FRSecure

BACKGROUND

Introduce your business and what you do there.

We’re a small actuarial consulting firm with 11 employees.

OPPORTUNITY / CHALLENGE

What challenges were you trying to address with FRSecure?

We had a client that was worried about their data, so we were basically required to do a SOC 2 (Service Organization Controls) audit if we wanted to keep them as a client. This was the first time we interacted with a cybersecurity company in this way.

SOLUTION

What was the scope of their involvement?

Everything’s been related to a SOC 2 audit. We’ve done two to three different engagements with them related to that. A lot of firms are requiring their partners and vendors to go through a SOC 2 audit. It basically makes sure we have the processes and procedures to minimize risks of a cybersecurity breach. We hold a lot of their data, and they want to ensure we’re secure. That’s where FRSecure came in.

A SOC 2 audit entails getting all your systems up to snuff, and then an auditor comes in to confirm we’re done it right. We’re at the stage right now where FRSecure is helping us get ready for this audit. We’ll have the auditor come in very soon, and we’re hoping we pass. We’re setting up lots and lots of policies. For example, if you have a new employee come in, we have a policy that defines the steps IT needs to take.

They look at our server to make sure it has all the up-to-date stuff, so the client can’t get hit. We have to make sure we lock our file rooms and don’t leave stuff at our desks, all the various things that would increase the chances of Social Security numbers being released to the wrong people. It’s the whole process; setting up all the policies, and then other processes, and working with our internal IT guy to make sure we’re doing the most up-to-date stuff.

We had one on-site meeting, but otherwise, it’s all done remotely. It’s nice to have that option. FRSecure delivers reports and action items as they go along. They’ve given us samples to work with, so we start with those and modify them to meet our firm’s specifics. They’ve been very knowledgeable, and they’ve had a lot of good tools that allow us to work with what they’ve given us and to update.

How did you come to work with FRSecure?

I looked up local auditors who do SOC 2 audits, and they’re the ones who actually referred us to FRSecure. The auditors had worked with them many times and said it’s gone well. They’re a smaller company close to us, so it just made a lot of sense. They were the only company we interviewed.

What is the status of this engagement?

We’ve been working together for almost a year. It’s been taking us a long time, and I’m still not done. That’s not due to anything FRSecure has done, we’re just busy at work. I have to update a few more policies and get that ready for the auditor.

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?

We’ve made a lot of changes. We’ve set up all these policies, and now we’ve been having regular IT meetings internally. We’ve had meetings with employees to talk about security. We’ve locked our server room so no one can just walk in and do what they want. We’ve changed configurations on the server based on what FRSecure has told us. We’ve changed how we’re sending data back and forth with clients. Basically, we’ve changed most everything in the overall data process.

We’ve hired them to do penetration testing. They try to attack our server to see if there are any holes in it. They do those monthly. There have been a few things we’ve changed due to these tests, which has been good. They’ve also given us some ideas on disaster recovery and business continuity. We’re still in the process of working on that right now, but they’ve definitely given us some good tools to update that.

How did FRSecure perform from a project management standpoint?

A lot of our communication is by email, but we also have scheduled meetings. We all get on and do a live webcast so they can see what we’re doing. We’re showing them everything we’re setting up, asking questions, and getting ready for this audit. That’s really what we hired them to do, get us ready to pass the audit. If I could spend a couple hours working on this stuff, I think we’ll be ready for the audit. I’ve met with the auditor once, and there were a couple things we still had to do, so we’re very close.

What did you find most impressive about FRSecure?

I didn’t know what to expect. Trying to change all your processes is not fun and not our business. It’s kind of been a pain, but not because of them. We’re realizing that we’re so far behind the times. It’s been good to talk with them, and they’re helping us get into the 21^st century and be more prepared.

Are there any areas FRSecure could improve?

I can’t think of anything. They’ve done what we asked them to do. They’ve been there every step of the way and done everything as we agreed.

Do you have any tips for potential clients?

I would tell them that’s it’s going to take longer than they think, and it’s much more involved than they think. They’re going to have to devote someone to spend a lot of time. I’m not sure I would tell them to react any differently regarding FRSecure. I would just warn them as to what’s really involved. For a small business, it takes a lot of time away from doing your real business.

BACKGROUND

Introduce your business and what you do there.

I’m the president health care an online platform that brings together integrative holistic therapies. We educate consumers about their healthcare options and connect those consumers with local practitioners of each specialty. 

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We decided to approach FRSecure earlier than most companies would have. Many companies call them when they have issues or are in need of urgent consultancy. We called them as a startup because we needed a good HIPAA-compliance consultant from the beginning. We wanted to make sure that we built our website correctly and didn’t have to be reactive to something we didn’t build correctly, which can be very expensive and takes a lot of time. We were interested first in their HIPAA compliance knowledge and then PCI [payment card industry] compliance. We also wanted them to test what we’ve built via penetration to make sure that it’s sound. 

SOLUTION

What was the scope of their involvement?

We started building this website from scratch. We built it internally with our IT people, and FRSecure definitely consulted with us on how to build it. Once we made certain pieces, we would circle back with them for tweaks so that the finished product would be extremely secure and built the right way. For PCI compliance—which is needed for any website that's going to be collecting credit card information—they made sure that we had a secure payment gateway that was integrated correctly within our site. They also helped us on the policy side of things by explaining rules and regulations and making sure that we knew exactly what to expect from a compliance standpoint. They promoted a secure environment as we were building the website, rather than waiting until the end.

The team from FRSecure included a handful of really great guys. John [VP of Operations, FRSecure] was our first point of contact. Then, John and Steve [Senior Sales Consultant, FRSecure] helped us understand the scope based on our needs and directed us to the right people within the team. Ryan [Solutions Engineer, FRSecure] and Tim [Information Assurance Analyst, FRSecure] were incredibly knowledgeable and really bright guys. They can talk the techie lingo but are able to explain it in a way that non-techie people can understand. We also had an account manager who would set up meetings and sit in to understand what we’re about, what we’re trying to do, and facilitate our needs there. Now, we’re working with Derek [Security Consultant, FRSecure]. He's been responsive and really helped us understand what we're doing as well.

How did you come to work with FRSecure?

We did our own research online, starting with Minnesota and spreading as far as California. We looked at 15 companies. We came across FRSecure’s website fairly quickly and definitely were impressed in the first go-round. We really liked their website and message, and they seemed very professional from the start. From there, we talked to John and got a very good first impression, so we went with FRSecure.

How much have you invested with FRSecure?

Over the last 3 years, we’ve spent around $15,000–$20,000, probably closer to $15,000. They will continue working with us throughout the rest of this year. We’re going to be rolling out some new features to our website to support patient-to-practitioner messaging, which has to be HIPAA-compliant as well. If somebody talks about having a certain disease or condition, you've got to follow that HIPAA compliance protocol. We plan to double our budget over the next year, spending close to $30,000 by 2018.

What is the status of this engagement?

We started working with FRSecure almost 3 years ago. The platform is live. We launched trailheadhealth.com in December or January of this year. As with any complex website, you're going to have bugs that you can only learn about later. Once we launched, we made changes and talked with FRSecure to make sure that our tweaks are still in line with our security priorities. They have also done audits since the launch, and we explored some penetration testing, which went well. They reviewed the entire structure of our business and have been very helpful. 

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or impact of the engagement?

They are really knowledgeable. They took pieces of our complex site and pieces of ever-changing HIPAA compliance and made the requirements easy to understand. We’ve had the same group since day 1, and they’ve only brought in new experts as needed. That's always comforting as a business owner: when you have a point of contact, you don't want to be moved around to a bunch of different people and have to reintroduce your concept. This team stuck with us for the 3 years without any turnover. I think that speaks a lot to their business as well. Our IT guy loves working with them, too. We’ve had a great experience.

How did FRSecure perform from a project management standpoint?

They map and scope the audits, and they give us a heads-up about how many hours a project will take. They help us understand the timelines and the costs very well. They delivered reports and gave presentations on-site about things we need to do. They were great. They can work with us in any facet. They're so flexible; we do phone calls, send emails, and have screen-share presentations. We didn’t really use a specific portal for tickets.

We like working with them, so we would drive out to their location, which is about 40 minutes from our office. They’ve moved a little bit closer, so sometimes we see them in person, which is convenient for us. They’ve shown that they can work with businesses on any level.

What did you find most impressive about FRSecure?

They treat their customers with tremendous respect. Not everybody treats us that way. For building this website, we worked with a number of contractors and businesses. FRSecure was the only company that wasn't nickel-and-diming our business for each minute spent. They were very flexible and understood our situation, especially as a startup. They devoted the time to learn about our project and its direction. They weren't just focused on invoicing me as quickly as possible. When they moved offices, we had no hiccups at all. It was a seamless transition.

Are there any areas FRSecure could improve?

I don't know that I could identify any right now. They've done a fantastic job.

What tips or recommendations could you share that might increase the likelihood of success with FRSecure?

HIPAA compliance is a difficult topic, and it’s always changing. I would have started working with FRSecure even sooner. I always want to maintain control, but we really need experts for things like HIPAA compliance, PCI compliance, and security. With all of the hacking and security breaches going on, we need a good organization that has our back. FRSecure has had our back from the start. 

BACKGROUND

Introduce your business and what you do there.

I’m the vice president of technology and services at a regional bank with 6 branches and about $1.3 billion in assets. We have a high concentration of commercial real estate and focus on the commercial side of banking. My responsibilities include managing the infrastructure, help desk, security, and systems of the bank.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We’re required to do an audit every year. We change auditors every 2 years. For the past 6 years prior to working with FRSecure, we approached the audits through the audit companies exclusively. But, this time, due to cybersecurity risks, we wanted to look at the audit from more of an IT security framework versus just the compliance side of those controls. That’s why we chose FRSecure.

SOLUTION

What was the scope of their involvement?

They’ve done 3 audits for me—a social engineering audit and 2 IT audits for 2 different years. On the social engineering side, we were doing an internal phishing and calling scam to see how many of our employees would click on the link or answer the phone call by sharing some private information. The IT audit addressed 4 categories: penetration testing, vulnerability assessments, IT general controls and governance, and physical security.

The reports that they delivered at the conclusion of these audits resulted in action items, especially for the first year. The second audit report identified new threats. That was my expectation because we had satisfied the original items, as verified through this second audit. These new steps were designed to take us to the next level in the maturity model for security.

For both years, different analysts came in, but I was still able to ask the analyst questions. I had a project manager that was my single point of contact for each year, which helped make it more efficient on my side.

How did you come to work with FRSecure?

At the time, I had sent out an RFP. Five companies responded, including FRSecure. The deciding factors were the clarity and accuracy of their response to the RFP, experience level, presentation of documentation, and price point. FRSecure had the best answers and options. I did the social engineering audit almost as a test for their company to see how they handle even just a regular IT project. It was a good small scope to begin our relationship with.

How much have you invested with FRSecure?

For both years, we spent between $17,000–$20,000.

What is the status of this engagement?

I originally sent the RFP in 2015. The social engineering audit was done within the first year, prior to the IT audits. Both IT audits were done over 2 consecutive years. We added the FFIEC [Federal Financial Institutions Examination Council] portion to the last IT audit. 

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or impact of the engagement?

I really liked FRSecure because they gave priority to the action items. They put them into 2 formats: a technical list for the IT side, and the same information in a different way for the executive summary and the board. Having the same information in 2 different formats was incredibly helpful.

They gave us an estimation for how long the audits would take and delivered a week early. I had an aggressive timeline for the second year, which took out one of the RFPs because they initially knew they wouldn’t be close to finishing on time. Typically, we give anywhere from 5–6 months of request time, but they were able to do it in under 3.

For the first year, they had asked for a list of documents on a secure portal, similar to our FDIC exams. This year, they didn’t ask for them until they were on-site, which was another unique aspect. It was a good addition to the second level of testing as far as maturity for us.

How did FRSecure perform from a project management standpoint?

They helped interpret the reports for us twice. Our RFP stipulated that they give a presentation of the results, which they did both online through WebEx and on the phone. They also give the same talk or a different presentation to the executive committee or board if needed.

On 2 occasions, I reached out to them afterward by call or email to ask general follow-up questions to some of the action items and received great feedback.

What did you find most impressive about FRSecure?

FRSecure, compared to others that I’ve used in the past, offers work that’s more than just security-based; they’re also an information-sharing company. They truly want to make our security better versus offering sales points to advance their business. With other auditing firms, I’d go through an audit and receive a list of action items. Then, the provider would give me a list of charges for completing the items, which made the audit seem less genuine. With FRSecure, I never feel like I’m getting a sales pitch. We have a partnership that I rely on continually. I know they really stand by the results and recommendations of their audits because they’re willing to carry out the actions of what they’re identifying.

Are there any areas FRSecure could improve?

For the action items, I’d love to have some trackable portal that I could log into that isn’t just an Excel spreadsheet, but I can work with that. 

BACKGROUND

Introduce your business and what you do there.

First National Bank is a small community bank in the southwest of Minnesota. We are a $200 million bank. I am in charge of the IT department.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We originally hired them to do penetration testing and vulnerability testing, physical security testing, and then also an administrative controls test or review. Administrative controls would just be coming in and looking at policies and procedures to make sure how we are maintaining our environment. It is not a technical review, but it is a review of what we do in the technology department and how well we safeguard things from an administrative standpoint. The physical security portion is that they come out to each of our branches and take a look during hours we are not open, just to make sure we leave the bank in a secure manner. It can also follow over to opening hours as well, but they like to see how we leave things, checking to see where the cameras are, and if we locked up.

SOLUTION

What was the scope of their involvement?

We used them two years ago for all of those things, then we switched to somebody else. We have a policy that says we have to switch who we use for that type of service. We have really liked working with FRSecure. We used the other company for a year and now we’ve gone back to them. This year they performed the administrative controls audit and we have not done the physical yet. The rest of the audits are set to be done before the end of the year.

The admin controls audit takes them about a day of interviews with myself, HR, and some with operations. Then they go back and they review policies and write up a report on that. I would say they had a report back to us within one to two weeks.

Because we are a bank, we are heavily regulated and the OCC is who regulates us. They require these vulnerability tests and penetration testing. We need to make sure that we have those done and that we mitigate any risks that are found. I have one person that I work with that is in charge of coordinating all of it, but I can work with a number of different people depending on what is being done. There is one person assigned as your coordinator.

How did you come to work with FRSecure?

We were working with CTS, a company here in Minnesota, and they had FRSecure out to do a security presentation. Evan, one of the owners, spoke at that event. Afterward, there was a chance to talk with him and based on that, we hired him.

How much have you invested with FRSecure?

We are doing a three-year contract with them instead of just a year by year. If you do multiple different types of audits, they give you a discount because of the different amount of audits that you are doing. They also give you a discount if you contract with them for multiple years. The administrative controls audit is actually two different audits. It is a five-step administrative controls review. Then there are the FFIEC additional admin controls. FFIEC is one of the regulators and they put out a guidance for security controls. They go through that and see how we do as it relates to that. So that is something that is really valuable to us because it relates directly to what OCC is going to come in and look at. There are the external and technical controls, which is penetration testing, an internal technical controls assessment, and physical controls review. And all total, based on a three-year contract in doing all five of those type of audits, it is about $22,000 a year. We get a 10% discount for a three-year agreement.

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?

At this point, we were really interested in them doing the administrative controls this year because there has been a lot of new guidance coming down from the FFIEC. We are basically going through and rewriting our internal controls or information security program. Their feedback was really good, and they have been able to provide us with some great templates to use for some of the different types of policies we are going to need to write. We’re rewriting our whole program based on the feedback they’ve given us.

They also gave us a framework of how they see the information security program being built and how it would relate to our bank specifically. That has been really helpful. Everything right now is basically risk-based. Having a really good risk assessment is really key to that. I did go up there for a day and spend a day with them going over that and rewriting our risk assessment. Based on that, we’ve been applying the policies for all those risks. They do offer some classes. I know they have one that is for specifically for writing policies and procedures. They are really good at what they do.

How did FRSecure perform from a project management standpoint?

We communicate by email and phone whenever I need it. When we were originally doing that assessment, I probably talked to them on the phone every day about a week with different questions. Then I went up for a day and did our risk assessment. We are getting ready to do the vulnerability assessment and penetration testing.

What did you find most impressive about FRSecure?

In my opinion, one of the reasons I prefer them is that they really offer you very personal instruction and guidance. Some of the other companies that we’ve used are bigger. The last one we used, for instance, was so big. They are not real flexible in what they are going to do. You may want them to do a certain portion of it, but then you want them to do something a little different, but they are not willing to do that. FRSecure wants to make sure that they give you exactly what you need, and that’s the primary reason that I went back to them.

This type of service is unique at this point and time from what I see out there. They are just really helpful. They really want to make sure that the end result is what you wanted. If they are not going to really give you any kind of a benefit, then they really don’t want to work with you. The really want to know that their work is helpful to you. They have a great group of people to work with them. Some of the people that I worked with on the administrative controls are people that were previously working at a bank in the technology department, that were in charge of those type of things. They really first hand, not just the security side, but also the banking side which is awesome. 

Are there any areas FRSecure could improve?

I can’t think of any. I have been very satisfied.

What tips or recommendations could you share that might increase the likelihood of success with FRSecure?

I guess just read everything that you can get your hands on. There is just so much out there, but a company like FRSecure is certainly going to help you with what’s specific for your area. Read everything you can.

BACKGROUND

Introduce your business and what you do there.

I am the information security specialist at a medical technology company. I handle anything related to information security. I write policies and arrange for work with IT vendors, such as FRSecure. I’m in charge administering everything about the security program, with the exception of the firewalls. The company does medical imaging, so MRI’s, CT scans, mammograms, bone density scans. We have facilities to do anything that involves scanning inside the human body.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

I was looking to do a phishing engagement, which is where we contracted them to send out a bunch of fake emails to our company. We wanted to determine how susceptible we’d be to someone trying to compromise our information by sending fake emails to employees.

SOLUTION

What was the scope of their involvement?

They assigned an analyst to our account, because they had to create a web page, landing page. They had to create the email templates and different fake domains to make it look like it was coming from us internally. They probably automated the actual email sending process. We already knew exactly what we wanted when we approached them.

The results came back pretty negative for our company, which was to be expected because we had done malware awareness training prior to that. Because of the results we got, we were able to get approval to launch a training platform for additional training on internet-based security. We started rolling that out to management and started doing test emails of our own through that platform to continually drill employees and get awareness going. It was a one-time deal, but I may contact them for another engagement where they would pretend to be Touchstone employees, and see how far they can infiltrate a facility or something similar.

How did you come to work with FRSecure?

FRSecure came very highly recommended online, so we didn’t consider other companies.

How much have you invested with FRSecure?

I believe it was about $6,000.

What is the status of this engagement?

We started it in December of 2016, and the actual emails went out in January. We had the information back by the middle of January of 2017. They helped us go through the results. They did a call with me and went over what the findings were, what everything meant on the action items list they gave me. They did a good job of follow-up after the fact.

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?

It’s been pretty positive. We have another vendor we’ve worked with as well, and they’ve done good jobs, but having a fresh set of eyes from someone not familiar with the company really brought some new insight to things, which everyone seemed to like.

How did FRSecure perform from a project management standpoint?

We primarily communicated by email, with some phone calls as needed. We were using an internal ticketing system, but FRSecure didn’t have visibility on that.

What did you find most impressive about FRSecure?

They do have the drive to improve the information security field. I actually attended a CISSP (certified information systems security professional) course hosted by their CEO over the last few months, and I’m probably getting my certification next week. They’re really passionate about making the information security field as knowledgeable as possible and doing what it takes to increase the number of people who are qualified to work in the field by any means necessary.  

Are there any areas FRSecure could improve?

I don’t have anything from that engagement. Everything was pretty much as expected.

BACKGROUND

Introduce your business and what you do there.

I’m the CTO a nonprofit organization that provides online tools and services for people that are going through health training. We have about 30 million users worldwide.

OPPORTUNITY / CHALLENGE

What challenges were you trying to address with FRSecure?

I wanted to beef up the security at the organization. However, cybersecurity fell mostly in line with the folks that are doing operations, but I wanted to do more. I suggested making an investment there late last year but wasn’t able to justify a security team in-house. I wanted to look at a vendor that would provide that service for us long term.

SOLUTION

What was the scope of their involvement?

Our engagement with FRSecure ensures that we have adequate security as well as protection for the future. They took over the different security programs that we had in terms of physical controls, administrative controls, applications, and networks — both internal and external. We use them for the entire program as a way to help us safeguard ourselves from intruders.

The way it works is that a couple of these controls or phases are mostly one-off type engagements, although we want these more frequently. Part of the program that we have with them is that we expect them to come back, for example, to do a physical control every couple of years and then administrative controls annually. Both audits have been onsite, and that’s why I wanted to pick a local provider.

When they did the physical control, they spent the whole day here walking around the perimeters and checking the other tenants in our building to make sure that we are properly and adequately defended. The idea was to find a couple of weak points that we quickly addressed internally. There are a few more we continue to do which is good.

The administrative controls relate to HR policies, beta test policies, and so forth. We just got that report back, and even then they came and visited us both times before they produced a report. We are now in the process of digesting that report and determining which action items we want to take on.

When it comes to network and applications, we have them to do controls every couple of months or so. We could outsource the program in terms of one-off events, which we want to do more frequently than we have in the past. However, they’re not monitoring our network per se, but rather looking after us from a security perspective on an ongoing basis.

How did you come to work with FRSecure?

I had worked with other vendors that have multiple practices within the offering, but this is the first time that I’ve been involved exclusively for security. At the other jobs that I’ve had, we tended to have our own internal security teams. This is the first time I don’t have that.

We found FRSecure online and had a referral. I attended a couple of CTO round tables and they were there to present a couple of times. Then, I did some due diligence with a few other folks. I really wanted to look for a vendor that was local to the Twin Cities area, and they fit the bill. There were two other ones that I looked into, but security wasn’t really their only focus.

FRSecure is a bit more of a boutique shop with a very responsive service offering at a price point we can afford. So far, I’ve been pretty happy with them.

How much have you invested with FRSecure?

We’ve invested around $10,000. It’s not a very big engagement yet — after all, we are a nonprofit.

What is the status of this engagement?

This is a multiyear engagement with FRSecure. We chose them at the end of last year and started working with them early this year.

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?

We have done the physical controls and just concluded the administrative controls. We’ve gotten the reports back from them and taken some action based on their feedback. We are taking on additional things at our own pace according to what we can afford. They knew that security is one of the aspects that I wanted to do better in, but I also have to be realistic about the plate that we have. As long as we're making progress and getting good feedback, we should be happy.

They gave us a timetable of when to expect the reports as well. They asked us when we wanted the work and how the pace should be so that we don’t have to take on too much at the same time. If it were up to me, in a more full-profit type of environment, I would’ve wanted it to be a bit more aggressive in terms of timeline. So far, they’ve been right along with us in terms of our pace.

How did FRSecure perform from a project management standpoint?

We communicated mostly by email, phone, and conference videos. For example, there was an incident where we wanted to get some advice from them a couple of months ago, and that done through video. Most of the time, we do try to make it something more formal and have one-on-one meetings. When they came by recently to give us the audit reports for the administrative controls, we had them give our employees a seminar on how to better protect ourselves and how they can help us protect our data assets. I asked them to do it. It’s one of those add-ons that they do for free.

What did you find most impressive about FRSecure?

What’s most impressive for me is the intimate relationship that we have with them. Obviously, security is a serious issue. We wanted our vendor to take the matters of security seriously but at the same time be pragmatic about implementing the solutions that best fit our needs. More importantly, we needed to have the framework to go about doing it, and they did. For every control that they audited, we got a score. Based on that score, we easily communicate with the rest of the company where we are at and how we can best improve the score over time. It’s not like something we have to do right away but yet something that we continue to work on in a multiyear fashion.

Are there any areas FRSecure could improve?

How good they are is yet to be seen. It’s like when you do have a security incident, which is something I don’t want to have, then you can tell how technical they are. Right now, we’re going over ways of better protect ourselves. Some of these things we already knew and wanted to do anyways. At the same time, their expertise is really necessary when you have incidents, which thankfully we haven’t had yet. I hope to never find out.

So far, they’ve been pretty good. They do keep an eye on us and that’s all I expected to have.

What tips or recommendations could you share that might increase the likelihood of success with FRSecure?

Really be clear about what you’re looking for and be realistic about balancing what you need short term and long term. I didn’t want was guys giving me recommendations right away. 

With small businesses, you really need to make sure that the people that you work with can stand up to the recommendations they made over time. That’s why I wanted to have a multiyear engagement with a vendor that I can afford. I know I cannot pay for security experts in-house; I want to be able to bounce off ideas over time as needed, and they fit the bill.

BACKGROUND

Introduce your business and what you do there.

I’m the interim director of IT at The Saint Paul Foundation and The Minnesota Community Foundation, an office of 70 people who administer support of $1.3 billion in funds. We collect donations from donors, and we give donations to grantees and manage those relationships and investments for people. I've been here since February 15th of this year.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

In 2015, the organization determined that they needed a data security program. I don't know if that was due to a request of the board or some other influence, but the current director of IT was tasked with making progress in data security. When I started in 2017 and knew that I had responsibility for security, I reached out to FRSecure.

SOLUTION

What was the scope of their involvement?

I took that audit and told FRSecure that I only had the executive summary and needed the details. They provided all the documentation and background from the audit and offered support. I had a ton of questions, and I met with them. They helped me get up to speed and supported their materials 2-years later. The original audit provided value at the time and definitely gave this organization a boost in setting security policy and creating early security improvements to get the program established.

FRSecure helped educate me about the existing audit, but I also wanted to create an action plan of top security improvement items that should be completed in the next 6–12 months. They worked with me, free of charge, to create that, calling it a support of the existing audit.

How did you come to work with FRSecure?

We hired FRSecure before I arrived. I don't know how the previous IT director found FRSecure. I don't know if my predecessor vetted other companies against FRSecure, but I would imagine that it's a standard policy for us to look at multiple vendors.

In the early days, I called Clyde [Security Consultant, FRSecure] because I was trying to figure out who these people were while exploring my security audit. He came on-site with an analyst, and we spent a few hours together going over the original audit, pulling action items that remained, and looking at our next steps.

How much have you invested with FRSecure?

I didn't look up the cost of the original audit because I have spent nothing in the last 3 months, even though I have worked with them for a total of 10 hours, which is a lot of free work time. I don't know how much time on the backend they required.

What is the status of this engagement?

FRSecure performed the first information security audit for this organization in 2015. I’ve had a relationship with them since about February 20th regarding follow-up work from that original audit with the new director. They're still supporting that. They told me that "we stand by our audits, and we'll continue to support that work through its useful life." Since I'm still having lots of useful life from that original audit, they were continuing to consult on that without charging me extra money, even though I was using their time. 

RESULTS & FEEDBACK

What was the scope of their involvement?

I took that audit and told FRSecure that I only had the executive summary and needed the details. They provided all the documentation and background from the audit and offered support. I had a ton of questions, and I met with them. They helped me get up to speed and supported their materials 2 years later. The original audit provided value at the time and definitely gave this organization a boost in setting security policy and creating early security improvements to get the program established.

FRSecure helped educate me about the existing audit, but I also wanted to create an action plan of top security improvement items that should be completed in the next 6–12 months. They worked with me, free of charge, to create that, calling it a support of the existing audit.

How did you come to work with FRSecure?

We hired FRSecure before I arrived. I don't know how the previous IT director found FRSecure. I don't know if my predecessor vetted other companies against FRSecure, but I would imagine that it's a standard policy for us to look at multiple vendors.

In the early days, I called Clyde [Security Consultant, FRSecure] because I was trying to figure out who these people were while exploring my security audit. He came on-site with an analyst, and we spent a few hours together going over the original audit, pulling action items that remained, and looking at our next steps.

How much have you invested with FRSecure?

I didn't look up the cost of the original audit because I have spent nothing in the last 3 months, even though I have worked with them for a total of 10 hours, which is a lot of free work time. I don't know how much time on the backend they required.

What is the status of this engagement?

FRSecure performed the first information security audit for this organization in 2015. I’ve had a relationship with them since about February 20th regarding follow-up work from that original audit with the new director. They're still supporting that. They told me that "we stand by our audits, and we'll continue to support that work through its useful life." Since I'm still having lots of useful life from that original audit, they were continuing to consult on that without charging me extra money, even though I was using their time.

BACKGROUND

Introduce your business and what you do there.

Our bank has nine branches and is a $261M bank. I’m the CTO. I’ve been here for nine years.

OPPORTUNITY / CHALLENGE

What challenges were you trying to address with FRSecure?

When I came onboard, we had other suppliers doing the work FRSecure does, but I didn’t like their format and the information they were giving us. I needed a company that would do a better job for me.

SOLUTION

What was the scope of their involvement?

They’ve done a number of our access control audits as well as our internal and external penetration testing. They also helped us completely revamp our business continuity plan. The project was a collaborative effort depending on the project. For the internal and external penetration, I give them the information and they take it from there. For access control, it’s a collaboration of both of our teams. If I have questions, they give me feedback on how to improve it and steps I could take to make my information security program better. We have implemented the ideas they gave us.

How did you come to work with FRSecure?

Our bank president’s son worked for FRSecure, and that’s how we got the referral. I always look at two or three companies when I contract IT services, but what set FRSecure apart was their professionalism and knowledge. I had a conversation with their president, Evan, and was impressed with his background and ability. I could tell from the conversation that he knew what he was doing and knew what to look for. Their presentation led me to believe they had strong IT knowledge. There are a lot of companies that can do the service, but they don’t do it very well.

What is the status of this engagement?

We started working with them in 2008, and the work is ongoing.

RESULTS & FEEDBACK

Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?

We’ve made it through a number of bank exams without question. To me, that’s the key. We haven’t had breaches and stayed secure. We haven’t had any major issues with things we’ve implemented since becoming partners with them. I had good peace of mind working with them. Bank regulators require us to change providers every three or four years to get a different perspective. When I have to do that, I feel like I’m taking a step backward in growing my information security program because it wasn’t as comprehensive and didn’t have as much detail as FRSecure provides.

How did FRSecure perform from a project management standpoint?

We communicate in person or through email.

What did you find most impressive about FRSecure?

They’re a strong leader in IT. Evan is constantly on the news sharing information about different items that are going on in the world. He’s up to date and he makes his staff achieve the same level. They have a good leader, and you can see evidence of that in every aspect of the organization.

Are there any areas FRSecure could improve?

I don’t have anything negative to say.

BACKGROUND

Introduce your business and what you do there.

I'm the IT director of Van Horn Automotive Group, an employee-owned automotive group in Wisconsin that retails new and used cars.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We needed guidance in setting up an information security program. Our company hadn't had a formal approach to information security, and we needed a risk-based program that complied with our legal obligations. We also wanted to get to a place where we could confidently say we were careful with our customers' information.

SOLUTION

What was the scope of their involvement?

FRSecure provided a risk-based information security assessment, vCISO cybersecurity service hours, and incident response services. We did a vulnerability scan (internal and external) while working extensively on our technical controls and formal governance.

What is the team composition?

We worked with one vCISO, one project manager, one account manager, and two people on the risk assessment side.

How did you come to work with FRSecure?

We found them through an online search. The sizing of the organization made sense for us, and their approach met us where we were.

How much have you invested with them?

We’ve spent around $50,000 per year since 2022.

What is the status of this engagement?

We started working together in January 2022, and the engagement is ongoing. The deliverables of the incident response plan have been completed, and the risk assessment happens yearly. The vulnerability scan happens twice a year, and we use vCISO services frequently.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

FRSecure has a risk assessment platform called Security Studio that equates cybersecurity to a credit score. When we started, our score represented very low compliance and a high degree of risk. We're much higher three years later, having a score that represents a fairly mature program with the pillars of cybersecurity in place. 

The vulnerability scans FRSecure provided were important in raising our score and eliminating points of ingress across our network. While we have different solutions that perform that function now, we retain FRSecure as a solid second opinion on that topic.

How did FRSecure perform from a project management standpoint?

Project management is excellent and well-organized. They’re on time and respond very quickly. We primarily communicate through Teams meetings and email.

Are there any employees from the service provider's team that you would like to give a shout-out to in this review?

Our account management team has been great. Tonya has been flexible as our needs have changed. Jim has been excellent, and his calm approach helps us.

What did you find most impressive about them?

FRSecure's organizational philosophy makes them feel more like a partner and ally rather than a consultant just trying to tell us what to do. They want the best for us, push best practices, and understand what we can do within the business framework.

Are there any areas they could improve?

Nothing really comes to mind, honestly. They're genuine people and believe in their approach. It fits very well with us and that's why we've stayed with them.

BACKGROUND

Please describe your company and position.

I am the Network/Security Administrator of an education company

Describe what your company does in a single sentence.

Supports MN School districts with technology and teacher intergration

OPPORTUNITY / CHALLENGE

What specific goals or objectives did you hire FRSecure to accomplish?

• Ransomware Review
• Suggestions for the collaborative as a whole

SOLUTION

How did you find FRSecure?

Prior relationship

Why did you select FRSecure over others?

• High ratings
• Pricing fit our budget
• Great culture fit
• Company values aligned

How many teammates from FRSecure were assigned to this project?

2-5 Employees

Describe the scope of work in detail. Please include a summary of key deliverables.

Review 3 districts and their readiness for a Ransomware Event and supply individual reports for each with an overall executive summary where all three can grow that may apply to schools as a whole.

RESULTS & FEEDBACK

What were the measurable outcomes from the project that demonstrate progress or success?

The delivered reports.

Describe their project management. Did they deliver items on time? How did they respond to your needs?

Yes. Always responsive.

What was your primary form of communication with FRSecure?

Virtual Meeting

What did you find most impressive or unique about this company?

We were impressed by their thorough explanations, which deeply helped us make effective improvements.

Are there any areas for improvement or something FRSecure could have done differently?

This is difficult because schools are a hard one to add services to. In the business world, offering some more forms of help with areas would be ideal. Doesn't really fit the k12 mentality though.