Why Our Services
1. Expertise at a Fraction of the Cost:
By leveraging our vCISO services, you can access high-level cybersecurity expertise without the financial commitment of hiring a full-time Chief Information Security Officer (CISO) or their team. For comparison, the average total compensation of an in-house CISO working in the U.S. (base salary plus annual target bonus and annual equity value) is $550,000, with a median of $388,000 (IANS 2023).
2. Tailored Solutions for Your Business:
We provide customized security solutions tailored to your unique needs and risks, bringing extensive experience in developing, implementing, and managing security programs specific to your industry and objectives.
3. Immediate Availability:
Our services are available immediately. Recruiting an in-house CISO can take months or longer; we can be onboarded quickly to address pressing security concerns.
4. Multi-Faceted Skill Set:
We have extensive knowledge across cybersecurity, risk management, compliance, and technology. We bridge the gap between technical teams and management, ensuring that security aligns with overall business goals.
5. Scalable Services:
You can scale our services up or down as your security requirements evolve. This flexibility is particularly valuable for startups and small to mid-sized businesses experiencing growth.
6. Industry Knowledge:
We have experience working across diverse industries. That breadth brings fresh perspectives and proven practices to the emerging threats and challenges in your specific sector.
7. Cost-Efficient Security Management:
By outsourcing the vCISO role, you save on the costs associated with full-time employees, including salaries, benefits, training, and overhead.
8. Risk Mitigation:
The cost of a data breach can be astronomical. Engaging us helps mitigate the risk of data breaches, regulatory fines, and reputational damage. This protection is especially valuable in industries where data privacy and regulatory compliance are paramount.
9. Vendor-Neutral Advice:
We bring an unbiased perspective when evaluating and recommending cybersecurity solutions. We offer vendor-neutral advice and guide you in choosing the best technologies for your unique needs.
10. Compliance Assurance:
For businesses dealing with complex regulatory requirements (HIPAA, GDPR, FERPA, PCI DSS, etc.), we help maintain compliance and navigate evolving regulations, ensuring that security measures stay up to date and aligned with legal standards.
11. Focus on Business Growth:
By outsourcing cybersecurity leadership to a vCISO service such as ours, business leaders can concentrate on strategic growth initiatives rather than being overwhelmed by day-to-day security management.
12. Cybersecurity Strategy:
We work with you to develop a comprehensive cybersecurity strategy that not only protects against threats but also aligns with broader business goals.
We think these are compelling reasons that highlight the benefits of vCISO services: cost-efficiency, specialized expertise, scalability, and the ability to stay ahead of emerging threats and regulatory changes. Coupled with the substantial savings compared to hiring full-time in-house security professionals, who are often difficult to find with the right experience, our services offer a practical solution for businesses seeking robust cybersecurity leadership.
Third-party and fourth-party risk are becoming increasingly important, particularly if investors expect the company to be acquired. Well before due diligence begins, the security program needs to be evaluated and matured so that security does not become the critical path to a transaction. Our goal, then, is to make the internet a better place to live, work and raise a family.
vCISO
Services offered as part of our Guardian tier. Cancel anytime.
- Customer and partner questionnaire support (Vendor Risk Assessments)
- Annual information security training
- Annual business continuity table-top exercise
- External monthly vulnerability assessments (up to 10 targets)
- Internal monthly vulnerability assessments (up to 4,000 targets)
- Vulnerability Management Program
- Annual qualitative information security risk assessment
- Annual SOC 2 or similar audit support
- Compliance with regulations and standards such as NIST CSF, FedRAMP, FISMA, PCI DSS, or HITRUST
- Annual IT security assessment
- Chairing a quarterly governance committee
- Third-party critical vendor reviews
- Managed KnowBe4 Training Services (license fee extra)
- GRC services
- Information security program creation and management
Technical Services
- GRC services
- Managed KnowBe4 Training Services (license fee extra)
- Network Vulnerability Assessments - External and basic web application scans
- Network Vulnerability Assessments - Internal
- Security Training Program - Employees (Managed KnowBe4 Training Services)
Full Cybersecurity Assessments - On Site by request
Does your firewall ruleset make sense? Are your other IT controls maximized for protection? Our experienced virtual CISOs and security professionals provide an independent review to verify IT controls or recommend changes, all without impeding business operations.
The focus of our Security Assessments is to be practical and helpful to our clients. In most cases, we come onsite for 3-5 days to assess a company's current cybersecurity setup. We start with a phone call to go over the process and gather the relevant information about the company and its policies. During our on-site or remote visit, we assess the entire environment, including internal scans, talking with IT, and learning the culture of the business.
About 2 to 3 weeks after the assessment, we send a report including an executive summary, risk matrix, roadmap and detailed findings on ways to improve your cybersecurity. OPSG will provide you with a complete risk breakdown that can be used as an easy-to-follow security roadmap.
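The firewall ruleset question above is the kind of check an independent review automates. The following is an added example written for this page, not OPSG's assessment tooling: it reads a constructed, simplified first-match ruleset (an assumed "ACTION PROTO SRC_CIDR DST_CIDR LOW-HIGH" line format, not any vendor's syntax) and flags three findings a reviewer looks for: an any/any accept, administrative ports accepted from any source, and rules shadowed by a broader rule above them, which in the sample includes the final default-deny.

```python
"""Review a first-match firewall ruleset for common control-review findings.

Added illustration, not OPSG's tooling. The rule format is an assumed,
simplified one ("ACTION PROTO SRC_CIDR DST_CIDR LOW-HIGH", evaluated top to
bottom, first match wins, IPv4 only); the ruleset at the bottom is constructed.
"""
import ipaddress

# Ports that should not be accepted from arbitrary Internet sources.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 445: "smb", 5985: "winrm", 3306: "mysql"}


def parse_rule(line):
    """Turn 'ACCEPT tcp 0.0.0.0/0 203.0.113.10/32 443-443' into a dict."""
    action, proto, src, dst, ports = line.split()
    low, high = (int(p) for p in ports.split("-"))
    return {
        "action": action.upper(),
        "proto": proto.lower(),
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "ports": (low, high),
        "text": line,
    }


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`,
    so `narrow` can never be reached when `broad` sits above it."""
    proto_ok = broad["proto"] == "any" or broad["proto"] == narrow["proto"]
    return (
        proto_ok
        and narrow["src"].subnet_of(broad["src"])
        and narrow["dst"].subnet_of(broad["dst"])
        and broad["ports"][0] <= narrow["ports"][0]
        and narrow["ports"][1] <= broad["ports"][1]
    )


def review(lines):
    """Return (finding, rule_index, detail) tuples in ruleset order."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    for i, rule in enumerate(rules):
        from_anywhere = rule["src"].prefixlen == 0
        low, high = rule["ports"]
        if (rule["action"] == "ACCEPT" and from_anywhere
                and rule["dst"].prefixlen == 0 and (low, high) == (0, 65535)):
            findings.append(("any-any-accept", i, rule["text"]))
        elif rule["action"] == "ACCEPT" and from_anywhere:
            # Admin services reachable from any source address.
            exposed = [f"{name} ({port})" for port, name in ADMIN_PORTS.items() if low <= port <= high]
            if exposed:
                findings.append(("admin-port-exposed", i, f"{rule['text']} exposes {', '.join(exposed)}"))
        # Shadowing: an earlier rule already decides every packet this one would match.
        for j in range(i):
            if covers(rules[j], rule):
                findings.append(("shadowed", i,
                                 f"{rule['text']} is never reached; covered by rule {j}: {rules[j]['text']}"))
                break
    return findings


# Constructed sample ruleset (not taken from any real device).
RULESET = """
# action proto src dst dport-range
ACCEPT tcp 0.0.0.0/0 203.0.113.10/32 443-443
ACCEPT tcp 0.0.0.0/0 203.0.113.10/32 22-22
ACCEPT tcp 10.0.0.0/8 10.0.0.0/8 0-65535
ACCEPT tcp 10.1.2.0/24 10.3.0.5/32 3306-3306
ACCEPT any 0.0.0.0/0 0.0.0.0/0 0-65535
DROP any 0.0.0.0/0 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    for kind, index, detail in review(RULESET.splitlines()):
        print(f"[{kind}] rule {index}: {detail}")
```

Run it as a script to print the four findings. On a real review the parser is the part that changes per vendor; the shadowing test (every field of the later rule contained in an earlier one) carries over unchanged, and it is the check that catches a default-deny that has silently become dead.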
OPSG will provide the plan needed to implement effective cybersecurity customized for your business across these key domains:
- Technology vs Solutions
- People, Process, Technology
- Prevention (Firewalls and IPS)
- Detection (IPS, SIEM)
- Incident Response
- Documentation
- Documentation BCP/DRP
- Awareness
- Threat Hunting
- Offensive Countermeasures
- Encryption
- Key Questions
Personal CyberSecurity for individuals - Tradecraft
This course is designed to address the fundamental digital-security concerns of journalists, concerned citizens, activists, whistleblowers, missionaries, corporate executives and liberty lovers in general. Whether the threat is hackers, governments, criminals or espionage, our privacy is in serious jeopardy.
You will learn to secure your devices and communications in the following ways:
- Properly employ symmetric and asymmetric encryption
- Create and safely store strong passwords
- Guard against common criminal and state-level intrusion techniques
- Recognize unsafe software you are using now and explore safe replacements
- Surf the web anonymously
- Explore the deep web
- Transfer files safely
- Communicate securely and privately
- Understand and deal with malicious firmware
- Crypto-currencies
- Properly employ "burner" phones
This course is meant to take the uncertainty and guesswork out of digital security, give you a fundamental base of knowledge to grow from and get you up and running with the highest levels of security available TODAY.
Compliance & Audit Readiness
We help our clients build roadmaps for certification attainment based on business goals. We understand what auditors look for, and we help manage the process by providing the following strategic leadership.
Because we specialize in serving startups and small to mid-sized businesses, we have extensive experience helping customers just like you with ISO 27001 readiness, SOC 2 readiness, HIPAA compliance, GDPR compliance, and more.
We're here to help with:
- Gap analysis & audit roadmap
- Build policies, procedures, and controls
- Assess overlap with other audits
- Advocate for the client on any 'audit pushback'
- Oversee audit readiness
- Act as the liaison with auditors
- Build future audit roadmap
- Provide evidence in proper 'audit language'

HIPAA
Demonstrate you have the required safeguards in place to protect patient data. Does your organization store, process, transmit, maintain, or otherwise touch protected health information? Old Pueblo's HIPAA compliance platform can help you achieve HIPAA compliance from readiness to report by leveraging our years of experience in the healthcare assessment space.
Let us assist you through all phases of your HIPAA compliance, from reviewing the safeguards you have in place to validating your compliance within those safeguards.

HITRUST
Demonstrate your commitment to compliance and give your customers confidence with HITRUST certification. Old Pueblo knows HITRUST certification better than anyone: we have been through the process as customers ourselves, as security professionals on staff leading top companies in their industry vertical.
Who Typically Needs HITRUST Certification?
Organizations that must adhere to standards and regulations such as NIST, HIPAA, FTC rules, PCI, COBIT, the Red Flags Rule, and ISO standards can use the HITRUST CSF to consolidate those requirements. If your business creates, accesses, stores, or exchanges personal medical information, certification is frequently a customer or partner requirement.
More specifically, healthcare providers such as hospitals, clinics, and private practices use this certification to demonstrate compliance with regulations like HIPAA. Health insurance companies also rely on HITRUST to safeguard policyholder data. Additionally, pharmaceutical firms managing clinical trials and patient data can benefit from this certification to maintain data integrity and confidentiality.
Beyond healthcare, HITRUST is increasingly relevant for third-party vendors and business associates who provide services to medical organizations. This includes cloud service providers, data storage companies, and even legal firms that may have access to sensitive health information. Financial institutions dealing with healthcare accounts, like Health Savings Accounts (HSAs), may also need it.
Security Assessment Questionnaires
Security Assessment Questionnaires (SAQs) are resource-intensive, time-sensitive, and absolutely critical to growth.
Securing these contracts and partnerships directly impacts scalability and market share, but poor security controls and inadequate processes can compromise these opportunities.
- Complete the SAQ and write answers that can be reused in subsequent SAQs
- Ensure policies, procedures, and controls are created or refined to expedite future assessments, and provide a Security Program Overview document
- Quickly remediate risk areas to score higher on the questionnaire
- Affirm the questionnaire is completed in proper security terminology
- Act as security liaison with the prospective client or partner, advocating on the company's behalf
- Act as your CISO (which is oftentimes a requirement of the client or partner)
Get in Touch
How can we serve?