Virtual CISO - Case Study #3

Software Startup requires Governance on a Budget

Industry:  Insurance Tech

Location: Toronto, Ontario, Canada

Size:  15 employees

Reason: Client required Governance Certification

Effort:  Ongoing 1 day (roughly 8 hours) / week

The Story:

A new software startup had developed a product to help the automotive insurance industry. After testing and validating their product, a significant American Insurance company has required them to provide proof of Cyber Security Compliance prior to signing as a client.

The company's infrastructure is all cloud based, with employees/developers all working remotely as there is not "office" to speak of.

The founder and lead developer had done their due diligence, and had already started looking at the CIS Controls Framework. They had started documenting several policies and standards, and were looking at how to implement security into the Software Development Life Cycle. This task however was taking them away from their core competencies: Developing and Marketing their app.

Through mutual contacts, the founder came to us to see if we could help.

The First 30 days:

Our Virtual CISO worked directly with the founder and his development team to identify the main data and infrastructure assets, review and assess the existing documentation, and understand and document the deficiencies in their Cyber Security program.

The client provided admin accounts on their cloud provider, and we started monitoring and reviewing activities there.

The Next 60 days:

As this was a smaller client, thing progressed a little slower than some accounts, but our TeamCISO Security Analysts we were able to keep an eye on the cloud environment, looking for anomalies while our Advisors continued to provide governance and oversight on the various Cyber Security initiatives:

• Change Management
• Vulnerability/Patch Management
• Cloud log management and SIEM implementation
• Incident Management
• Creation of a parallel Dev environment

Beyond the 90 days:

Recently, the client has requested an API and Web App penetration test to validate the Internet facing security controls as a final requirement of their most recent client.

We are now in a position to provide periodic Governance, conduct quarterly reviews/trend analysis, and provide external threat intelligence.  Our analysts will continue to monitor the network for anomalies and ensure that the various security processes are in place and functional.

Benefit to Client:  

• Our staff are able to integrate as part of the clients team and provide security Guidance
• We were able to provide assurance to their client that due diligence was in place
• We project managed the entire program from assessment to handoff
• We can provide monthly. quarterly progress reports
• We can provide quarterly Security Metrics reporting
• One-stop-shop.   We brought resources to the table to ensure a holistic Cyber Security Programme
  • Review of Cyber Security Controls
  • Assessment of Cloud Infrastructure controls
  • Assessment of and recommendations for Security in the Software development life cycle
  • Oversight of Security Operations
  • Penetration testing & vulnerability assessments
  • Comfort and peace of mind

Previous Case Studies in this Series:

Case Study #1 - Cellular Communications Provider in Merger & Acquisition

Case Study #2 - Fintech Service Provider requires Interim CISO

Case Study #4 - Wealth Management Company with Poor MSSP Contract

Case Study #5 -Small Family Law Firm concerned about Privacy Breaches