vCISO Training- CvCISO Program Introduction

SecurityStudio created the Certified Virtual Chief Information Security Officer (CvCISO®) Program to establish an industry standard for vCISO quality and qualifications. This program is designed to address the pressing need within the cybersecurity community for highly skilled and well-qualified virtual Chief Information Security Officers (vCISOs).

This vCISO training program goes beyond conventional certification approaches. It strategically aligns its learning objectives with a broader mission, directly impacting individual vCISOs and the organizations seeking their expertise.

Recognizing the multifaceted needs of vCISOs, this vCISO training program aims to enhance their quality of life by providing a comprehensive support system. This includes increased opportunities for professional growth, improved benefits such as heightened productivity, a sense of accomplishment, and competitive pay. The program empowers vCISOs to excel by instilling confidence in their information security and risk management expertise.

Simultaneously, the CvCISO® Program is designed to elevate the quality of life for organizations navigating the complex cybersecurity landscape. It strives to create opportunities for these entities to achieve better returns on their cybersecurity investments.

vCISO Training Program Goals

The program underscores the potential risks of employing underqualified vCISOs, emphasizing that a poorly equipped vCISO could potentially cause more harm to an organization than if it had not employed a vCISO at all. Ultimately, the CvCISO® Program offers not only prestige to its certification holders but also an assurance to those who choose to employ them, ensuring a higher standard of cybersecurity leadership.

By equipping vCISOs with the skills and knowledge necessary to address contemporary challenges, the program enables organizations to bolster their cybersecurity protection with confidence. This holistic approach reflects a commitment to bridging the talent gaps within the information security sector and rectifying the systemic issues that have plagued the industry.

SecurityStudio acknowledges that the ultimate goal isn’t merely to churn out more vCISOs, but to cultivate professionals capable of making a tangible difference: good vCISOs working to a standardized practice.

The vCISO Training Certification- CvCISO

The vCISO training program comprises four distinct levels, from CvCISO® Level 1 to the advanced CvCISO® Expert, accommodating individuals at various stages of their careers.

There are no specific experiential prerequisites for entry into CvCISO® Level 1, ensuring inclusivity and accessibility. Conversely, achieving the CvCISO® Expert status demands substantial and diverse experiential accomplishments and an interview with industry leaders. Advancement within the program hinges on a triad of fundamental principles: training, experience, and collaborative engagement within the CvCISO® community.

The vCISO training regimen starts with the foundational Certified virtual Chief Information Security Officer Course (CvCISO-1), followed by specialized courses for those seeking to navigate more intricate organizational landscapes, as evidenced by the higher certification levels. Experience and training requirements are defined for each vCISO level, acknowledging the evolving skill set necessary for ascending the ranks.

The CvCISO Community

The hallmark distinguishing the CvCISO® Program lies in its unwavering emphasis on community. The group “CvCISO CommUnity” stands as a testament to this commitment. Within this specialized community, CvCISOs find more than just a platform for exchanging knowledge; they discover mentorship, validation, camaraderie, and avenues for career advancement.

The significance of this communal space is captured in the adage, “People come for the content but stay for the community.” While the program may initially attract individuals with its rich educational content, the thriving, collaborative community becomes the cornerstone of long-lasting connections and growth.

Regional CvCISO Chapters

The CvCISO Program has begun to extend its reach by establishing a regional CvCISO community chapter in Minnesota that, in time, will be duplicated nationwide. These chapters provide a localized dimension to the overarching community, fostering even closer ties, facilitating regional knowledge exchange, and strengthening the network of like-minded professionals. This unique blend of shared experiences, expertise, and regional connectivity enhances individual professional trajectories and contributes to the collective strength and resilience of the entire CvCISO network.

Importance of a Certified vCISO

A CvCISO® certification validates the professional’s proficiency in risk management and strategic security planning and is a tangible testament to their commitment to excellence. A vCISO with certified expertise ensures that an organization’s defense mechanisms are standardized, robust, and adaptive.

Beyond technical adaptability, a certification is a beacon of trust for stakeholders, clients, and partners. It signifies that the vCISO possesses a recognized and standardized set of skills, instilling confidence in their ability to safeguard critical assets and navigate the complex landscape of cybersecurity threats.

The CvCISO certification also extends beyond individual competence: it includes membership in the dynamic and supportive “CvCISO CommUnity,” so the holder gets both a stamp of individual proficiency and the support of professional peers.

Join the CvCISO Community

Whether you are seeking to advance, change, or enhance your career, the CvCISO certification badge represents more than just a credential—it is a symbol of excellence, trust, and belonging to a dynamic, growing community.

In a field where expertise and adaptability are paramount, the CvCISO certification is an investment in both individual growth and the collective strength of the cybersecurity community. Consider the CvCISO certification as a milestone and catalyst for propelling your cybersecurity career to new heights. For more information on our upcoming courses visit: SecurityStudio Academy.

S2PCI: The PCI Compliance Software helping to navigate the complex terrain of PCI DSS

Approach to Streamlining Documentation

In the rapidly advancing digital era, businesses face the task of safeguarding their customers’ payment data. Attaining and sustaining Payment Card Industry Data Security Standard (PCI DSS) compliance is a formidable challenge for many industries. This article delves into the intricacies of PCI compliance, highlighting the complexities faced by organizations and introducing our PCI compliance software solution, S2PCI, designed to streamline the often-arduous documentation process.

The Challenge of PCI Compliance

The path to compliance is fraught with complexity. This complexity is not just in the interpretation and adherence to the standards themselves. It’s more basic than that. Organizations struggle to identify which Self-Assessment Questionnaire (SAQ) form is appropriate for them. This form has far-reaching implications, determining which requirements they need to meet.

Resource Allocation and Security Implications

The pursuit of PCI compliance demands a significant investment of time, financial resources, and skilled personnel. Striking a delicate balance between these investments and other pressing business priorities is an ongoing struggle for many organizations. Additionally, the consequences of failing to comply with PCI DSS can be severe, ranging from data breaches to fines and reputational damage, elevating the stakes and adding pressure to an already intricate process.

Navigating the PCI Compliance Landscape

The lack of in-house expertise further complicates the PCI compliance journey for organizations. The absence of knowledgeable personnel can make it challenging to navigate the path toward compliance, especially when it comes to determining the correct Self-Assessment Questionnaire (SAQ) form. The result is often a time-consuming and resource-intensive process with potential compliance gaps.

A Thoughtful Solution- Our PCI Compliance Software

In response to these challenges, we’ve launched our latest product, S2PCI, to assist with this process. S2PCI is PCI compliance software aimed at organizations that fall under merchant Levels 2-4, because those levels are generally eligible to self-assess with a Self-Assessment Questionnaire (SAQ) rather than undergo a QSA-led Report on Compliance (ROC).

The four merchant levels of PCI compliance are, in broad terms (exact thresholds are set by each card brand, and your acquiring bank makes the final level determination):

  • Level 1: Merchants processing over 6 million card transactions per year (an annual ROC is required, completed by a QSA or a qualified internal assessor)
  • Level 2: Merchants processing 1 to 6 million transactions per year
  • Level 3: Merchants handling 20,000 to 1 million transactions per year
  • Level 4: Merchants handling fewer than 20,000 transactions per year

Exploring the Evaluation Workflow

Evaluation:

  • Initiating the evaluation for the Card Acceptance Process (CAP).
  • Answering a series of questions to determine business type, compliance level, and the correct SAQ form.
  • Avoiding the waste of resources associated with completing the wrong SAQ form.

Assessment (SAQ):

  • Completing the online SAQ form, including any required notes.
  • Achieving a compliant or non-compliant status for the CAP.

Remediation:

  • Organizing the collection of supporting evidence or pursuing further action on non-compliant requirements.
  • Achieving a compliant or non-compliant status for the CAP after remediation is completed.

Outcomes of S2PCI

  • Leveraging built-in logic to discern the correct SAQ form.
  • Facilitating the completion of the SAQ form online, significantly reducing the time required.
  • Minimizing the risk of selecting the wrong SAQ form.
  • Ensuring documentation aligns precisely with PCI standards.
  • Providing a platform to document and track progress toward compliance standards.
  • Facilitating the systematic gathering of evidence for all requirements.
  • Organizing workload through automatic communications, an evaluation scheduler, and evidence collection.

More Than Checking the Compliance Box

SecurityStudio doesn’t just aim to sell a product but to contribute to the ongoing dialogue surrounding information security, and by extension, compliance. We acknowledge the many challenges of achieving PCI compliance, but we also encourage everyone to think beyond checking a compliance box. We intend to foster understanding, inspire discussions, and, most importantly, offer a practical solution that aligns with the broader goals of improving your information security posture, as well as securing payment data.

PCI Awareness Training Recommendation

Complementing the endeavor to streamline PCI compliance, we suggest anyone looking to expand their knowledge of PCI compliance consider the PCI Security Standards Council’s PCI Awareness Training. This training program is tailored for individuals wanting to enhance their understanding of PCI, particularly those within organizations obligated to adhere to the PCI Data Security Standard (PCI DSS).


The journey toward PCI compliance is undeniably challenging, but a thoughtful solution like S2PCI can significantly alleviate the burden. By simplifying the documentation process and providing a structured approach, organizations can not only meet compliance standards but also optimize their efforts. We encourage organizations to view PCI compliance as a critical aspect of their commitment to data security and operational integrity, not just a means to check the box. It’s just good business practice. As businesses continue to evolve in the digital landscape, thoughtful approaches to compliance become integral pillars of responsible and secure operations. If you’re interested in seeing a demonstration of our PCI compliance software, S2PCI, we’d love to show you in more detail! Book a demo with one of our team members, or watch the demonstration below.

Introduction to S2Team

S2Team is a simple and inexpensive portal into employees’ cybersecurity habits

(Screenshot: S2Team dashboard)

S2Team collects anonymized data from a collection of personal information security risk management tool instances (S2Me) and presents the information to the organization in a simple, easy-to-understand, and easy-to-use manner.

It all starts with S2Me.

About S2Me

S2Me is a personal information security risk assessment and management tool used by 1,000s of people around the world. S2Me is personal, meaning nobody else sees results but the person using the tool for themself. People are far more likely to provide truthful information because it’s their information used to protect their life and their family better.

S2Me is organized into ten topics for ease of reference.

Assessment results are presented to employees in an attractive and easy-to-understand dashboard.

(Screenshot: S2Team full report)

The S2Score is used to quantify results, putting everything into context using a number range most people are already familiar with: 300 to 850.

Badges and achievements make the process of assessing and managing information security risk more competitive and enjoyable. Assessing personal information security risk is good; however, improving things is better.

(Screenshots: S2Team score; badges and achievements)

Recommendations are presented in plain English and risk scoring is used for setting the right priorities.

(Screenshot: S2Team recommendations)

The current version of S2Me is v2, and v3 is expected in Q1/2021.

How S2Team Uses S2Me

S2Team consumes data from S2Me and presents a simple dashboard for employers to make better risk decisions.

(Screenshot: S2Team trends)

The dashboard shows how many employees completed their S2Me, which employees have completed their S2Me, what the average S2Score is, and how the average S2Score has changed over time.

The “Employees” tab allows you to create your own custom URL/Promo Code. The custom URL/Promo Code is what ties your employee S2Me instances together into S2Team. Employees are given the URL/Promo Code for signing up with S2Me (they can also add it later).

(Screenshot: S2Team employees tab)

Finally, average employee topic scores are displayed. This information is useful in helping you decide how you could improve scores and/or mitigate unacceptable risks.

(Screenshot: S2Team topic scores)

How You Use S2Team

The process is simple.

  1. Sign up for S2Team, log in, and create your custom URL/Promo Code.
  2. Determine how you will provide S2Me to your employees. This decision often depends on your intentions and your culture, but the most common approaches are:
    1. As an employee benefit. Showing your employees that you care about their personal protection and the protection of their families is a great goodwill gesture.
    2. As a work-from-home requirement. Use S2Me as part of the approval process for working from home.
    3. As a general requirement. S2Me use is required for all employees in the organization.
  3. Watch the results come into S2Team!

That’s it. Simple. The next decision is what you’ll do with your newfound insight!

  • Will you tout the success?
  • Will you adjust your training and awareness materials to focus on the areas your employees benefit from the most?
  • Will you negotiate home security product bulk pricing for employees?
  • Will you do all these things?

There are many creative things you can do to help your employees protect themselves, and by proxy, help your organization.

Added benefit: all progress is measured!

Training & Awareness is better with S2Team

People pose the greatest risk to information security success. The challenge is not only teaching people how to be good stewards of their assets (systems, applications, and data), but it’s also helping them to apply what they’ve been taught.

Training and awareness programs are vital to the success of information security. The two most common activities we use to improve information security effectiveness with people are the creation and delivery of traditional training and awareness materials and testing.

Traditional training and awareness materials include:

  • Live training sessions.
  • Recorded training sessions.
  • Flyers and promotional material.
  • Newsletters and other reminders.

Based upon our study of traditional training and awareness, we estimate the effectiveness [1] of such activities to top out at ~60 (on a scale of 0-100).

Testing includes:

  • Phishing exercises.
  • Click tests.
  • Social engineering exercises.
  • Multiple-choice and true/false exams/quizzes.

Testing has been shown to improve the effectiveness of training and awareness by as much as 40%, but it still tops out at ~81 (on a scale of 0-100).

Taking your training and awareness activities to the next level with S2Me can improve the effectiveness of your training and awareness by 67% over traditional approaches and 17% over traditional approaches with testing.

(Chart: effectiveness of traditional training, training with testing, and training with S2Me)

Traditional and testing approaches to information security training and awareness are focused on skill-building, keeping security top of mind, and reinforcing safe behaviors, but they fall short in developing good information security habits. All of these things are important; therefore, we suggest using S2Me as a supplement to the other activities, not a replacement for them.

Advantages with S2Me

S2Me offers several advantages over traditional approaches and testing, including:

  • Unprecedented insight. Determining and measuring employee behaviors at home without violating their privacy is a challenge for organizations.
  • Motivated employees. Employees are more motivated because they are protecting themselves versus protecting their organization.
  • The truth. Employees tell us the truth versus telling us what they think we want to hear/see.
  • Better habits. People are creatures of habit, and S2Me focuses on building better security habits:
    • The same habits people use at home will translate into habits at work.
    • Habits are baseline behaviors, reducing the impact of distractions (other family members at home, social events, etc.)

Ask us how we can help you with better information security. We make it simple.

About SecurityStudio

SecurityStudio is a SaaS company dedicated to the mission of fixing the broken industry. We achieve our mission by creating simple, fundamentally sound, and inexpensive (or free) information security risk management tools for everyone.

At SecurityStudio, we’re always #MissionBeforeMoney!

[1] Effectiveness is defined as a positive change in employee behaviors over the long-term (>6 months). Positive changes include choosing strong passwords, turning on MFA, less clicking on links, etc.


Estimate your score or book free demo today

A company without rules would be in chaos. No one wants to follow up on a concern they’re unsure how to handle according to company procedure. That’s why it’s essential to write security guidelines from the get-go. 

With this information security policy guide, you can learn how to write a security policy. From stating its purpose to defining your objectives, writing policy becomes quick and easy. Don’t worry: this is a flexible policy template guide, so you can remove or add what you need to fit your profession or situation.

Now, are you ready to get started? Here’s an extensive look at writing an information security policy: 

What Is an IT Security Policy? 

An information security policy is a set of rules issued by an organization to ensure that all information within its domain is handled in accordance with the organization’s requirements. This applies to information that is stored both electronically and physically.

Why Is a Security Policy Important? 

Creating a security policy establishes the importance of information security and cybersecurity in your organization, and it helps reduce the risk of security issues such as ransomware, business disruptions, data loss, and data breaches. For newly established businesses it is also crucial, as a matter of defensibility, to have an appropriate security policy in place from the start.

With increasing digitalization, every staff member produces data that must be secured from unauthorized access. Depending on your industry, that data may even be protected by industry-wide regulations and guidelines.

Intellectual property, personally identifiable information, and other sensitive data should be held and protected to a higher standard. Thus, information security is crucial at every level of your company, and outside of your organization too.

Most businesses use some type of outsourced or hosted solution to help run their business, which means third-party vendors will have access to your company’s data. Thus, third-party risk, and vendor risk management in general, should be a part of any security policy. After all, third-party and fourth-party risk are no laughing matter.

What are the Elements of a Security Policy? 

Writing a security policy can be as brief or as extensive as you want it to be. It can cover topics like data security, social media usage, or even security training. 

However, it should engage and inform all staff members as to your company’s security requirements. That’s why you’ll want to include these nine essential elements in your security policy: 

1. Purpose of Intent 

First, you’ll want to draft an outline of the purpose of your security policy. When doing so, you might want to think about what you’re writing about and why. For instance, here are some common reasons: 

  • To provide an organized structure for security decisions
  • To detect and prevent security breaches involving third-party vendors
  • To detect misuse of applications, networks, data, and computer systems
  • To protect the company’s reputation
  • To meet legal, ethical, and regulatory requirements
  • To protect customers’ data and respond to complaints about data protection and security practices

Whichever reason you choose, you should place your purpose at the beginning of your document. That way, anyone who reads it has a clear idea of what the document is about and why it exists. 

2. Audience

You’ll want to carefully define who your security policy applies to and who it doesn’t. While you might not think a security policy would apply to third-party or even fourth-party vendors, don’t write them off the list just yet. Third-party and fourth-party vendors are all a part of vendor risk, which should be accounted for appropriately.

Whether or not you have a regulatory requirement to protect your customers’ data from third-party data leaks isn’t the point. Customers may still hold you liable for breaches that occur at your vendors, and because those vendors’ security practices were not under your full control, the damages could be costly.

3. Security Objectives 

These are the goals that have been agreed upon by all management personnel. They state what is wished to be obtained in the upcoming weeks, months, or even years. They also identify the strategies used to achieve each individual goal. 

It’s imperative that you state goals clearly and precisely so all staff members can understand. In fact, goals are important since they allow a person to challenge themselves and work to a higher level. With goals, individuals are ten times more likely to be successful in their endeavors. 

Most companies use the CIA triad to sum up their security objectives. The CIA triad consists of:

  • Confidentiality: Information and data are properly secured and protected from unauthorized users.
  • Integrity: Data is complete, intact, and accurate, and is not altered without authorization.
  • Availability: Systems and data are ready and available when needed.

Thus, the CIA triad gives organizations a complete and concise way to state their security objectives.

4. Authority and Access Control Policy  

This section is important because it states who has the authority to access certain information and who doesn’t. Remember, though, that this decision may not be entirely up to your company.

For instance, if you’re the chief of security at a hospital, you’ll likely have to obey HIPAA requirements and data protection demands. If you hold medical records, they can’t be viewed or accessed by any unauthorized user, whether online or in person.

An access control policy lays out the level of authority over the company’s data for each level of your organization. It should describe how to handle sensitive data, as well as who is in charge of security controls. Additionally, it can state what types of access controls are in place and the acceptable security standards.

Policies may also include a network security section. It defines who can have access to company networks as well as what type of security controls are needed. For example, some companies require strong passwords, ID cards, or access tokens, while others also require biometrics or other multi-factor authentication.

In some situations, employees are contractually obligated to comply with the security policy before gaining access to company information. That way, all employees understand what’s expected of them in terms of security practice.

5. Data Classification

This policy should classify data into different categories, so sensitive data cannot be seen by unauthorized parties. You can do this by classifying data as “secret,” “confidential,” or “public.”

Another approach is to divide data into levels. For instance:

  • Level 1: Public knowledge
  • Level 2: Information your company has chosen to keep private, but disclosing it wouldn’t cause harm to your company or to specific individuals.
  • Level 3: If disclosed, information has a risk of causing harm to specific individuals and to your company.
  • Level 4: If disclosed, information has a high risk of causing harm to specific individuals and to your company.
  • Level 5: If disclosed, information has a severe risk of causing harm to specific individuals and to your company.

With this type of scheme, levels 2 through 5 are treated as confidential, meaning they need some form of protection beyond what public data gets.

6. Data Operations and Support

Once data has been classified, you need to lay out how data at each level will be handled. Generally, there are three components to this section of the security policy:

  1. Data Protection: Sensitive data must be protected in accordance with company standards and applicable industry requirements, wherever it is stored.
  2. Data Backup: This component states how data is backed up, what encryption is used, and which third-party providers are utilized.
  3. Movement of Information: This component lays out how data may be communicated. Data classified as confidential should only be communicated over encrypted channels and should never be sent in the clear over public networks, to avoid breaches or leaks.

These three components ensure that data is kept safe and secure throughout its lifecycle. Writing them into the security policy allows a company to rely on its own documented standard when protecting and moving data.
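The classification scheme and handling rules above can also be expressed as a small policy-as-code check, so that a proposed transfer or backup is evaluated against the written policy rather than interpreted by hand each time. The following is an added example, not code from the original guide: the level names, the channel attributes (encrypted, public network, third party) and the sample requests are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Classification levels from the guide: Level 1 is public; Levels 2-5 are confidential.
    The member names are assumed for the example."""
    PUBLIC = 1
    INTERNAL = 2
    SENSITIVE = 3
    HIGH = 4
    SEVERE = 5


@dataclass(frozen=True)
class Channel:
    """Attributes of a transport or storage path (assumed attributes for the example)."""
    name: str
    encrypted: bool                  # TLS/SFTP for transit, encrypted volume or archive for backups
    public_network: bool             # path crosses the internet or another untrusted network
    third_party: Optional[str] = None  # vendor operating the path, if any


@dataclass(frozen=True)
class Request:
    action: str      # "transfer" (Movement of Information) or "backup" (Data Backup)
    level: Level
    channel: Channel


def is_confidential(level: Level) -> bool:
    """Levels 2-5 are confidential under the scheme in the guide."""
    return level >= Level.INTERNAL


def evaluate(request: Request, approved_vendors: frozenset) -> list:
    """Return the policy violations for one request; an empty list means it is allowed."""
    lvl, ch = request.level, request.channel
    problems = []
    if not is_confidential(lvl):
        return problems                       # public data: no handling restrictions
    if request.action == "transfer":
        # Movement of Information: confidential data only over encrypted channels,
        # and never in the clear over a public network.
        if not ch.encrypted:
            where = "in the clear over a public network" if ch.public_network else "unencrypted"
            problems.append(f"{lvl.name}: transfer {where} via '{ch.name}'")
    elif request.action == "backup":
        # Data Backup: backups must be encrypted, and only vendors that have passed
        # vendor risk review may hold them.
        if not ch.encrypted:
            problems.append(f"{lvl.name}: unencrypted backup to '{ch.name}'")
        if ch.third_party is not None and ch.third_party not in approved_vendors:
            problems.append(f"{lvl.name}: backup to unapproved vendor '{ch.third_party}'")
    else:
        problems.append(f"unknown action '{request.action}'")
    return problems


def audit(requests: list, approved_vendors: frozenset) -> dict:
    """Evaluate a batch and return {label: violations} for the denied requests only."""
    report = {}
    for i, r in enumerate(requests):
        violations = evaluate(r, approved_vendors)
        if violations:
            report[f"{i}:{r.action}:{r.channel.name}"] = violations
    return report


# Constructed sample data for the example (not from the guide).
APPROVED = frozenset({"BackupCo"})
SFTP = Channel("sftp-to-partner", encrypted=True, public_network=False)
PLAIN_FTP = Channel("ftp-over-internet", encrypted=False, public_network=True)
VAULT = Channel("encrypted-vault", encrypted=True, public_network=False, third_party="BackupCo")
USB = Channel("usb-drive", encrypted=False, public_network=False, third_party="ShadyBackups")

SAMPLE = [
    Request("transfer", Level.PUBLIC, PLAIN_FTP),   # allowed: public data has no restrictions
    Request("transfer", Level.SENSITIVE, SFTP),     # allowed: encrypted, private path
    Request("transfer", Level.HIGH, PLAIN_FTP),     # denied: cleartext over the internet
    Request("backup", Level.SEVERE, VAULT),         # allowed: encrypted, approved vendor
    Request("backup", Level.INTERNAL, USB),         # denied: unencrypted and unapproved vendor
]

if __name__ == "__main__":
    for label, problems in audit(SAMPLE, APPROVED).items():
        print(label)
        for p in problems:
            print("   -", p)
```

Running the block prints only the two denied requests with their reasons; the rules live in one place, so when the policy document changes (say, Level 5 is barred from third-party backup altogether) the check changes with it.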

7. Security Training   

A security policy that no one follows or quite understands is not a policy at all. You need your staff to understand and acknowledge what is required of them. That’s why training should be directed at informing all staff members of the security requirements.

This means management should go over access control, data classification, data protection, and the proper way to handle cyber threats. By training employees, you help them increase their knowledge and skill level.

Security training should include these components:

  • Social Teaching: Teach employees about phishing and other common social-engineering attacks.
  • Clean Desk: Laptops and documents shouldn’t be left on a desk for anyone to see. They should be secured or tucked away when they aren’t being used.
  • Acceptable Usage: When are employees allowed to use their personal devices, and when is it restricted?
  • Reporting Security Issues: Staff should be trained on when, how, and to whom to report security events and incidents.

8. All Responsibilities and Duties of Employees 

This is the part where you put your security policy into practice. In this section you can lay out the everyday responsibilities of employees. For example, here are some common areas of employee responsibility:

  • Network security
  • Device security
  • Data protection
  • Acceptable use
  • Vendor risk
  • Disaster recovery
  • Security awareness

Throughout this section, you should explain what your company expects for each area and communicate the strategies that may be used to meet each expectation. You can even provide employees with example scenarios and how to react in each situation.

You can also refer staff members back to higher management for routine questions or concerns. That way, each staff member understands the right way to handle security issues when they’re present. 

9. Other Security Policies 

It’s best to provide staff with as much information as possible. That’s why you might want to include other sections such as:  

  • Virus protection  
  • Remote work procedure 
  • Malware protection 
  • Consequences for non-compliance 

You also might want to link to, or provide staff members with, the technical guidelines for your industry. That way, all employees understand the industry regulations that apply and the consequences of not following them.

At the end of the document, you can add resources to other supporting documents or provide employees with the names and numbers of those to contact first for support issues.  

How Can a Security Policy Benefit Your Company? 

A security policy can benefit your company by establishing general compliance with security-related matters. As with any policy, it builds the framework for what is accepted and what isn’t in your company. 

By reading a security policy, employees can be better informed about the security nature of your company. It can also help staff members understand how to handle technical issues and recognize cyber-attacks before they happen. It can even inform employees of certain goals to keep in mind when handling data and highly classified information. 

A security policy also ensures consistency when following procedural steps. It can educate new employees on who to speak with regarding questions about security-related matters or concerns on tasks related to data protection, vendor risk, or network security.

It even allows other business partners to assess your security protocols to see if they would like to work with you. Thus, it demonstrates how strongly your company values security and the type of guidelines you want to have in place. 

Write Your Information Security Policy Today 

Writing an information security policy is essential to running your business and creating a protected space for highly sensitive data. It establishes a general approach to security matters while addressing crucial data concerns like data protection, data backup, and movement of information. It even limits what lower-level personnel can access by creating a classification system.

When writing, just remember to write your purpose of intent first and add any additional resources to the very end of the document. That way, you can put names and contact numbers, links to other policy materials, or guides to industry regulations in the document itself. 

If you’re interested in receiving a security policy template, contact us today. We look forward to hearing from you. 




What is third-party information security risk management?
Third-party information security risk management (“TPISRM” or vendor risk management for short) is a critical component for ALL information security programs. You cannot adequately account for information security risk without also accounting for TPISRM.


TPISRM isn’t new. Some organizations have been doing it for a long time, mostly larger companies (with adequate resources) driven by compliance requirements. In the early 2000s, I worked on TPISRM for a few Fortune 500 companies and saw first-hand how things were done.

In 2013, TPISRM took center stage when Target Corporation became aware of a significant data breach involving one of their third-party providers (Fazio Mechanical). This was one of the most publicized cybersecurity breaches of all time because of the timing (holiday season), the number of people affected (110 million+), and the fact that Target is one of the largest retailers in the world.

One of the many lawsuits that stemmed from the Target breach was a derivative action where shareholders filed suit against Target’s board of directors, essentially Target suing Target. When this happens, the court appoints a special litigation committee (SLC), and this is where I fit in again. I was retained by the SLC to assist and consult them[1] [2]. What does this have to do with TPISRM? A lot! Target’s vendor risk management program (or lack thereof) played a critical role in the breach.

Unfortunately, not enough has changed since then:

  • 66% of security professionals think that it’s possible or definite that they suffered a breach through third-party access[3]
  • Roughly 61% (just shy of two-thirds) of U.S. companies have experienced a data breach caused by a third-party.[4]
  • Third-party breaches and security incidents are more costly than ever, especially for smaller organizations.[5]
  • Only 52% of the companies in the United States have security standards for third-parties.[6]

TPISRM is more important than it’s ever been, and if you’re waiting for someone else to make you do it, it will be too late. Whatever you do, don’t half-ass this.

Three things before we jump into the “must-haves”:

  1. TPISRM can be done right and inexpensively, even in smaller organizations.
  2. You must engage in TPISRM, either now or later. “Now” hurts less.
  3. If you’re going to do TPISRM (which you’d better), make sure you do it right.


Quick SecurityStudio Introduction

SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.

The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.

Our tools:

In this document, we’ll discuss things related to S2Score, S2Org, and S2Vendor, but don’t worry, I won’t get salesy. I want you to get value from reading this more than I want to sell you something.

Alright, the seven “must-haves” for TPISRM.

7 Must-Haves for Effective Third-Party Information Security Risk Management

Must-Have #1 – Adequate Coverage

Your TPISRM MUST account for administrative, physical, and technical risk.

The most tempting place in TPISRM to take shortcuts is to treat it like it’s a technical or IT issue. DON’T! It’s not! It’s a business issue and to treat it as anything else will be done at your own peril.

Effective TPISRM practices MUST account for administrative, physical and technical risks. Isn’t it easier (and more likely) for an attacker to go through a secretary (or another person) than it is to go through a firewall, and who cares about a firewall when an attacker can just steal the server? This is truth. I know it. You know it. Certainly, attackers know it too.

Technical controls are part of TPISRM. Technical controls are not TPISRM in its entirety. Slight, but significant difference. Scans are good, but they won’t tell you squat about a third-party’s employee training program, asset management practices, onboarding/offboarding processes, access control procedures, server room security, etc., etc.


Must-Have #2 – Automated Workflows

Using manual processes with spreadsheets and calendars is error-prone, costly, and ineffective.

The only people who claim spreadsheets are the way to do TPISRM have either never done TPISRM or they’re stuck in the dark ages (“this is the way we’ve always done it”). Not only is using spreadsheets a pain in the butt, it’s expensive and ineffective.

There’s a much better way! Use an automated workflow where TPISRM processes (inventory, classification, assessment, remediation, etc.) are programmatic. If you’ve got money to waste, you could build your own automated workflow tool, but a better choice is probably using a commercial tool. Automated workflows ensure that everything is tidy and easy to manage. If you’re handling any more than one or two third-party relationships, an automated workflow is a must.

Another fact: there is a demonstrable ROI in using an automated workflow versus using manual processes.


MUST-HAVE #3 – Distributed Workloads

No single person knows enough about all vendor relationships to be effective.

The wrong way to handle TPISRM is to name a “TPISRM Manager” or “Vendor Risk Manager” and leave everything to them. It’s unlikely that this person engaged the third-party in the first place, understands how the organization uses the third-party, and/or maintains the relationship with the third-party.

For each third-party relationship, there’s someone who’s responsible for the relationship. We sometimes call this person the “relationship manager”. These people must be involved in the TPISRM process. The best place for this person/group to be inserted into the TPISRM process is usually:

  • Third-party inventory management – validating that the third-party is still engaged by the organization.
  • Vendor contact maintenance – validating that the third-party’s contact information is valid.
  • Inherent risk determination (or classification) – validating how the organization uses the third-party, including the nature of the products or services provided.

If you’ve addressed the first two “must-haves” in our list, ensure that the tool you use will enable or facilitate participation from other people and groups. A shared workload makes everything better.


MUST-HAVE #4 – Quantification

It’s easier to defend a process or system than it is to defend your judgment.

Regardless of how good you get at TPISRM, a bad thing (breach, disruption, or whatever) will eventually happen. No matter what you do, you cannot prevent all bad things from happening, but that’s not the point anyway. Risk elimination is impossible. Risk management IS possible, and it’s the objective.

The truth is, at some point you’ll need to defend your TPISRM program from someone, and they’ll probably question your judgment. It might be the board of directors, a regulator, a customer, or (God-forbid) opposing legal counsel. Somebody, somewhere, is going to question what you’re doing.

Quantification helps take your judgment out of the equation, and quantification comes through measurement. Quantification allows you to make comparisons between third-parties and set thresholds of acceptable risk. A threshold of acceptable risk is easier to defend because you hold all third-parties to the same standard. One-off and arbitrary decision-making will be much harder to defend.

I have trouble remembering what I did last weekend, let alone a decision I made in February of last year.

Adding to defensibility is using a tool, process, and/or risk threshold that’s used by others. There’s (some) safety in the herd.


MUST-HAVE #5 – Objectivity

Binary (1 or 0) decisions are more efficient, easier to defend, and scorable.

Which question is more efficient, easier to defend, and scorable:

  • Tell me about your information security program? OR
  • Do you have a documented information security program?

How about these:

  • How do you train your employees? OR
  • Do you train your employees?

Binary (1 or 0, “yes” or “no”, etc.) questions are objective and create a much better measurement/quantification than subjective, open-ended questions do. The downside to objective questions is the need to ask more of them. Once someone answers “Do you train your employees?”, we’ll need to ask more binary questions about the training.

Using objective criteria will also reduce the need for interpretation where two people can look at the same subjective/open-ended response and interpret in completely opposite ways. Subjectivity steals the efficiency and defensibility out of our TPISRM program.


MUST-HAVE #6 – Inventory Management

Garbage in, garbage out.

The entire TPISRM process starts with your inventory of third-party relationships. It’s the first step. There’s the initial inventory and ongoing inventory management.

Build your initial inventory by checking who you’re paying, either through invoices, credit card payments, or employee reimbursements. Chances are good that you’re paying your third-parties in some manner, so Accounts Payable (or similar) is a great place to start.

In order to keep your inventory current, the “ongoing inventory”, you’ll need to determine how important it is for you to maintain a live inventory or if a periodic third-party inventory reconciliation is good enough. The answer should be a function of the churn in your third-party relationships. If third-parties come and go often, then there’s more justification for the live inventory approach. In a live third-party inventory scenario, you’ll need to make sure your third-party engagement/procurement/enrollment process is tightly-integrated with your TPISRM processes. Maybe you don’t pay any third-party until they’ve been assessed for cyber risk.

Periodic reconciliation consists of validating your inventory periodically, maybe on an annual basis.

A good TPISRM tool accounts for all the “must-haves” here, including assistance with third-party inventory management. Entering third-party information one-by-one is fine but becomes a real pain when you have many third-parties to enter. Great features are bulk upload of third-party information and API integration with other enterprise systems such as accounts payable or procurement.
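The initial-inventory and ongoing-reconciliation steps described above, worked through in Python as an added example (this is not SecurityStudio or S2Vendor code). It matches a constructed accounts-payable export against a constructed TPISRM inventory export, reports the payees that need enrolling and the inventory entries the relationship manager must confirm or retire, and includes a payment gate for the live-inventory case where nobody gets paid until they have been assessed. The vendor names, column names, one-year payment window and the `status` values are all assumptions.

```python
"""Third-party inventory reconciliation against accounts payable.

Added example; not SecurityStudio code. The two CSV exports, their column
names and every vendor in them are constructed for illustration.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed accounts-payable export: who has actually been paid, and when.
AP_EXPORT = """\
payee,last_paid,amount
Acme Cloud Hosting Inc.,2024-05-02,1200.00
Fabrikam HVAC Services LLC,2024-04-18,850.00
Northwind Payroll Services,2023-01-15,2300.00
Blue Widget Marketing,2024-05-10,400.00
"""

# Constructed TPISRM inventory export: what the program thinks it manages.
INVENTORY_EXPORT = """\
third_party,relationship_manager,status
ACME CLOUD HOSTING,jsmith,assessed
Northwind Payroll Services Inc,kdoe,assessed
Contoso Legal LLP,alee,pending
"""

_SUFFIX = re.compile(r"\b(inc|llc|llp|ltd|corp|co)\b\.?", re.IGNORECASE)


def normalize(name: str) -> str:
    """Matching key: lowercase, drop legal suffixes and punctuation, collapse spaces.
    Accounts payable and procurement rarely spell a vendor name the same way."""
    key = _SUFFIX.sub(" ", name.lower())
    key = re.sub(r"[^a-z0-9 ]", " ", key)
    return " ".join(key.split())


def load(csv_text: str) -> list[dict]:
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(ap_rows, inventory_rows, as_of: date, window_days: int = 365):
    """Return (unmanaged, stale, matched), each a sorted list of names.

    unmanaged: paid inside the window but absent from the inventory -> enroll and assess
    stale:     in the inventory but not paid inside the window -> confirm or retire
    matched:   in the inventory and paid inside the window
    """
    cutoff = as_of - timedelta(days=window_days)
    recent = {normalize(r["payee"]): r["payee"]
              for r in ap_rows if date.fromisoformat(r["last_paid"]) >= cutoff}
    managed = {normalize(r["third_party"]): r for r in inventory_rows}
    unmanaged = sorted(recent[k] for k in recent.keys() - managed.keys())
    stale = sorted(managed[k]["third_party"] for k in managed.keys() - recent.keys())
    matched = sorted(managed[k]["third_party"] for k in managed.keys() & recent.keys())
    return unmanaged, stale, matched


def payment_allowed(payee: str, inventory_rows) -> bool:
    """Live-inventory gate: release payment only to an assessed third-party."""
    managed = {normalize(r["third_party"]): r for r in inventory_rows}
    entry = managed.get(normalize(payee))
    return entry is not None and entry["status"] == "assessed"


def run_example(as_of: date = date(2024, 6, 1)):
    """Reconcile the constructed exports as of a fixed date."""
    return reconcile(load(AP_EXPORT), load(INVENTORY_EXPORT), as_of)


if __name__ == "__main__":
    unmanaged, stale, matched = run_example()
    print("Enroll and assess:", unmanaged)
    print("Confirm or retire:", stale)
    print("Matched:", matched)
    print("Pay Contoso Legal LLP?", payment_allowed("Contoso Legal LLP", load(INVENTORY_EXPORT)))
```

The name normalization is the part that bites in practice: without it, the same vendor appears twice (once as AP spells it, once as procurement spells it) and the reconciliation reports phantom gaps. The window length should follow the churn in your third-party relationships, as the text says; a year is only a starting point.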


Must-Have #7 – Simplified Processes

Complexity is the enemy of information security.

Your TPISRM process shouldn’t consist of any more than four primary steps. If it’s more than four steps, you might be making this harder on yourself. The four steps are Inventory, Classification, Assessment, and Decision-Making. That’s it.

In some cases, you may need to repeat steps, but it’s still only four steps. For instance, you may decide (Decision-Making) that the risk posed by a third-party is unacceptable. In this case, you could decide to remediate, which will then lead back into the Assessment step.
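Must-Haves #4, #5 and #7 together describe a small, repeatable machine: classify inherent risk from how the organization uses the third-party, score a binary questionnaire, compare the score with a threshold set per classification, and loop back through assessment when the decision is “remediate”. The following is an added example of that loop in Python; it is not S2Vendor’s scoring model. The questions, their weights, the three tiers and the acceptance thresholds are assumptions chosen to show the mechanics, including the point from Must-Have #5 that a “yes” leads to further binary follow-ups, which score nothing when the parent question is “no” or unanswered.

```python
"""Four-step TPISRM loop: classify -> assess -> decide -> (remediate and re-assess).

Added example, not S2Vendor's scoring model. The questions, weights, tiers
and acceptance thresholds are assumptions that illustrate the mechanics.
"""
from dataclasses import dataclass, field
from enum import Enum

# Binary (yes/no) questions: id -> (domain, text, weight, parent question or None).
# Must-have #1: administrative, physical and technical coverage.
# Must-have #5: a follow-up only counts when its parent was answered "yes".
QUESTIONS = {
    "A1": ("administrative", "Do you have a documented information security program?", 3, None),
    "A2": ("administrative", "Do you train your employees on information security?", 2, None),
    "A3": ("administrative", "Is training completed at hire and at least annually?", 1, "A2"),
    "A4": ("administrative", "Do you have a documented onboarding/offboarding process?", 2, None),
    "P1": ("physical", "Is server room access restricted and logged?", 2, None),
    "P2": ("physical", "Do you maintain an inventory of hardware assets?", 1, None),
    "T1": ("technical", "Is multi-factor authentication required for remote access?", 3, None),
    "T2": ("technical", "Are external-facing systems scanned for vulnerabilities?", 2, None),
    "T3": ("technical", "Are critical vulnerabilities remediated within a defined SLA?", 1, "T2"),
}


class Tier(Enum):
    """Inherent-risk classification of the relationship."""
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Assumed acceptance thresholds (score out of 100) per inherent-risk tier.
# One standard per tier, applied to every third-party, is what makes the
# decision defensible (must-have #4).
THRESHOLDS = {Tier.LOW: 50.0, Tier.MEDIUM: 65.0, Tier.HIGH: 80.0}


def classify(handles_sensitive_data: bool, has_system_access: bool, business_critical: bool) -> Tier:
    """Inherent risk from how the organization uses the third-party.
    These answers come from the relationship manager, not from the vendor."""
    if handles_sensitive_data or has_system_access:
        return Tier.HIGH
    if business_critical:
        return Tier.MEDIUM
    return Tier.LOW


def counts_as_yes(qid: str, answers: dict) -> bool:
    """Unanswered questions score 0; a follow-up needs its parent answered yes."""
    _domain, _text, _weight, parent = QUESTIONS[qid]
    if parent is not None and not answers.get(parent, False):
        return False
    return bool(answers.get(qid, False))


def score(answers: dict) -> dict:
    """Weighted yes-ratio out of 100, overall and per domain (rounded to 0.1)."""
    earned = {"administrative": 0, "physical": 0, "technical": 0, "overall": 0}
    possible = dict(earned)
    for qid, (domain, _text, weight, _parent) in QUESTIONS.items():
        possible[domain] += weight
        possible["overall"] += weight
        if counts_as_yes(qid, answers):
            earned[domain] += weight
            earned["overall"] += weight
    return {k: round(100.0 * earned[k] / possible[k], 1) for k in earned}


@dataclass
class Decision:
    tier: Tier
    score: float
    threshold: float
    outcome: str                                    # "accept" or "remediate"
    remediation: list = field(default_factory=list)  # failed question ids, highest weight first


def decide(tier: Tier, answers: dict) -> Decision:
    """Decision-making step: same inputs always give the same, recorded decision."""
    overall = score(answers)["overall"]
    threshold = THRESHOLDS[tier]
    if overall >= threshold:
        return Decision(tier, overall, threshold, "accept")
    failed = [qid for qid in QUESTIONS if not counts_as_yes(qid, answers)]
    failed.sort(key=lambda qid: QUESTIONS[qid][2], reverse=True)
    return Decision(tier, overall, threshold, "remediate", failed)


def run_example():
    """Walk one constructed vendor through the loop; returns (first, second) decisions."""
    tier = classify(handles_sensitive_data=True, has_system_access=True, business_critical=False)
    answers = {"A1": True, "A2": True, "A3": False, "A4": False,
               "P1": True, "P2": True, "T1": False, "T2": True, "T3": True}
    first = decide(tier, answers)
    # Remediation closes the two highest-weight gaps, then the vendor is re-assessed.
    second = decide(tier, dict(answers, T1=True, A4=True))
    return first, second


if __name__ == "__main__":
    for d in run_example():
        print(d.tier.value, d.score, d.threshold, d.outcome, d.remediation)
```

Two design choices worth keeping whatever tool you use: an unanswered question scores as “no”, so silence never improves a vendor’s score, and the remediation list is ordered by weight, so the conversation with the vendor starts with the gap that matters most rather than the one that is easiest to close.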


BONUS: Third-Party Risk Assessment/Questionnaire Re-Use

Everybody hates filling out dumb questionnaires.

I have yet to meet anyone who enjoys filling out TPISRM questionnaires from their customers. If I did, I’d question their sanity. Filling out questionnaires is a waste of time. There are three ways we can make this more enjoyable and usable for everyone.

  1. What if we made the questionnaire into an organization’s information security risk assessment?
  2. What if an organization’s own/internal information security risk assessment could be used in lieu of a questionnaire?
  3. What if we reused a questionnaire that a third-party completed for someone else?

Yes, yes, and yes please!

On the SecurityStudio platform we’ve developed two effective, best practice, and simple tools to enable all the “must-haves” in this document, and significantly reduce wasted time, effort, and money for your third-party friends. By reusing assessments and questionnaires, you’ll get better results in your TPISRM efforts and your third-parties will sincerely appreciate having to do less work!

The tools are S2Vendor and S2Org.

S2Vendor is our best-in-class TPISRM tool for organizations of all shapes and sizes. S2Org is our best-in-class tool for managing an organization’s own information security risk, including a vendor’s own security performance. Combined, there are no other solutions that compare!

Let’s demonstrate how these tools work together.

  1. A third-party who completes an S2Vendor questionnaire can use the same information to manage their information security program with a simple click of a button. The click of the button imports their responses into their own (private) S2Org portal where they can track results, print reports, create a roadmap (risk treatment plan), manage the roadmap, and much more! Not only can the third-party use this information to improve their security program in a measurable way, but they’re also more inclined to provide truthful answers to you as their customer.
  2. There are more than 3,000 organizations who already use the SecurityStudio platform and S2Org for information security risk assessments and management. Rather than having to complete another tedious questionnaire, an S2Org user can just choose to share their assessment (or resulting S2Score) with the S2Vendor user (you).
  3. If an S2Vendor third-party risk assessment has already been completed on behalf of a vendor by someone else, rather than completing another assessment, you can allow them to confirm and reuse one that they’ve already completed. This saves you the headache of dealing with pushback and saves your third-party vendors a lot of time.

In Closing

There you have it. If you want to build a TPISRM practice/program the right way, these are seven things that you must have. Short cuts, manual processes, bottlenecks, subjectivity, gaps, and complexity must all be accounted for and taken out of the equation. If you’re into these things, well, that’s too bad. They’ll eventually come back to haunt you.

All the best.
Evan Francen, CEO



If you’re a manager in IT or Information Security, I’m sure you’ve already heard the phrase many times, “It’s not IF you’ll be breached, but WHEN.” In which case, you know that you need to do “something” to better prepare your organization for the possibility of a breach and how to respond, but how?

There are two immediate steps you and your organization can take:

  1. Complete a risk assessment to identify your organization’s most vulnerable processes, and
  2. Prepare an Incident Response Team.

Complete a Risk Assessment

Until recently, completing a risk assessment on your organization either cost a lot of money or required a skilled professional. Other free tools exist, but in most cases the S2Org Risk Assessment is the fastest and most effective way to get a complete view of your organization’s overall cybersecurity posture and of where it is most vulnerable to a breach.

Based on the security assessment criteria used by information security consulting firm FRSecure for over 10 years, S2Org is designed to identify the greatest risks to your organization’s information overall. The assessment lets you quickly identify the weaknesses in your organization’s human-run processes, physical controls, and technical controls. Because S2Org updates scores immediately as you answer, you can complete a broad, high-level assessment or dive deep into your controls by involving multiple people in the process. A well-informed IT Director (or similar) at a small-to-mid-sized organization could complete the assessment in a couple of hours, quickly showing where the organization is most vulnerable to attack and therefore most likely to suffer a breach.

At the completion of the assessment, your organization receives an overall score as well as a score for each of the four phases (Administrative, Physical, Internal Technical, External Technical). S2 scoring uses a scale of 300-850 (modeled after the credit score), with 300 rated Very Poor (High Risk) and 850 Excellent (Low Risk). Because S2Org is divided into these four control-group phases, you can also assess any one group independently and report on its results immediately.


Equipped with the results of your risk assessment you’ll be able to develop a plan to address your most severe vulnerabilities to help prevent or reduce the impact of that impending breach, as well as to better equip and prepare your Incident Response Team to respond.

Prepare an Incident Response Team

While you don’t have to complete a risk assessment before you prepare your Incident Response Team, it will help you better select the appropriate people with the best skills suited to respond to the type of breach that your organization would be most impacted by.

An Incident Response Team is a group of individuals responsible for managing the organization’s response to an information security incident. An information security incident is defined as: A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with Information Resources or operations; or a significant violation of policy. For example, incidents may include:

  • Violation of company policy
  • Attempts to gain unauthorized access to the organization’s systems or information
  • Denial of service to the organization’s systems or services
  • Unauthorized use of company systems
  • Loss of confidential or private information

No matter the size or industry, your organization should develop at least a basic Incident Response Plan (IRP) with the appropriate people identified to respond. Lack of a good communication plan is one of the primary reasons that so many organizations fail at responding to a breach. At a minimum your plan needs to identify how customers, personnel, and other sources of information will report potential incidents to your team, and who within your organization is responsible for managing your organization’s response.

The primary goal of your Incident Response Team (IRT) is a quick and appropriate reaction to a potential or actual breach. At a minimum, your team should have an Incident Response Commander. This person takes overall responsibility for the incident response program and the IRT’s response activities. They ensure that there is a plan and that it will be effectively executed when an incident occurs.

Other IRT members may hold the following roles:

  • Privacy officer – familiar with privacy laws and requirements for the organization concerning the information it manages
  • Security officer – familiar with security obligations of the organization concerning the systems it manages
  • Legal Counsel – familiar with legal and contractual obligations of the organization
  • Public Relations manager – oversees the development of any customer or public communications
  • Financial Officer – able to make funds available for response activities
  • Technology Manager – manages the technology team engaged in response activities
  • Facilities Manager – manages facilities involved in response activities

Ideally your IRT should consist of 6-8 people, depending on the size of the organization; a small company’s IRT may consist of a few people with multiple responsibilities, where a large enterprise’s IRT may consist of key decision makers across multiple regions. Regardless of the size, a communication plan needs to be established ahead of time, and all team members need to be aware of the organization’s definition of an incident and appropriate response in order to achieve its response objectives.

Realistically, no organization can protect themselves from every possible type of threat to their information and systems. The best way to prepare your organization is to identify and address its most vulnerable processes and be prepared to react when a breach does occur.



Measuring and managing information security risk is no longer optional in today’s world. SecurityStudio has developed simple, fundamental, and compliant cybersecurity assessments for organizations of all sizes and industries.

Value proposition – Brief

The cybersecurity market is noisy, chaotic, and full of solutions claiming to solve every problem under the sun. Buying decisions are being made without a clear, plain English understanding of how these products and services will measurably improve your security posture. It doesn’t need to be this way.
SecurityStudio simplifies information security risk management by focusing on the fundamentals and translating risk into a language that all people understand. There is no other platform that simplifies cybersecurity like we do, certainly not without taking shortcuts or compromising credibility.

NOTE: For the sake of brevity, we will use the terms “cybersecurity” and “information security” interchangeably in this document.

Introduction to SecurityStudio


SecurityStudio has built a platform of simplified, best-in-class cybersecurity assessment tools that enable businesses to spend more time and money growing their business and less on aimless cybersecurity ventures.

SecurityStudio provides the following tools to customers of all sizes, in all vertical markets:

  • S2Org  – Answer yes/no questions about your organization, receive measurement of all risks, a variety of report formats and a prioritized action plan.
  • S2Vendor – Automate the process of documenting and managing the security of your service providers and vendors.
  • S2Team – Leverage the free S2Me assessment, measure the security risk of your team and focus training efforts where they will do the most good for you and your team.

These tools were designed, employed and tirelessly honed by security experts in the real world and are now available for all to use.

Reason #1 – It’s Free

The core functionality of the SecurityStudio platform is completely free. SecurityStudio believes you should spend your money where it has the most benefit to your business. Given today’s information security “money grab”, a free and effective cybersecurity risk assessment tool is refreshing and empowering for business leaders.

With our platform, you can do all the following at zero cost:

  • Perform the S2Org assessment
  • Produce an S2Vendor for your organization
  • Streamline vendor risk management due diligence
  • Perform S2Me assessments
  • Identify cybersecurity risks and receive unbiased recommendations
  • Produce, download, and print easy-to-understand and attractive reports

SecurityStudio believes that good cybersecurity risk assessment tools should be free, leaving more of your hard-earned dollars for value-added services and other risk management efforts.

Reason #2 – It’s Simple

Complexity is the enemy of good cybersecurity. The key to your cybersecurity success is simplification. Don’t confuse simple with easy or with taking shortcuts, it’s quite the opposite. Effective cybersecurity requires work, but it requires focused and measurable work. Simplification means that we’ve taken complex cybersecurity concepts and broken them down into fundamental and simple building blocks. Most risk is found in fundamental weaknesses, making our assessments the perfect foundation for your cybersecurity efforts.

The strength in SecurityStudio’s assessment tools is found in their simplicity.

There is no such thing as a cybersecurity “easy button”, but SecurityStudio specializes in creating cybersecurity simple buttons.

Reason #3 – It’s Credible

SecurityStudio tools are built from a combined 300+ years of information security experience, and our assessments have been used by organizations of all shapes and sizes. Adding to our credibility, our assessment criteria are cross-referenced to common security standards such as the NIST Cybersecurity Framework (CSF).

The S2Org has been conducted more than 2,000 times and has stood up to regulatory scrutiny from the OCR, OCC, FDIC, FINRA and many others.

Specific regulatory risk assessment reports are automatically generated by our assessment tools where applicable. NIST CSF and HIPAA-specific reports are available through a simple click of a button.

The credibility of our assessments only gets better through feedback we receive from our community of partners and users like you.

Reason #4 – Unparalleled Insight

Breaking security down into its fundamental components makes everything objective and clear, especially for business leaders. All criteria used for assessing and managing risk are objective, meaning they are black or white. Cybersecurity fundamentals are common across all businesses, which makes the SecurityStudio platform a perfect solution for establishing a solid cybersecurity foundation for your business.

Additional insight comes from the way SecurityStudio is architected, and from our innovative approach to common problems. The architecture features insightful dashboards with full drill-down capabilities, and our newest innovation is S2Team/S2Me. The S2Team/S2Me tool combination provides CISOs and business leaders with unparalleled insight into true employee behaviors by assessing them at home.

Contact SecurityStudio for more information about S2Team/S2Me; we’d love to tell you more about them!

Reason #5 – Simple Vendor Risk Management

Arguably, most breaches occur through vendor relationships. Organizations have no choice but to assess vendor risk, but that doesn’t mean it needs to be disruptive to your business. Based upon SecurityStudio’s research, very few organizations get vendor risk management correct; they either over-complicate the entire process, take shortcuts, or attempt to manage workflows manually.

SecurityStudio makes vendor risk management as simple and efficient as possible, without taking shortcuts.

Here’s how easy it gets.

  • If a vendor already has an S2Score in SecurityStudio, they start by sharing their score. That’s it.
  • If a vendor doesn’t have an S2Score in SecurityStudio, they’ll automatically get one when they’re assessed by anyone who uses the platform.

There are only four simple steps to vendor risk management with S2Vendor: inventory, classify, assess, and manage.

Reason #6 – Vetted Partners

SecurityStudio has built a network of cybersecurity experts who are specifically trained to use our platform to serve their customers.

Some people want help, others don’t. SecurityStudio users are empowered to accept help from a qualified and vetted cybersecurity expert, but only if they want or need it. Our network of cybersecurity experts is vetted and held to the highest standards. SecurityStudio partners are qualified to:

  • Assist in using all SecurityStudio tools.
  • Conduct assessments.
  • Consult on road mapping and remediation planning.
  • Provide product recommendations.

SecurityStudio users can choose a preferred partner with a simple button click within the platform. Get cybersecurity help you can trust with SecurityStudio.

Reason #7 – It’s Convenient

SecurityStudio is an online platform, allowing you to easily collaborate with other people, regardless of location. The convenience of the platform is given to you without compromising security. You are always in control.

Bonus – Did We Mention It’s Free?

Yes! SecurityStudio is free, and there’s no catch. There’s no excuse for cybersecurity ignorance. Give it a try. Do it now.

Visit SecurityStudio online and click “Sign up for free” on the home page.


Or visit directly to create your account.

