Software Startup requires Governance on a Budget
Industry: Insurance Tech
Location: Toronto, Ontario, Canada
Size: 15 employees
Reason: Client required Governance Certification
Effort: Ongoing 1 day (roughly 8 hours) / week
A new software startup had developed a product to help the automotive insurance industry. After testing and validating their product, a significant American Insurance company has required them to provide proof of Cyber Security Compliance prior to signing as a client.
The company's infrastructure is all cloud based, with employees/developers all working remotely as there is not "office" to speak of.
The founder and lead developer had done their due diligence, and had already started looking at the CIS Controls Framework. They had started documenting several policies and standards, and were looking at how to implement security into the Software Development Life Cycle. This task however was taking them away from their core competencies: Developing and Marketing their app.
Through mutual contacts, the founder came to us to see if we could help.
The First 30 days:
Our Virtual CISO worked directly with the founder and his development team to identify the main data and infrastructure assets, review and assess the existing documentation, and understand and document the deficiencies in their Cyber Security program.
The client provided admin accounts on their cloud provider, and we started monitoring and reviewing activities there.
The Next 60 days:
As this was a smaller client, thing progressed a little slower than some accounts, but our TeamCISO Security Analysts we were able to keep an eye on the cloud environment, looking for anomalies while our Advisors continued to provide governance and oversight on the various Cyber Security initiatives:
Beyond the 90 days:
Recently, the client has requested an API and Web App penetration test to validate the Internet facing security controls as a final requirement of their most recent client.
We are now in a position to provide periodic Governance, conduct quarterly reviews/trend analysis, and provide external threat intelligence. Our analysts will continue to monitor the network for anomalies and ensure that the various security processes are in place and functional.
Benefit to Client:
Previous Case Studies in this Series:
Case Study #1 - Cellular Communications Provider in Merger & Acquisition
Case Study #2 - Fintech Service Provider requires Interim CISO
Case Study #4 - Wealth Management Company with Poor MSSP Contract
Case Study #5 -Small Family Law Firm concerned about Privacy Breaches