
One day I was sitting there brainstorming and praying and things, and I was like, “What can I do with this?”
I’ve always had a passion for Angel Tree and helping provide underprivileged families and kids with toys and gifts, but I was never part of the experience that gave those gifts to the children.
Coming from my family, my mom and dad, they’re always hard workers. They struggled sometimes, but they never made us feel like we struggled.
So Reindeer for Hope helps us provide — we try to meet those families who are in poverty, through the schools and all over Middle Tennessee that need help. We provide clothing, toys, and shoes to those children and families.
We just want to be one small part of helping people.
Greg: That’s awesome.
And you have an event coming up in the fall, right?
Jonathan: Correct. We’re doing a 5K and a 1K here in Nolensville to raise money to provide gifts to children.
We did seventy-two kids last year through the organization and we’re trying to do over a hundred this year.
We got sponsors and people signing up. I used ChatGPT to create a really cool medal design and got it manufactured.
Anyone who participates gets the medal.
Greg: That’s excellent because I was concerned the only way I’d get the medal is if I won a division.
Jonathan: If you win a division, I have pins made that go on your lanyard.
Greg: Well I can tell you that’s not happening with me.
I know all this stuff — cybersecurity, entrepreneurship, nonprofits — comes with stress.
What are some of the things you do to decompress?
Jonathan: So, you know, as a pastime I do all my kids’ activities. Anytime that they have swimming, flag football, baseball, all kinds of different things they do, I try to coach as much as I can.
I’ve got two kids — they’re six and eight — and so they keep me running around with Nerf battles or things going around the house or breaking dishes and picking up messes and learning from those things.
You know, I do woodworking.
My dad was sort of a master craftsman in wood, and he builds all kinds of cool stuff. I grew up building chairs with him — little Adirondack chairs. I was his sander as a kid, so I sat there and sanded the chairs before we stained them and sent them out.
That’s where I really got interested in woodworking.
So that’s why I do a lot of work with Eastern Red Cedar wood. I make reindeer and tables and chairs and different things.
That’s kind of the things I do to get myself outside, get my body moving, and really get away from everything a little bit.
Greg: Awesome.
Outside of Reindeer for Hope and the upcoming race, what else have you got planned?
Jonathan: So we’ve got — with ISSA Middle Tennessee — InfoSec coming up in September.
So that’s a conference at Music City Center downtown. It’s the twenty-fifth anniversary of InfoSec.
That organization is in my heart. I’ve met friends there that I hope to have for a very long time.
And I think beyond making clients — even though getting clients is hard and some of these people I meet could be potential clients — to me it’s the friendship. It’s the friendship we have.
And I think a lot of times when it comes to entrepreneurship and getting clients and building, the most important thing is building relationships and letting people know what you do. In entrepreneurship and consulting especially, you fight for what’s two years ahead sometimes.
You build the relationships now for things that you may get two or three years down the road.
So patience is key, and understanding sometimes things may not work out the way that you want them to, but there’s always hope and there’s always something to be learned from that.
Greg: Well, it’s amazing all that you’re able to fit into a day, it seems like.
And particularly on that note, really appreciate you spending the time to sit down and chat with us for a little bit.
Always love chatting with you. Always learn something from you.
Again, like I said, really thankful that you’re out there not only helping to lead in the InfoSec world, but to lead in the human field.
Jonathan, thank you so much for joining us today.
Jonathan: Thank you.
Greg: And everybody, stay secure.