Author
Jake Schaaf
Founder & CEO, Atticus Rowan
Two decades of managed IT and cybersecurity experience supporting manufacturers, financial services firms and private equity portfolio companies where compliance, customer security audits and cyber insurance carry real operational weight.
Published works
51 posts on cybersecurity, compliance, cyber insurance, PE diligence and managed IT.
Bakery customer audit deep dive: when the branded customer sends a 60 question security review
How small and mid-market bakeries answer a 60 question supplier security audit from a branded national customer without missing the renewal window.
Peanut and nut processing cybersecurity: FSMA, food defense and allergen segregation
Cybersecurity for peanut, tree nut and seed processors operating under FDA FSMA: allergen segregation system integrity, food defense plan IT alignment and customer-audit readiness.
Meat and poultry processing cybersecurity under USDA FSIS
Cybersecurity for meat and poultry processors operating under USDA FSIS continuous inspection: OT segmentation, FSIS reporting, recall posture and customer-audit readiness.
Dairy processing cybersecurity: OT, cold chain and USDA reporting
What dairy processors should expect from a cybersecurity program: OT segmentation, cold-chain monitoring resilience, USDA FSIS reporting and customer-audit readiness.
PE diligence in food processing: what sponsors look for
The 10 cybersecurity diligence items that move price or kill deals in food processing PE transactions. Where dairy, meat and nut processors typically fail.
When the customer security audit visit lands, a manufacturer's prep playbook
What changes when an enterprise customer's security team books an on-site or remote audit visit at a mid-market manufacturer, and how to be ready before the calendar invite arrives.
Detroit, PE portfolio cybersecurity in the sponsor-office corridor
Why the Detroit metro's sponsor-office density makes portfolio-company cybersecurity a different operating problem than it is in lower-density PE markets, and what works.
Walking through a customer security questionnaire, section by section
What enterprise customers are actually measuring when they send a vendor security questionnaire, and how to answer each section without overpromising or underselling.
Medical practice IT, HIPAA safeguards in 60 to 90 days
A practical 60 to 90 day plan for medical practices to bring HIPAA Security Rule safeguards to a defensible baseline, from risk analysis to access controls to incident response.
Application allowlisting for the small-business reality
A practical view of application allowlisting at the mid-market — what it protects against, why most mid-market firms don't need it yet and when the calculation actually flips.
Endpoint privilege management without breaking your users
A practical approach to removing local admin rights from workstations at mid-market firms, with just-in-time elevation, approval workflows and rollout sequencing that users will actually tolerate.
The IT transition from 25 users to 75 users
A practical playbook for the IT and cybersecurity transitions a small business has to navigate as it grows from 25 users to 75, with what breaks and what to build at each milestone.
Cybersecurity and enterprise valuation, how much it actually matters
A practical view of how cybersecurity posture affects transaction outcomes, deal multipliers and retrade risk at mid-market PE exits, with honest ranges for the magnitude of impact.
Security marketing vs. security evidence
Why enterprise buyers, auditors and cyber insurance underwriters discount marketing language in security questionnaires, and what audit-grade evidence actually looks like.
Post-incident review, what to document, what to change
A practical format for the post-incident review that produces operational improvements instead of blame, scar-tissue over-correction or a forgotten document nobody reads again.
How to build a cybersecurity program document your customers accept
The contents, structure and maintenance cadence for a cybersecurity program document that holds up to customer audits, cyber insurance renewals and SOC 2 readiness assessments.
Microsoft 365 security baselines, the 10 settings that matter most
The 10 Microsoft 365 security configuration changes that reduce risk most at the mid-market level, with honest notes on which require E5 and which work on E3 or Business Premium.
SIEM at the mid-market, when it's worth it, when it's overkill
A practical read on SIEM for mid-market firms — what the technology actually does, when the cost is justified and the three alternatives most firms should evaluate first.
Incident response when you don't have an in-house team
How small and mid-market firms actually respond to cybersecurity incidents without a dedicated security team, from MDR coverage to IR-firm retainers to executive decision-making during the first 4 hours.
Breaking free from break-fix, what changes with managed IT
A practical look at what changes when a small business moves from break-fix IT to a managed services engagement, from cost predictability to security posture to the 3 AM call.
Vendor risk management at 40 employees, without a GRC tool
A practical vendor-risk program for small and mid-market firms that cannot justify a GRC platform, built around a maintained spreadsheet, a tiered review cadence and a clear escalation path.
Network segmentation, when a flat network becomes a liability
A practical view of network segmentation for small and mid-market firms, what it actually means at this scale, what it protects against and how to phase the implementation without disrupting operations.
Your first ransomware tabletop, a sample script
A working sample script for a mid-market firm's first ransomware tabletop exercise, including agenda, scenario, injects, decision points and the artifacts it should produce.
Cybersecurity for community banks and credit unions, the examiner's list
What FDIC, OCC, NCUA and state examiners actually look at when they review a community bank or credit union's cybersecurity posture, and what a credible program looks like at the mid-market asset level.
CIS Controls v8, the practical prioritization most MSPs skip
A working guide to the CIS Controls v8 Implementation Groups, why most MSPs ignore the prioritization and how a mid-market firm should actually sequence the 153 safeguards.
MDR vs SOC-as-a-service vs running it yourself
A practical decision framework for mid-market firms choosing between managed detection and response, SOC-as-a-service and building an in-house SOC.
Law firm data protection, matter segregation and encryption practices
The practical data protection obligations a modern law firm carries, from client confidentiality and matter segregation to encryption, access controls and the new wave of enterprise-client security requirements.
Insurance agency IT, what your carrier expects from YOU
The cybersecurity and IT expectations insurance carriers, E&O underwriters and state regulators increasingly place on independent insurance agencies, and how an agency should actually comply.
Carve-out IT, separating systems from a Fortune 1000 parent
The practical IT and cybersecurity workload of a PE carve-out from a Fortune 1000 parent, from TSA planning to standalone environment build to post-close operation.
What a ransomware incident actually costs
The real cost categories of a modern ransomware incident, why the ransom is usually the smallest line item and how mid-market CFOs should frame the exposure.
IT for senior-care operators, HIPAA, multi-site and the state inspection
The practical IT and cybersecurity workload a multi-site senior-care operator carries, from HIPAA safeguards to the state inspection readiness the corporate office rarely thinks about.
What actually lowers your cyber insurance premium
The specific control changes, evidence artifacts and broker moves that actually lower cyber insurance premium at renewal, and what does not.
Tested restores, how to verify your backup strategy is real
A working runbook for backup restore testing, what each cadence should cover and why a backup that has never been restored is not a backup.
OT cybersecurity for mid-market manufacturers
Why operational technology needs a cybersecurity program distinct from corporate IT, what the IEC 62443 framework expects and how a mid-market manufacturer should sequence the work.
HIPAA for business associates, what's in a BAA and what's not
What a Business Associate Agreement actually commits a vendor to, where the common misreadings surface and how a BA should build the program the BAA promises.
MFA, EDR and offline backups, the cyber insurance triage list
The three controls that carry the most weight in modern cyber insurance underwriting, why they became the triage list and how to confirm yours are actually operating.
Zero Trust for small and mid-market: what to do first
A practical Zero Trust sequence for companies of 50 to 500 employees, honest about what is achievable without an enterprise identity team and what is not.
SOC 2 readiness vs. audit and why your MSP doesn't do audits
Why SOC 2 readiness and the SOC 2 audit are distinct engagements, why one firm cannot do both and how to sequence the two without burning budget or credibility.
3-2-1-1-0: the new backup baseline
The updated 3-2-1-1-0 backup rule, what each digit actually requires and why the classic 3-2-1 guidance is no longer enough for modern ransomware threat models.
Your cyber insurance renewal questionnaire is getting harder, a walkthrough
A walkthrough of the modern cyber insurance renewal process, why the questionnaire has doubled in length since 2022 and what the underwriter is actually measuring behind each section.
The 25 questions you'll fail on your next cyber insurance renewal
The 25 cyber insurance renewal questions most mid-market firms answer weakly, what each one is really measuring and how to close the gap before your carrier notices.
The 100-day cybersecurity plan for a newly acquired portfolio company
A practical 100-day cybersecurity playbook for PE operating partners and portfolio-company CFOs, covering the assess, stabilize and execute phases of post-close.
Your first enterprise customer security questionnaire, what to expect
A practical walkthrough of the enterprise customer security questionnaire, what the buyer is actually measuring and how to respond without burning the deal.
SOC 2 Type I vs Type II: what your enterprise customer actually wants
A practical breakdown of SOC 2 Type I and Type II reports, what each one proves, and how to decide which to pursue for your first enterprise customer review.
Cybersecurity diligence for a PE sale: what buyers actually check
A practical field guide to the cybersecurity evidence buyers, operating partners and lenders review during a lower-middle-market PE transaction.
Phishing-resistant MFA: FIDO2, passkeys and what's coming next
SMS codes and push notifications are no longer enough MFA for serious cyber insurance or customer review programs. The move to FIDO2 security keys and passkeys is underway, here's how it works and what to deploy.
Ransomware-hardened backup: what 'immutable' actually means
Your backup strategy is only as good as your last documented successful restore. A practical explanation of immutability, the 3-2-1-1-0 rule and what ransomware-hardened actually requires.
NIST 800-171: the 110 controls and which ones eat the budget
A practical breakdown of the NIST 800-171 control families, which controls take the most effort for small and mid-market organizations and how to sequence the 90-120 day compliance arc.
EDR vs antivirus: what actually changed and what still matters
Your cyber insurance carrier is asking about EDR because traditional antivirus stopped being enough around 2017. Here's the practical difference and what to deploy.
NIST CSF 2.0 in plain English: what changed and why it matters
NIST CSF 2.0 added Govern as a sixth function and reorganized how small and mid-market organizations should think about cybersecurity. A practitioner's translation.
Password managers for small business: why, which and how to roll one out
A 25-person firm can deploy a business password manager in under two weeks and eliminate the worst category of credential risk. Here's the plan.