TECHNOLOGY
OBJECTIVE: Declare management’s intent and expectations regarding cybersecurity.
Set forth the ‘who, what and when’ for all major controls.
RESULTS: Introduced and anchored to the NIST Cybersecurity Framework.
Thirteen customized, dated, approved, and footnoted policies.
Customer-friendly overview on the public website.
Published in the employee handbook.
WHY IT MATTERED: Went from generic templates to accurate, customized policies.
Required to reach HIPAA and SOC 2 compliance goals.
Established control baselines to measure against.

TECHNOLOGY
OBJECTIVE: Establish “tone at the top” (i.e., leadership that “walked the talk”).
Get top executives enrolled and engaged.
RESULTS: Active review and approval of key infosec deliverables (policies, assessments, metrics).
Active risk registers and risk management.
2+ years of meeting materials, minutes, and action items.
Customer-friendly overview on the public website.
Published in the employee handbook.
WHY IT MATTERED: Provided ‘proof’ for HIPAA, CCPA and SOC 2 compliance tests.
Cross-company coordination (“silo-busting”).

TECHNOLOGY
OBJECTIVE: Ensure cloud controls were in place and performing at or above baselines.
RESULTS: Implemented AWS Security Hub to monitor security in the cloud (5 accounts, 42 policies).
Achieved baselines in <3 months.
WHY IT MATTERED: Created repeatable SecOps and DevSecOps processes.
Custom “ChatBot” to accelerate remediation.
Provided ‘proof’ for HIPAA, CCPA and SOC 2 tests.

TECHNOLOGY
OBJECTIVE: Find and fix high-risk vulnerabilities in new web/mobile applications and services.
RESULTS: Selected a partner with the right skills and methods.
Integrated testing with the Risk Management Process.
WHY IT MATTERED: Became a standard step in the product launch process.
Established a threat scoring system.

INSURANCE
OBJECTIVE: Evaluate the design and effectiveness of Third Party Risk Management activities and report to the Board of Directors.
RESULTS: Updated vendor security standards by linking them to external best practices.
Partnered with the CISO to increase program efficiency and compliance.
WHY IT MATTERED: Created new standards based on external best practices.
Expanded policy to include previously-exempted vendors.

TECHNOLOGY
OBJECTIVE: Flagship customer required a signed HIPAA Business Associate Agreement (BAA) as a condition of doing business.
RESULTS: Completed assessment, gap report and remediation roadmap.
Closed gaps and achieved compliance goals ahead of schedule.
WHY IT MATTERED: Signed the HIPAA BAA with confidence and the ability to back up claims.
Continuous risk governance and compliance monitoring established.

RETAIL
OBJECTIVE: Respond to an alarming outside audit report received by the Board of Directors (re: inadequate InfoSec controls).
RESULTS: Categorized and closed >50 control deficiencies.
Chartered and facilitated a Cybersecurity Governance Committee.
WHY IT MATTERED: Saved $4 million in remediation costs by leveraging existing PCI controls.

TECHNOLOGY
OBJECTIVE: Understand the delta between the current state and a SOC 2, Type 2 attestation.
RESULTS: Selected an audit partner.
Defined the system and its boundaries.
Cataloged and demonstrated >90 controls.
WHY IT MATTERED: Created a remediation roadmap and timeline.
Implemented baseline cloud controls.

TECHNOLOGY
OBJECTIVE: Select a partner and stand up threat and vulnerability management capabilities.
RESULTS: Replaced a non-performing incumbent solution.
Established security baselines and implemented SOPs to ensure performance.
WHY IT MATTERED: Enabled SOC 2 Type 2 compliance.
Automated controls to enhance DevOps efficiency.