Cyber Defense Group

BACKGROUND

Please describe your company and position.

I am the Director, Security and Compliance of PacketFabric

Describe what your company does in a single sentence.

PacketFabric is a supplier of Network-as-a-Service cloud services, supplying software-defined networks to customers.

OPPORTUNITY / CHALLENGE

What specific goals or objectives did you hire Cyber Defense Group to accomplish?

• Evaluate Unitas Global's security program
• Assist in meeting SOC2 and ISO-27001 compliance standards

SOLUTION

How did you find Cyber Defense Group?

Online Search

Why did you select Cyber Defense Group over others?

• High ratings
• Great culture fit
• Company values aligned

How many teammates from Cyber Defense Group were assigned to this project?

2-5 Employees

Describe the scope of work in detail. Please include a summary of key deliverables.

CDG was contracted to perform internal audit of the company prior to attempting external audits for SOC2 Type 2, and ISO-27001. Key deliverables were a detailed internal audit report, internal risk assessment, mandatory compliance-related activities such as tabletop exercises, and assistance revising and in some cases creating security controls and processes.

RESULTS & FEEDBACK

What were the measurable outcomes from the project that demonstrate progress or success?

CDG produced detailed documents describing their evaluation of Unitas Global, including a full internal audit report. They participated in numerous weekly and ad hoc meetings to address specifics, and arranged other sessions including tabletop exercises.

Describe their project management. Did they deliver items on time? How did they respond to your needs?

They're always on time and responsive. They can also pivot quickly when the company's compliance needs change.

What was your primary form of communication with Cyber Defense Group?

• Virtual Meeting
• Email or Messaging App

What did you find most impressive or unique about this company?

They have consummate professionalism, and a polished and thorough delivery. Their objectives-focused approach made it easy to not count hours, so mcuh as focus on the specific objectives we wanted to see.

Are there any areas for improvement or something Cyber Defense Group could have done differently?

They would sometimes be more proactive about suggesting a course of action which will meet customer needs, at least when it's obvious the customer doesn't know what they want or what is appropriate.

BACKGROUND

Introduce your business and what you do there.

I’m the senior VP of information security for a personalized products platform.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Cyber Defense Group?

We need consultancy services around cybersecurity and security operations center (SOC) services.

SOLUTION

What was the scope of their involvement?

Cyber Defense Group is our cybersecurity consulting team. They've been an escalation point if we need incident response help. They've also run tabletop exercises for us, done security maturity assessments, and managed SOC-type services.

In addition, we've purchased some of our anti-malware from them.

What is the team composition?

We mainly work with Lou (CEO), but we're also in contact with people from their internal team.

How did you come to work with Cyber Defense Group?

They were already working with us when I took my current position.

How much have you invested with them?

So far, we've spent around $500,000 with them.

What is the status of this engagement?

We started working together in January 2021, and the engagement is still ongoing.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

Cyber Defense Group has given us a penetration test on time. Overall, they deliver everything we hire them to do within our tight timeframes. We haven’t had any problems with them.

How did Cyber Defense Group perform from a project management standpoint?

Cyber Defense Group’s team is very responsive. In addition, they meet deadlines and stay within budget. In terms of communication, we use Slack and Zoom.

What did you find most impressive about them?

Cyber Defense Group is extremely responsive and very well-versed in a broad range of security topics.

Are there any areas they could improve?

As they work with different companies and try to provide standardized reports, they could become stronger in helping companies in their reporting.

Do you have any advice for potential customers?

Keep up good communication with them and ensure to express exactly what your needs are so they know exactly what you’re expecting.

BACKGROUND

Please describe your company and your position there.

I am a Director of Engineering at Riva Health. I manage the following teams: Backend, Web, iOS, Android, DevOps, and Security.

OPPORTUNITY / CHALLENGE

For what projects/services did your company hire Cyber Defense Group?

We hired CDG to help us establish our security program and become HIPAA compliant. They successfully did that and are currently contracted as our vCISO. They continue to help us harden our security and aid in the cybersecurity portions of our FDA submission.

SOLUTION

How did you select this vendor and what were the deciding factors?

They were more boutique and hands-on compared to the very big alternative we were looking at that felt more mechanical and contractual / cold. We didn't know what the future had in store, so we chose the most flexible offer that didn't break the bank

Describe the project in detail and walk through the stages of the project.

• We needed to get to HIPAA compliance from a company and software perspective.
• CDG first outlined the high-level HIPAA requirements then mapped them to a set of deliverables that we tracked over the course of the project
• We had weekly sync meetings to track progress and answer questions
• We had ad-hoc working meetings to meet the deliverable
• Security engineers at CDG worked alongside our engineers to deliver and review the code and software solutions we put in place
• For 3rd-party security solutions, CDG would offer 2-4 recommendations, discuss pros and cons, and assist us in getting a contract.
• CDG reviewed all 20+ company policies we wrote to ensure that they covered all necessary bases.

How many resources from the vendor's team worked with you, and what were their positions?

Our main points of contact were:

• Caroline Connolly
• Senior TPM
• Remington Winters & Philip
• Director of Security Engineering Philip succeeded Remington while the project was happening because Remington took a job at another company. Both of them are great to work with.

RESULTS & FEEDBACK

Can you share any outcomes from the project that demonstrate progress or success?

We were able to become HIPAA-compliant in time to meet our deadlines. We couldn't have done it without CDG's guidance and having their engineers work alongside ours.

How effective was the workflow between your team and theirs?

Working with CDG has been very effective. Because Riva Health is an early-stage startup, we need to be able to move fast when we focus on something. Caroline devised a flexible workflow consisting of a weekly sync with a prepared agenda. We'll leave each meeting with action items for different parties in CDG and Riva to accomplish. She will then take notes and send them out. She does a great job clearly outlining these for everyone and following up on getting these done. Every contact we've had at CDG, including the CEO, Lou, has been extremely responsive to us. We're usually able to get meetings within a day or two of requesting one, and each person is good at responding to our Slack messages.

What did you find most impressive or unique about this company?

CDG is focused on results, value, and education. I was very satisfied when a read a case study about the Uber hack and realized that we had implemented all of the best practices over the last year and a half. At the outset, we agreed to focus on initiatives that improved the actual security of Riva Health, and not do anything that's security theater. At a startup, we are incredibly resource constrained. CDG understands this and points us towards policies, practices, and implementations that drive results. We've had multiple conversations on whether a certain recommendation is "needed" or "nice to have".

CDG has always been able to back their recommendation as "needed" or "nice to have" in a way that is understandable to all stakeholders. As an early-stage startup, we're also careful about how to spend our finances. For any item that has needed a 3rd-party purchase, CDG presents a list of 2-4 recommendations with pros and cons. This is a jumping off point for different conversations about the value a 3rd-party provides. In some cases, we've gone with a more expensive option because of the features provided.

In others, we've gone with a cheaper option. CDG helped us navigate these purchasing decisions with clarity and ensured that we get good value from what we buy. From working with Lou, Caroline, Philip, and others at CDG for the last year and a half, I've learned a ton about how to build a security program from scratch. Part of the reason for this is that everyone at CDG has been a fantastic educator. They do a great job of presenting security best practices in an approachable way to all stakeholders, both engineers and non-engineers.

Are there any areas for improvement or something they could have done differently?

At the very beginning of our engagement, there were some issues with one of the members CDG assigned to our team. I got in touch with Lou and gave feedback about what was happening. CDG rapidly switched them out, brought Caroline onto the team, and managed to get the project done on time. Lou also followed up with us privately multiple times to make sure that we were satisfied with the level of service we received.

BACKGROUND

Introduce your business and what you do there.

I’m the director of business intelligence for a gastroenterology group called the  Borland-Groover Clinic.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Cyber Defense Group?

We needed a security assessment for our IT setup and didn’t have anyone on our staff with those capabilities. We wanted to bring in a third party to look at our infrastructure and network to see if they could guide us on possible vulnerabilities.

SOLUTION

What was the scope of their involvement?

They came in and explained to us what their process would look like. They performed interviews, penetration testing, and completed scans of our systems. After they collected all of the data, they provided an assessment of everything to our executive team and included recommendations on how to move forward. 

We engaged them again, and they’re now working with our security officer. They’ve been showing him what needs to be done and are working through the different remediation steps they identified in the initial assessment. 

What is the team composition?

We primarily work with Lou (CEO), J.J. (Chief Information Security Officer), Phillip (Director of Engineering), and Caroline (Senior Technology Program Manager). 

How did you come to work with Cyber Defense Group?

Someone in our company knew Lou, and after a bid with 3–4 other companies, we decided to go with Cyber Defense Group. 

What is the status of this engagement?

We started working with them in February 2022 to do the initial assessment. We engaged with them fully in June 2022 to implement the solutions, and the engagement is ongoing.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

They did a phenomenal job with the initial assessment, and we decided to move forward with their recommendations.

How did Cyber Defense Group perform from a project management standpoint?

They’ve been providing excellent project management for us. They supply us with checkpoints and scheduled calls so that we’re always on the same page. Everything was on-site to start with, but now everything is being handled remotely. 

What did you find most impressive about them?

They're very transparent and keep us updated with everything they’re doing. They take the time to explain everything and put it into language that we understand. Overall, they provide great value for the money we’re spending. 

Are there any areas they could improve?

We don’t have any complaints about them. 

Do you have any advice for potential customers?

Let them guide you because they know what they’re doing. Give them a good idea of your goals and what you’re willing to invest because it will help them move forward.

BACKGROUND

Please describe your company and your position there.

I'm the IT Director at a utility company

OPPORTUNITY / CHALLENGE

For what projects/services did your company hire Cyber Defense Group?

We were looking to improve our vulnerability management plan, with a specific focus on patch management.

SOLUTION

How did you select this vendor and what were the deciding factors?

We had used CDG in the past and were very pleased with the value we received.

Describe the project in detail and walk through the stages of the project.

At a high-level, they interviewed all the individuals we identified to understand the challenges each faced. They reviewed how we were using our patch management solution. We ended up with a report of recommendations including the sequence we should follow to implement these.

How many resources from the vendor's team worked with you, and what were their positions?

We had two senior cybersecurity analysts and a PM assigned. In addition, the CEO sat in on the key deliverables review meetings.

RESULTS & FEEDBACK

Can you share any outcomes from the project that demonstrate progress or success?

We are still implementing these improvements and have not yet compared the before and after. However, I am confident things have improved.

How effective was the workflow between your team and theirs?

Each week, the lead analyst would send me a status of what was accomplished and what was planned for the upcoming week. Project ended as expected within their forecast delivery timetable.

What did you find most impressive or unique about this company?

They were flexible when we decided after signing the SOW to add a few additional individuals to the interview process. They helped us focus on prioritizing patches based on the real threat to our environment. Additionally, they did a deep dive into the patch management solution we were using and pointed out capabilities that would allow us to be more productive.

Are there any areas for improvement or something they could have done differently?

I do not have any.

BACKGROUND

Please describe your company and your position there.

My company develops software for the advertising and media industry. We develop software to help our clients monetize by selling advertising through digital and linear channels. My role is Sr VP of IT and Security and I oversee all aspects of Information Technology and Security for the company.

OPPORTUNITY / CHALLENGE

For what projects/services did your company hire Cyber Defense Group?

We hired CDG to help with our security initiatives. We were looking for strategic guidance, process development, and policy creation with regards to Security. We also wanted tangible services such as penetration testing, Software Development Life Cycle (SDLC) implementation, and Security / BCP table top execution.

SOLUTION

How did you select this vendor and what were the deciding factors?

We looked at 4-5 different players in the field and went about a process to understand how they would fit best into our organization, our size, and our goals. CDG won the project as they clearly differentiated themselves with their results based security practices. We were not looking for a binder of what we should do, rather implementing those practices and making progress in our security practices.

Describe the project in detail and walk through the stages of the project.

The projects are currently ongoing, however it incorporates several key areas:

• Pentesting - CDG carried out pen testing in our applications for SOC requirements and provided the reports to support it.
• Incident Table Top - CDG organized and lead a table top exercise to manage a security incident, the results of it, the lessons learned and provided a document to refer to for subsequent exercises.
• Virtual Chief Information Security Officer (vCISO) - continuing to provide leadership from a strategic standpoint and guidance to ensure our security posture is inline with industry standards.
• Policy Mgmt - creating and reviewing essential policies to help govern our practices.
• Vendor Selection - provide input into current vendors for security services or for new products / services required to fulfill gaps within our practice.

How many resources from the vendor's team worked with you, and what were their positions?

We have several team members, but its about 3-4:

• vCISO
• Project Manager
• Pentesting member
• Data / Integration specialist

RESULTS & FEEDBACK

Can you share any outcomes from the project that demonstrate progress or success?

Some of the larger success criteria's are successful creation of policies, table top exercise with reporting, security assessment of our practice, strategic guidance for developing our security footprints.

How effective was the workflow between your team and theirs?

They have been extremely communicative through various means, including live meetings, chat collaboration, document collaboration, adhoc phone calls, etc.

What did you find most impressive or unique about this company?

The unique thing about Cyber Defense Group was their result-based security services. They pride themselves on ensuring everything has a clear deliverable that is disseminated to the client and ensures that the deliverable isn't just talk / guidance and something that the client has to go off and figure out.

Are there any areas for improvement or something they could have done differently?

While we found their pentesting services helpful, we didn't get the best value out of that. So I would consider doing this else where and focusing on strategic initiatives instead.