The Challenge:
With three locations and four distinct lines of business that each have specific regulatory requirements, this 60-employee, San Francisco Bay Area-based wealth management firm has technology needs more complex than many larger organizations. That’s why they have trusted Xantrion’s Managed Security service to safeguard their infrastructure for several years. However, they also wanted a third party to evaluate their security posture, identify any potential risks, and suggest ways to improve alignment with the SEC’s cybersecurity recommendations.
“Protecting our clients’, employees’ and the firm’s proprietary information is very important to our company,” the COO and Chief Compliance Officer explained. “Annual penetration testing is one more way for us to be proactive about identifying potential risks to the security of this sensitive information.”
The Solution:
The COO asked the firm’s dedicated Xantrion engineer, who serves as its virtual CIO (vCIO), to help perform due diligence on penetration testing vendors. The vCIO also participated in the chosen vendor’s security assessment questionnaire, providing the technical information necessary to enable the testing, and was on-site with another Xantrion technician the day of the actual testing to answer any vendor questions. Finally, the vCIO reviewed the vendor’s assessment report and attended the vendor’s post-testing meeting with a list of suggestions for addressing weaknesses already in hand.
“Xantrion was a true partner from beginning to end of the process, ensuring that we asked all the right questions and got all the right answers,” the COO said. “They also follow up with us regularly on how improvements to our security are progressing, and they’ve already addressed most of the changes the vendor suggested.”
The Outcome:
The third-party vendor said the firm’s security posture was unusually strong for a company of its size. Although the penetration testing pinpointed a few patching issues and configuration weaknesses, it found nothing urgent. In fact, the COO said the firm received ratings of average or above average on all the vendor’s measures of security.
“The [penetration tester] told us that he rarely sees companies with security controls in place that manage them correctly. It’s [also] unusual for him to see a managed service provider that acts like a member of the team the way Xantrion does. It definitely confirmed for us that Xantrion is taking the right approach to managing our security, from planning and execution to providing cybersecurity training to our employees.”