Ostendio Blog

How to Build a Comprehensive Cybersecurity Program

Written by Grant Elliott, President and CEO, Ostendio | Aug 14, 2020 2:35:05 PM

Even before the COVID-19 pandemic took hold, too many organizations were not looking at a broad enough approach to cybersecurity as they evaluated their operating models. As we highlighted in our blog post about the recent Twitter breach, an IT-centric security approach is never sufficient. For Twitter it resulted in an employee being tricked into giving a hacker company credentials, allowing a breach of high-profile accounts. A recent article from Bain and Company also suggests that because of the COVID-19 pandemic “companies have to reevaluate the full complement of security capabilities as they permanently adjust operating models for the post-pandemic world.”

As a result of the pandemic, employees have been scattered to remote working locations and organizations are moving more of their critical infrastructure to the cloud. For these reasons, it is essential to adopt a full-spectrum security program to avoid data security breaches. While most business leaders are aware of the importance of implementing security programs, they often develop a program that is too narrow and focuses solely on IT controls. The reality is that to fully protect a business, organizations must look beyond IT controls and consider the organization as a whole, including vendors, and build a comprehensive cybersecurity program that includes an organization-wide culture of security.

[Read more: Twitter breach highlights why IT-centric security programs are insufficient]

How do I start building a cybersecurity program?

Ostendio strategically guides customers through a 5-step process to build their security program and ultimately attain a chosen security certification. Here is an overview of our 5-step process:

1. Foundation

Building a solid data security foundation is a key element of a successful and sustainable security program. The foundation begins with the leadership team setting the tone for the organization’s adoption and implementation of a security program. The whole organization is introduced to the Ostendio MyVCM platform, and the entire staff understands their role in the organization’s security program. As part of the Foundation step, the CISO and security team take time to learn about the different regulations and certifications that are important for the organization, and identify what level of effort is needed for each certification, whether it is SOC 2, HITRUST, etc. The organization will then select the certification that is right for their business or industry and agree to a schedule and timeline for certification. Staff will be trained on the Ostendio MyVCM platform and start to gather and organize existing documentation and identify key stakeholders. The Ostendio Customer Success team will assist customers every step of the way, offering training to onboard all team members.

2. Intermediate

Now that the organization's data security foundation is in place, and current documents are in the Ostendio MyVCM platform, it is time to perform a gap analysis on the current security program. Ostendio will work with the organization’s security team, focusing on the security framework chosen by the organization. Ostendio will work with MyVCM Premium and Enterprise customers to perform a thorough review of their existing policy and procedure documents and, importantly, build out the processes to support them. Ostendio will ensure that each document has the appropriate approvals and acknowledgements, and that the ability to track completion of tasks is added to the Ostendio MyVCM platform appropriately.

3. Proficient

The best practice regarding the organization’s security process is to ensure all policies and procedures are kept up to date with version control and to establish a documentation approval process using the Ostendio MyVCM platform. The document management feature makes it easy to ensure the appropriate employees have access to the documents they need to see and that the approval process is documented clearly. Ostendio Customer Success and Professional Services teams will assist, as needed, in developing the organization’s configuration management in the asset management, audit task and assessment modules. Ostendio will guide the organization through the vendor management process on the Ostendio MyVCM platform as the organization starts the interview process to choose an audit company.

4. Advanced

As the organization moves to the Advanced step, their security team will have approved and published policies and procedures to employees for acknowledgement, and the organization will be tracking compliance with the processes that were implemented. Collecting evidence is an essential component of any security program. Security awareness training will be sent out to appropriate staff members, and audit tasks will be assigned to collect appropriate evidence. Based on the certification type selected, the organization will have completed the relevant scoping questionnaires. At this stage Ostendio will also introduce risk management, specifically the ability to track and mitigate risk across the enterprise. This will form the foundation for future security investment decisions.

5. Certification

This is the goal of many organizations: to be security certified to their chosen standard. The organization will sign a contract for certification with an auditor group, and Ostendio’s team may act as a liaison where necessary between the selected third-party auditor and the organization. Ostendio’s Customer Success team will support the third-party auditor to ensure they are trained and understand how to navigate the Ostendio MyVCM platform. When the audit is complete and the organization has gained certification, the cybersecurity journey has not ended. Most certifications require an annual audit or re-certification, and by using the Ostendio MyVCM platform an organization can keep documentation and evidence up to date, which will make any subsequent audits less of a heavy lift in terms of employee time and effort.

Ostendio has over 7 years of experience helping customers build, operate and showcase their security programs. We have helped customers successfully navigate this 5-step process and guided them through certifications. Our Professional Services team is a group of industry experts who are ready to help customers as they implement their security programs. If you need additional help, engaging our Professional Services team is the perfect solution for supplementing your organization’s compliance team when you are setting up your security program for the first time or preparing for an audit. Speak to an expert at Ostendio who will be happy to help your organization with its cybersecurity journey.