Ostendio Blog

Compliance Lessons Learned from a Cybersecurity Heavy-Hitter

Written by Paul Redding | Jun 7, 2024 10:27:50 PM

Layer 8 Security is a cybersecurity consulting, advisory, and technical services firm that focuses on the proper integration between people, process, and technology. Layer 8 Security arms organizations with practical strategies for achieving and maintaining security compliance, boosting client confidence that their most critical assets are protected.

Today, we're super excited to share our conversation with Sean Toolan, VP, Cyber Risk & Compliance Solutions, Layer 8 Security, one of the real heavy-hitting providers of cybersecurity and vCISO services.

In our discussion, we’ll dive deep into the latest innovations in the field, exploring how to stay ahead of emerging threats and demonstrate your cybersecurity posture to build market trust.

This is a great opportunity to gain insights from one of the leading cybersecurity advisory firms in the industry and uncover how to bolster your - and your clients' - security compliance program.

Get ready for an engaging and informative chat! After the interview, stay tuned for a video overview of how Layer 8 leverages Ostendio.

Here's the conversation:

Who is Layer 8 Security? How do you describe yourselves?

Layer 8 Security is a cybersecurity services firm. We specialize in cyber risk compliance and technical security services, and we serve clients in several industries, with a focus on the healthcare, life science, financial services and government contractor space.

How does Layer 8 Security fit into the channel ecosystem?

There are MSPs and MSSPs in the space and we can provide some of the functionality that these services do. That said, we see ourselves as more of an organization that can help either build and develop a cybersecurity program for an organization or come alongside technology leaders to help manage, monitor and improve an organization's security program.

Are you vendor agnostic or do you mandate the use of specific tools and products?

We are vendor agnostic, and in fact, the only areas right now that we are not really vendor agnostic are in our security program support tools. For example, with compliance and risk management, we've chosen to partner with Ostendio, so that's now our preferred vendor and tool in that area. We do have a few recurring technical services that are dependent on specific tools we have selected, but we are agnostic in terms of working with platforms like Microsoft or AWS-based architectures.

Would you describe yourself as more of a virtual CISO?

Yes. And in many cases, we essentially provide an outsourced CISO department for our clients.

What was the differentiator that made you arrive at Ostendio as a point of truth to manage your clients' cybersecurity and compliance programs?

We looked at all the leading platforms in the GRC tooling space, and the primary reason that we chose to partner with Ostendio is the variety and breadth of frameworks that Ostendio helps an organization track against.

We see that a lot of our clients are now not just trying to align with one specific security framework; they're trying to align with multiple frameworks. So, we wanted to have a capability to enable our customers to track against multiple frameworks concurrently. That's why having the access to track and manage against multiple frameworks with Ostendio was so important to us.

Secondly, Ostendio has the most powerful compliance management, document tracking and repository capabilities that we saw of any tool currently on the market. So, the compliance management aspect was very important as well as how that tied into our vCISO services.

Thirdly, we felt that there was a really good connection between us and the Ostendio team and a willingness to partner as we went to market together. We have found that to be true since we began our journey with the Ostendio team. Ostendio has been a really good partner, and we've been able to work collaboratively together on solutions for customers since we entered into our business relationship.


What do you see as the driving influence on compliance in the modern sector? Will CMMC really shift the American space? Do you think that it's the adoption of frameworks like CIS or CSF?

Good question! We're seeing two main driving factors. One is just a private, commercially-driven motivation for companies to be compliant or align with leading frameworks. That's why having the access to track and manage against multiple frameworks is so important! The companies we work with have investors, partners or vendors that demand that they comply with certain frameworks. In one year it could be one framework, let's say SOC 2, and then the next year it could be ISO 27001.

Companies are focusing more closely on managing third party risk and don't want to enter into a relationship with any company that they don't feel is secure.

That extends to cyber insurance as well. Cyber insurers require that companies now become compliant with a major framework, like SOC 2, and then crosswalk to additional frameworks, like CMMC.

The second factor is government-driven. This is where we see the emergence of CMMC requirements. Many companies have approached us in the past year now that CMMC requirements are being enforced.


The recent SEC guidance has further solidified the actions public - and even some private - companies should take with their cybersecurity programs.

In the past, there were sporadic pushes towards certain frameworks. But now, we're really seeing a full-force push from both the public and private sectors, which is propelling the need for compliance management in the security field overall.

This market shift has driven a lot of interest in our services - and now, we can scale those services much more easily and effectively with Ostendio.

Those are two great points. If you're paying for cyber liability insurance and you can't prove you're compliant, it's not worth the paper it's printed on. Secondly, you're not going to get business if you can't illustrate that you're capable of protecting client data.

Where do you see you guys going in 2024, 2025 and beyond? What does the future look like for Layer8?

Our partnership with Ostendio dramatically increased demand for our security compliance management services. Together, we help our customers align and stay compliant with industry frameworks.

Secondly, we're growing compliance management into a holistic end-to-end security management program. So, if a framework is dictating, for example, that vulnerability assessments need to be conducted on a quarterly basis, we're able to monitor and manage them.

If we're managing a security program for a given company, we conduct the vulnerability assessments for those companies at the right time, on the right cadence, and we can track the execution and closeout of those tasks in a timely manner.

It's about optimizing the compliance management capabilities and making it more efficient for our customers overall.

*Bonus expert advice from Layer8 Security CEO, 'JPL' Lipson:

Data is critically important for our clients - it's the single most valuable asset we hold. By leveraging the data that we get from our clients on the security services side (for example, the outputs of penetration tests, or the outputs of SIEM, SOC, MDR and XDR) and then combining those with the outputs from the risk assessments and the gap analysis, you truly have the appropriate picture of the readiness and true cybersecurity of your clients. And Ostendio is going to help us do that for our clients.

Right. Auditors want to see that your compliance program is effective for the issues that you're facing today and can grow with you to protect you against the risks you may face in the future. Risks don't sit still. You must always evolve as time moves on.

I want to thank you for taking the time to talk with me today, and for your partnership. At Ostendio we're very proud of the role we play in the growth of a group like Layer8. Together, we can truly strive to deliver on our mission statement of "Everyone Secure!"