FRSecure

BACKGROUND

Please describe your company and position.

I am the Chief Information Security and Privacy Officer of North Memorial Health

Describe what your company does in a single sentence.

Healthcare Provider System - 2 hosptials/Level 1 Trauma and 14 clinics

OPPORTUNITY / CHALLENGE

What specific goals or objectives did you hire FRSecure to accomplish?

• Provide us Cybersecurity expertise augmentation
• Partner with NMH on our Incident Response Program-High Level Support
• Perform an annual 3rd Party Information Security Risk Assessment

SOLUTION

How did you find FRSecure?

Word of mouth

Why did you select FRSecure over others?

• High ratings
• Close to my geographic location
• Pricing fit our budget
• Great culture fit
• Good value for cost
• Referred to me
• Company values aligned

How many teammates from FRSecure were assigned to this project?

2-5 Employees

Describe the scope of work in detail. Please include a summary of key deliverables.

FRSecure plays a vital role in our overall Information Security and Cybersecurity Program by augmenting our internal team with critical expertise that we do not maintain in house.  This expertise is leveraged primarily through bi-weekly interactions related to preventative work (vulnerability management consulting as needed) and cybersecurity incident response work.  
Our team represents the interal expert and FRSecure is the technical sme and has the resources needed if things get complex.  They also perform an annual pentest and risk assessment of our entire environment with the creation of a Risk Management Plan.   Lastly, they facilitate two 3rd party cybersecurity incident response table tops to test our program.  They are available to us 24x7x365 as needed.

RESULTS & FEEDBACK

What were the measurable outcomes from the project that demonstrate progress or success?

Risk reduction as evidenced on the Risk Assessment in scoring.

Incident Response MTTR on many incidents in under 30 mins start to finish, measured on our clock (meaning when incident actually occured).

Describe their project management. Did they deliver items on time? How did they respond to your needs?

Project manager is assigned and there is escalation if needed for any items that the project can't resolve.  They do respond to our needs and are very reasonable about out of control changes and very committed to try and figure out good solutions to problems that arise.

What was your primary form of communication with FRSecure?

• Virtual Meeting
• Email or Messaging App

What did you find most impressive or unique about this company?

They have a very high drive to do what is right and count on that if they do that the rest will fall into place. 

Are there any areas for improvement or something FRSecure could have done differently?

None that come to mind.

BACKGROUND

Please describe your company and position.

I am the Chief Technology Officer (CTO) of Bank of the Rockies

Describe what your company does in a single sentence.

Bank of the Rockies is a community bank based in southwest Montana and we offer retail and lending services (consumer, real estate, and commercial including agriculture).

OPPORTUNITY / CHALLENGE

What specific goals or objectives did you hire FRSecure to accomplish?

• Implement a solid vulnerability management program
• Determine what good looks like operationally and compliance-wise
• Establish metrics and manage to what good looks like

SOLUTION

How did you find FRSecure?

Networking

Why did you select FRSecure over others?

• Close to my geographic location
• Great culture fit
• Good value for cost
• Talented Resources

How many teammates from FRSecure were assigned to this project?

2-5 Employees

Describe the scope of work in detail. Please include a summary of key deliverables.

BOTR engaged FRSecure to perform an independent review of the people, process, and technology employed in the Vulnerability Management Function and to provide recommendations based on leading practices. These recommendations are intended to improve the function, to provide an understanding of what good looks like, and to provide a means to manage to what good looks like.

RESULTS & FEEDBACK

What were the measurable outcomes from the project that demonstrate progress or success?

We were able to inventory the people, processes, and technology involved in our vulnerability management function, to determine what good looks like (based on qualitatitive and quantitative metrics), and manage to what good looks like. Specifically, we are using our MDR's scanning with FRSecure's tool and working with our technology managed services provider to implement changes. We have knocked out all of our critical vulnerabilities and are working our way down with our highs being our next focus. Great work!

Describe their project management. Did they deliver items on time? How did they respond to your needs?

FRSecure employed a lead and supporting engineer as well as customer success team. They were able to work together to really keep things moving and make sure we are on-track.

What was your primary form of communication with FRSecure?

Virtual Meeting

What did you find most impressive or unique about this company?

The people are what impresses me about FRSecure. They are smart, they work hard, and they take pride in ownership. They also like to have fun so I have to say I'm in line with all of that!

Are there any areas for improvement or something FRSecure could have done differently?

Not that I can think of.

BACKGROUND

Introduce your business and what you do there.

I’m the director of information systems and part of the executive team at FAC Services. We’re a shared services organization providing professional services that are mainly financial in nature to three clients operating in the architecture, engineering, and construction industries. 

Our company has a team of 60 people, who are mainly accountants, law people, and software developers. A fair amount of our tools are built in-house for ERP, labor management, and client building.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We had in-house software providing project accounting features as part of our services. It had a fairly wide scope and stored financial and sensitive data. When we pushed the software into production, we hired FRSecure to do penetration testing.

SOLUTION

What was the scope of their involvement?

One of FRSecure’s testers did manual and automated testing on the security of our software. They then created a report on any vulnerabilities they found. It was purely a consulting-style service; they didn’t purchase any software or hardware. The service was done completely off-site.

What is the team composition?

I worked with one person in sales at the onset of our engagement. Then, an account manager took care of the scope of work and proposal. The rest of the project was done directly with FRSecure’s tester. A project manager was also involved in the effort. 

How did you come to work with FRSecure?

The engagement started with a cold call. Our company liked to work with different testers to see different points of view. On top of that, I was also a part of the American Council for Engineering Companies. People in that organization had good things to say about FRSecure. As a result, we hired them.

What is the status of this engagement?

The engagement happened in July 2022. Before that, we had our first discussion in March 2022 and signed an agreement in May 2022. We’ve already completed our business with them.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

The quality of FRSecure’s penetration testing report was much higher than we were used to; it was remarkably helpful. The debrief from the penetration tester was accurate. 

Usually, such reports either had too much jargon that I would have a hard time reading or were too long and had too much to look into — by contrast, FRSecure made sure that I understood every aspect of the report as an engineering manager. 

Moreover, the report included steps for my technical team to reproduce the findings. In other words, their deliverable was truly actionable and useful to my team.  

How did FRSecure perform from a project management standpoint?

FRSecure finished the project 100% per the targeted deadline and within our budget. In terms of tools, they shared documents with us via SharePoint. Everything was simple because there were only 2–3 people involved. There was no need for any milestone-based report. All of our communication was done via Zoom. 

What did you find most impressive about them?

The FRSecure team was truly cost-effective. A lot of opportunistic vendors existed in this field, but I found them to be reasonable. They were forthright, and their commercial practices were refreshing in that they were upfront and clear. We didn’t feel that money was wasted on things other than penetration testing. 

Are there any areas they could improve?

No, there weren’t any. They were an ideal vendor, and I’d highly recommend them. 

Do you have any advice for potential customers?

Take the time to present the software to FRSecure, and meet the penetration tester. Provide use cases for the tester. 

For example, I provided a matrix of different users with different permissions. This allowed the tester to focus on areas where we could escalate privileges to make the software more productive and enjoyable.

BACKGROUND

Introduce your business and what you do there.

I’m the CTO for a high school district in Park Ridge, Illinois that has about 6,500 students in three schools. We’re the first school district to ever adopt Google; our schools are among the best in Illinois. As the CTO, I’m in charge of all the technology used in the district; I’m responsible for everything from data systems and infrastructure to classroom equipment.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

Prior to my arrival at the district, there were no security efforts. As a result, I needed some help to get a better cybersecurity program.

SOLUTION

What was the scope of their involvement?

FRSecure gives me high-level advice and recommendations on how our organization can move forward in terms of establishing a security program. They essentially serve as our virtual chief information security officer (vCISO). They do most of their work for us remotely. The FRSecure team also offers penetration testing services, and I plan to take them up on that offer for our network. 

What is the team composition?

I work with two people from FRSecure. One of them is a customer representative; he’s in charge of the company’s relationship with me. The other person is a project manager’s who’s highly familiar with security programs. 

How did you come to work with FRSecure?

I found FRSecure’s contact information after I underwent a free Certified Information Systems Security Professional (CISSP) training program. That was how I first engaged with them. During that time, I acquired a favorable opinion of their organization — I became convinced of their expertise and alignment with our group’s mission. Their integrity stood out to me. As a result, I hired them. 

How much have you invested with them?

We’ve spent around $24,000 on their vCISO service; I also pay around $10,000 for their retainer. 

What is the status of this engagement?

We started the engagement in August 2021, and it's ongoing. 

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

FRSecure has successfully provided me with the foundational documents that I need to start our district’s cybersecurity program. Those documents include policy templates, disaster recovery plans, business continuity plans, and business impact analysis templates.  

How did FRSecure perform from a project management standpoint?

Their management skills are outstanding. Our engagement isn’t project-based; they simply provide the expertise that I don’t have. However, they offer great tools in terms of helping me do the foundational work necessary to start our security programs. In terms of communication, we talk on a bimonthly basis over the phone.

What did you find most impressive about them?

The team is more interested in their mission than money — that’s reflected in the fact that they offer free CISSP certification. They’re essentially donating their expertise to the profession, which is incredibly impressive for me. In other words, their integrity and relevance have been outstanding. Overall, the team is truly passionate about security and helping organizations. While they also need to make money, they’re truly more dedicated to making others secure. 

Are there any areas they could improve?

No, there aren’t any. The team has been responsive to my needs; they tailored their work around such needs. 

Do you have any advice for potential customers?

Know what you need. On top of that, somebody from your leadership team should handle the engagement with FRSecure. That person should be able to look into the relationship strategically. 

In my experience, many organizations jump directly to the day-to-day security operations. They buy the latest technologies that the vendor assures them will protect their organization — without analyzing their risks first. However, you can’t have a security program without doing some foundational work first, such as getting sign-offs from the executive team. FRSecure can help with this and lay a good groundwork for cybersecurity governance. 

BACKGROUND

Introduce your business and what you do there.

I’m the general manager of Brin Glass, a multi-location glass company across Minnesota. 

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We needed help in cybersecurity. 

SOLUTION

What was the scope of their involvement?

FRSecure provided us with a cybersecurity assessment. They conducted ethical network attacks, and their team prepared reports that detailed how we can improve our security. They gave suggestions on what we needed to close down and open up. 

What is the team composition?

I’ve worked with 7–8 teammates. Kelly (Client Success Manager) is our project manager. 

How did you come to work with FRSecure?

I had worked with FRSecure in the past. Their reputation was outstanding due to their high-quality work. When my current company needed the services they offered, it was an easy decision for me to lean towards FRSecure. 

What is the status of this engagement?

We worked together from October–December 2021.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

FRSecure touched on over 150 items throughout our network. I had been 100% satisfied with their work, and they had exceeded expectations. 

How did FRSecure perform from a project management standpoint?

FRSecure was perfect when it came to project management. They even waited for me a few different times. Nonetheless, they had been on top of the engagement — they were always on time, and their deliveries were spot on. We communicated through emails, phone calls, and Zoom meetings.

What did you find most impressive about them?

The thoroughness and completeness of FRSecure’s work were impressive. In addition, their team was incredibly professional and had all the necessary certifications. They were efficient and did a very good job. They overperformed and gave us more than we asked for.

Are there any areas they could improve?

I can’t think of anything. 

Do you have any advice for potential customers?

Be open and candid — the more information you provide, the better their work will become. Be honest with them, and they’ll work with you to create a solution. 

BACKGROUND

Introduce your business and what you do there.

I’m the VP of information security of a SaaS company that provides merger and acquisition life cycle support.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We needed a company that could help us improve our security posture by providing testing and monitoring services.

SOLUTION

What was the scope of their involvement?

FRSecure handled our organization’s security assessment in 2019, and we worked with them again in 2020 to test the improvements in our security controls.

This year, FRSecure provided three distinct services for us. They started the project by conducting an external penetration test, where they tested the external perimeter of our public-facing assets. After that, they did an internal penetration test wherein they tested our internal security controls.

The third service they provided was a risk assessment, which was essentially a miniature internal audit that was done to test the quality of the security program controls that protects our organization. They assessed our policies, procedures, and overall security controls.

What is the team composition?

We worked with three project managers, each of whom was assigned to the three separate engagements, a lead analyst, and an additional FRSecure employee who was our primary contact.

How did you come to work with FRSecure?

FRSecure was recommended to us by our previous chief security officer.

How much have you invested with them?

We invest $60,000 per year in FRSecure.

What is the status of this engagement?

We started working together in April 2019, and the engagement is ongoing.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

We have seen an improvement in our security controls, which have moved up a classification from fair to good. That was definitely a positive step for our company.

How did FRSecure perform from a project management standpoint?

FRSecure performed very well in terms of project management — they were incredibly responsive to any requests or questions that we had.

We primarily communicated with them via email or phone.

What did you find most impressive about them?

I’m really impressed with FRSecure’s focus on our needs and the removal of barriers. They are always willing to engage and empower us by providing constructive criticism and functional improvements that we could employ. They don’t just give us reports and tell us to do better next time — they actually provide us actionable feedback to help us improve ourselves and secure our organization.

Another thing that I like about them is that they don’t upsell themselves. Typically, vendors just want to sell you as much as they can, but that has never been the case with FRSecure. When we were looking into recommendations for some services that FRSecure doesn’t offer, they actually helped us connect with another vendor who could provide those services for us. 

They are very transparent about what they can or can’t do, and they’re willing to really work with us to determine our needs and get those solved, no matter what.

Are there any areas they could improve?

We asked them to provide us with a mapping of the international standards that the risk assessment program they performed is built on, but they haven’t delivered that yet. Other than that, there isn’t really anything I think they could improve on.

Do you have any advice for potential customers?

Make sure to be as open and transparent as you can be so they can help you in the best way they can.

BACKGROUND

Introduce your business and what you do there.

I’m the director of audit and risk management for Platte Valley Companies. We’re a financial services company that consists of three banks, an insurance firm, and an investment center.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

We were required by our regulators to have an annual external penetration testing done, so we hired FRSecure to do it for us.

SOLUTION

What was the scope of their involvement?

FRSecure provides us with standardized IT penetration testing. What they do is identify areas of improvement within our security by breaching our firewalls to look for weaknesses.

What is the team composition?

We work with Jennifer (Senior Account Executive) and Matt (Client Success Manager).

How did you come to work with FRSecure?

They reached out to me quite some time ago and sent me a free webinar. We went with them because we felt like they would provide the best value for us.

How much have you invested with them?

So far, we’ve spent around $6,500.

What is the status of this engagement?

The ongoing engagement started in May 2021. We’re going to work with them again to perform penetration testing in 2022.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

They implemented some tools and tactics that we haven’t seen before, and we just feel like the value they provide is good for the work that they do. They gave our in-house IT team actionable information to keep the project going.

How did FRSecure perform from a project management standpoint?

Their whole process is thorough so we're able to identify outdated security information like expired SSL certificates.

What did you find most impressive about them?

One thing that’s important from an internal audit perspective is the timeliness of the work, so we’re very impressed with how they start and end their work on time. Even though we’re a small client to them, we still feel like we’re certainly valued.

Are there any areas they could improve?

I can’t think of anything because we’re pleased with the work they’ve done.

BACKGROUND

Introduce your business and what you do there.

I am the VP of tech and operations for Emerging Therapy Solutions, a healthcare service provider. We provide coordination of transplant services from traditional organs to bone marrow. We are also breaking into the new gene therapy transplant market, helping get those services into the hands of patients that need them.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

In the healthcare space, we have to keep everything secure to protect patient’s data. We were looking for help creating a baseline annual security review process.

SOLUTION

What was the scope of their involvement?

FRSecure provides cybersecurity and testing services. First, they helped with our annual security review. This is a comprehensive review of everything related to our business, including policies and procedures. Their team also performed an internal scan and audit of our systems, reporting on the maturity level of our infrastructure. They helped us create a roadmap where we can track progress reports on security compliance. 

Next, they provided recommendations for what they viewed as areas of weakness. They also provided a rating and an explanation of their rating scales. This showed us how we rank against norms and standards and where we should be.

The team also ran an external penetration test against our public-facing audits. They scanned and tested the security of those systems. Then, the FRSecure team provided reporting on any vulnerabilities they found through those tests and recommendations to remedy them. Finally, they run quarterly internal scans.

What is the team composition?

I work with three members of the FRSecure team, including Christy (Client Success Manager), Victoria (Security Analyst), and Joshua (Associate Analyst).

How did you come to work with FRSecure?

Our compliance officer had worked with FRSecure while at another company and recommended them to us. 

How much have you invested with them?

We have invested between $15,000–$20,000.

What is the status of this engagement?

Our ongoing engagement with FRSecure began in September 2020. We have a two-year contract with them.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

Based on my past experience, working with FRSecure was exceptional. They’re extremely knowledgeable. This can be a daunting task for an organization and they were very professional and patient. 

The FRSecure team doesn’t waste time, they get right to it. Additionally, the results were very well laid out and did a great job of giving us a clear picture of what we needed to work on. They were also willing to accommodate some of our extra requests. 

How did FRSecure perform from a project management standpoint?

Christy currently runs our account and she does a great job communicating with us. I ended up feeling like they were a part of our team.

What did you find most impressive about them?

They brought professionalism, experience, knowledge, and logic to this endeavor. From the get-go, you can tell they’re experts in the space. I felt comfortable working with them, they really know what they’re talking about. 

Are there any areas they could improve?

No, everything went exceptionally well. 

Do you have any advice for potential customers?

Explore the process upfront with them. Go into the engagement knowing you’re going to work with a well-organized, well-structured, and professional team. Listen to them and don’t fight the process.

BACKGROUND

Please describe your company and your position there.

Founded on June 7, 1997, CaringBridge was the first social network created for communicating during a health crisis, developed nearly a decade before most social networking sites, including Facebook (2004) and Twitter (2006). CaringBridge is the first and most widely used global social network dedicated to helping family and friends communicate with and support loved ones during a health journey through the use of free, ad-free personal websites.

Our vision is a world where no one goes through a health journey alone. CaringBridge.org is used by over 30 million unique visitors every year, an average of almost 300,000 people visit CaringBridge per day, and those visitors come from over 235 countries and territories. CaringBridge is a non-profit with nearly 90% of funding coming from individuals who have used the site on a health journey. In 2019 we have more than 120,000 individual donors. More than a million donors have supported CaringBridge since 2002. My position is CTO, responsible for the product and technology which powers our mission.

OPPORTUNITY / CHALLENGE

For what projects/services did your company hire FRSecure?

We used FRSecure to assess and test our product's and organization's security capabilities.

What were your goals for this project?

CaringBridge is used by people going through very difficult times and often requiring that they communicate sensitive and personal information to their community. Part of our brand promise is that we will provide a secure and safe environment for them to work with their community of support.

Our objective was to evaluate the security of our environment and site to ensure we can provide the level of protection that our users expect. In addition, we are a non-profit that has limited resources and requires a security program that fits our organization.

SOLUTION

How did you select this vendor?

FRSecure has a comprehensive yet lightweight framework for evaluating an organization's security capabilities. Their cost was reasonable yet they provided excellent technical expertise.

Describe the project in detail.

We used FRSecure for our original assessment in early 2018. They provided both a risk assessment and an external Web Penetration Test. With their results they provided both a detailed assessment of our capabilities as well as templates and deliverables to jumpstart our remediation efforts.

We just completed a second round of security assessments including a risk assessment and an external Web Penetration Test in December 2019. Based on the framework they had provided for our previous remediation, we significantly improved our secure posture and capabilities since the original assessment in 2018.

What was the team composition?

The team included an executive sponsor and technical experts from CaringBridge. FRSecure supplied a project manager and technical security experts for the assessment.

RESULTS & FEEDBACK

Can you share any outcomes from the project that demonstrate progress or success?

Our security posture increased by 75% using a risk assessment scoring methodology from 483 to 702. The number of identified security issues dropped significantly. The framework that FRSecure provided to us significantly helped us to focus our remediation efforts and resolve individual security exposures.

How effective was the workflow between your team and theirs?

The coordination of the assessment was greatly helped by their Project Manager to ensure the whole effort stayed on track.

What did you find most impressive about this company?

The quality of the security assessment was very good and comprehensive. Yet the cost and impact were relatively low. This was an effort that even small organizations can absorb to improve their security posture to help protect their organization from all the bad actors out there in the world.

Are there any areas for improvement?

None

BACKGROUND

Introduce your business and what you do there.

Our application supports clinical trials. I’m our vice president of technology.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with FRSecure?

Our industry is heavily regulated, and we need to keep our data security HIPAA compliant. We needed help assessing the level of our information security, and reached out to FRSecure for their recommendations and improvements.

SOLUTION

What was the scope of their involvement?

Initially, we signed up for their virtual CISO (Chief Information Security Officer) program. They reviewed our policies and standard operating procedures to find any gaps, and they examined the physical security measures within our office. From all the information they gathered, they built a report that outlined our strengths and weaknesses, and a playbook that that suggested improvements for our weakest areas.

What is the team composition?

There is a project manager, but most of our interaction is with the Virtual CISO they provide. We meet with her once a month to review any new information or incidents that arise.

How did you come to work with FRSecure?

They’re a local company that could provide the level of engagement we were looking for. They came to our office and gave a good presentation of what they could do for us, and we felt that they would be the best fit for our needs.

How much have you invested with them?

We spend around $3,900 per month.

What is the status of this engagement?

The collaboration started in May 2018 and is ongoing.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

Since our industry is so highly regulated, we wanted to be sure our security was performing as well as it possibly could. We are subject to customer audits, and FRSecure helped us strengthen our policies and operating procedures to frame us in the best light with our customers.

How did FRSecure perform from a project management standpoint?

They manage the project well. Because of the virtual aspect, a lot of our interaction is over the phone. They follow up with summaries of all of our meetings, with useful ideas for next steps.

What did you find most impressive about them?

There is a lot of depth to their background in information security and physical security. They know how to provide full coverage and give good suggestions to eliminate gaps.

Are there any areas they could improve?

I can’t think of any areas of improvement for them at this time. We have a good relationship.

Do you have any advice for potential customers?

Be honest about the current status of your information security programs; don’t try to hide anything. They will be able to help you best if you are open with them.