The 2026 Top Consultants: Dr. Jerome Farquharson

What would you say has been the biggest factor in your success so far?

The biggest factor in my success has been my unwavering commitment to understanding the industries I serve at a depth that goes beyond cybersecurity alone. Before MorganFranklin, when I joined Burns & McDonnell in 2006, I made a deliberate decision to embed myself within the critical infrastructure sectors and learn about their operational realities from the inside out. I did not approach cybersecurity as a technology problem to be solved in isolation, but as a business problem rooted in the specific regulatory, operational, and financial pressures these industries face.

That decision led me to serve on NERC standards drafting teams, sit on the Critical Infrastructure Protection Committee and Compliance and Certification Committee, and lead audits for all the NERC Regional Entities. It drove me to develop cybersecurity programs in partnership with the Department of Energy and Department of Homeland Security. It compelled me to architect an OT/IT convergence framework adapted specifically for industrial environments because I understood that operational technology and information technology could not be secured using the same playbook.

I championed the vision that creating security strategies is a business-driven and threat-based decision process. That philosophy became the foundation for everything – from the proprietary security maturity assessment methodology I created to the GRCaaS platform I designed. Deep domain expertise, combined with the ability to translate technical risk into business language that executives and board members understand, has been the single greatest factor in my career. Now at Arcova, I continue to apply that same principle to every engagement.

What do you enjoy most about your career in the consulting industry?

I enjoy the privilege of building something lasting within the organizations I serve. Consulting is not about delivering a report and walking away. It is about transforming how an organization thinks about risk, equipping its people with the tools and knowledge to sustain that transformation, and watching them carry it forward long after the engagement ends. I have had the opportunity to serve as virtual compliance officer for more than 100 organizations. Each one operates in a different context with different risk profiles, regulatory pressures, and organizational cultures. That diversity demands continuous learning and adaptation, and I find that intellectually exhilarating. I strategically designed and built an industry-leading compliance and security consulting practice within a traditional engineering firm, bringing together IT professionals, physical security consultants, compliance experts, engineers, and architects into a collaborative team capable of executing highly complex assignments. Watching that team grow and watching the business revenue grow from $1 million to $15 million annually to $160 million over 15 years has been deeply fulfilling.

I also value the opportunity to shape industry standards themselves. Serving on NERC standards drafting teams and industry committees means that the work I do does not just protect individual clients – it raises the security posture of entire sectors. I promoted a culture of collaboration and innovation among a diverse team, and that collaborative spirit extends to the broader industry. The consulting profession gives me a platform to drive change at scale, and that is what I enjoy most about this career.

What is your proudest achievement to date?

My proudest achievement is architecting and implementing the OT/IT convergence framework for industrial environments that has been adopted by 12+ major utility companies, reducing security incidents by 78% while enabling $15 million in operational efficiencies through safe automation. That framework represents the culmination of everything I have worked toward – the intersection of deep domain expertise, technical innovation, and measurable business impact. When I designed that framework, I incorporated zero-trust architecture principles adapted specifically for critical infrastructure, enabling secure remote monitoring while maintaining operational integrity. This was not a theoretical exercise. It addressed a real and urgent problem: the convergence of operational technology and information technology was creating attack surfaces that traditional cybersecurity approaches could not adequately protect. The framework bridged that gap in a way that was practical, scalable, and sustainable.

But beyond technical achievement, I am proud of the broader practice I built around it. I transformed cybersecurity services from a startup capability within Burns & McDonnell into a strategic growth engine. I grew business revenue by $10 million to $20 million annually and tripled sales in three years. I established a Security Champions Program that embedded 35+ trained security advocates within development teams. I created a specialized managed security service for industrial environments, generating $3.8 million in new annual recurring revenue. The convergence framework is the achievement I point to because it captures what I believe consulting should deliver: a solution born from deep industry knowledge that creates lasting, measurable value and can be replicated across an entire sector.

What's the best advice you've ever been given?

The best advice I ever received was to never be scared of hiring someone smarter than you. That single principle transformed how I built teams, grew practices, and ultimately delivered results for clients. When I set out to build the cybersecurity and compliance consulting practice at Burns & McDonnell, I knew that no single individual – regardless of credentials or experience – could possess the breadth of expertise required to serve energy utilities, nuclear facilities, pipelines, water systems, and data centers simultaneously. So, I deliberately recruited OT professionals, physical security consultants, compliance experts, engineers, and architects who brought specialized knowledge that exceeded my own in their respective domains. I promoted a culture of collaboration and innovation among that diverse team, and the results spoke for themselves: business revenue grew from $1 million to $15 million annually, and sales tripled within three years.

That advice also shaped how I approach current engagements. Serving multiple organizations simultaneously requires surrounding yourself with people whose expertise you trust completely. I set security and industry compliance requirements and implemented comprehensive risk management programs not because I wanted uniformity, but because I wanted every team member empowered to make decisions independently. Hiring people smarter than you demands confidence, not insecurity. It requires humility to recognize that your role as a leader is to set the vision, remove obstacles, and create the conditions for brilliant people to do their best work. That philosophy built every successful team and practice I have led, and it remains central to how I operate.

What does this recognition mean to you?

This recognition represents a validation of the belief that has guided my career: that deep industry specialization, when combined with genuine commitment to client outcomes, creates a form of consulting that transcends transactional service delivery. I have spent nearly two decades building a practice dedicated to protecting the critical infrastructure that communities and economies depend upon – energy grids, nuclear facilities, water systems, pipelines, and data centers. That work carries a weight and responsibility that I have never taken lightly.

I introduced a risk management culture at the world's largest utility, a company with $17.2 billion in revenue and 14,000 people across 33 states including Canada. I developed cybersecurity programs in partnership with the Department of Energy and Department of Homeland Security. I served on NERC industry committees and standards drafting teams, contributing to the very frameworks that govern how critical infrastructure is protected across North America. I carried out over 400 audits for Fortune 500 companies. Each of these engagements reinforced my conviction that the consulting profession, at its highest level, is about building trust and delivering enduring value.

Being recognized honors not just my individual contributions but the collaborative work of the teams I have built and led – the OT professionals, compliance consultants, engineers, and architects who have executed these assignments alongside me. It affirms that industry specialization is not a narrow pursuit but a profound one, and that protecting the systems our society depends upon is among the most meaningful work a consultant can do.