
March 20, 2017 Issue



Cyber Security and Information Management Platform Manages Workflows and Implements Assessment and Training Tools to Bring the Entire Organization into Compliance



Grant Elliott

Founder & Chief Executive Officer




Interview conducted by:

Lynn Fosse, Senior Editor, CEOCFO Magazine, Published – March 20, 2017


CEOCFO: Mr. Elliott, what is the focus for Ostendio today?

Mr. Elliott: Our premise is that we want to make it very simple for any organization to easily manage their cyber security and information management process. Today there is a great deal of focus on breaches; anything from ransomware to data loss and hacking. Therefore, many organizations get confused and overwhelmed by the amount of work that they have to do to not only build out a cyber security and information management program, but to manage it as well. We have simplified the front end and have made it very easy for them to get every single person in the organization involved. We drive security from the employee perspective and make sure that every single person in their organization is involved in the process, rather than just depending on a security team.


CEOCFO: How do you do that?

Mr. Elliott: We have a SaaS-platform that they roll out to their entire organization. That platform not only manages all of the workflow elements of running and maintaining a cyber security and information management program, everything from the simple assessments to document management and the distributing of policies & procedures; getting employees to not only read, but electronically sign off that they understand and comprehend the documents; as well as a training & assessment program; asset tracking and inventory management. These are the various tools and workflows that are required. Depending on the particular standards and regulations you are looking to follow, we create a capability to build those workflows for each individual within the organization and then hold them accountable. The way we do this is we give every single person within the organization their own individual compliance score, so that not only does each person know exactly what their score is, but more importantly, we then benchmark them against the entire organization. This allows them to see whether they are above average or below average in their personal contribution, so people will know whether they are contributing to or working against the cyber security posture of the organization as a whole.


CEOCFO: Where are some of the areas that people are ignoring?

Mr. Elliott: We feel that many organizations look at cyber security as an IT process and will often go out and spend a great deal of money on very sophisticated IT solutions, such as encryption capabilities, perimeter security tools, and network monitoring capabilities within their organization. However, they forget that the most vulnerable part within their organization is people. Lots of breaches occur because someone downloads information on a laptop and it gets stolen from a car, or they copy information onto a thumb drive that then gets lost, or they simply just misconfigure something and make it publicly available.


As an analogy, it does not matter how expensive your house alarm is if you have not locked your windows and doors, because the alarm will do you no good. What we help those organizations do is focus on the basics and implement a robust information security charter, so that they understand that as an organization they are committed to building and operating within a cyber security framework. Then, making sure block-to-block, piece-to-piece they are building a focused program, and making sure they have clear policies and procedures for how they classify data, how they track and manage where data is, and the same for what their objectives are in terms of their ability to protect it. Once they have done all of that it becomes easier to then understand what the solution should look like.


CEOCFO: Once you show people what they should be doing, how do you help them be compliant?

Mr. Elliott: One of the biggest mistakes I hear when I speak with organizations when it comes to security is about training. First of all, they define security training too narrowly. People associate training as the classroom or going through some sort of assessment process. However, training needs to be viewed differently. You need to see every interaction you have with an individual as an opportunity to educate and train them. Therefore, it does not have to be physical classroom training, and organizations do not do that often enough. They typically do annual training and make people sit through two or three hours at a time and touch on certain key points. However, when you are working day-to-day you are not necessarily going to remember what you were taught six months ago. The reason organizations do it that way is because it is hard to coordinate any more than that, it is hard to communicate with people on a regular basis or do training on a regular basis. Because we simplify this process, we make sure our platform is touching the individual every single day. They are communicating not just a task, but the activities. We are making sure that they have been trained or educated on a regular basis, which keeps things fresh in their minds.


The second thing we do is get people to sign off on this. There are electronic documents which they have to sign saying they will do what they are supposed to do. This raises the stakes by having people legally acknowledge that they are going to do certain things. This combined with the proper training means they cannot plead ignorance. For example, if the company says that employees are not allowed to use a mobile device and will lose their job for doing so, and they sign off on that policy, then they are less likely to use a mobile device.


The third aspect is identification. People want to do the right thing, and by scoring and benchmarking them against the organization, it allows the HR department to reward good behavior and use it as an example of good behavior. People that are performing well within the platform can be given incentives and recognized by the company. Our platform communicates regularly with people. You do not want our software sending you an email saying that you are below average, because then not only are you not feeling good about yourself, but you know that the company is not happy with you either.


The last thing is at the executive or management level, since they now have the visibility to see how people are performing on a routine and regular basis. Therefore, when they start to see a particular department or a particular area where things are not going the way they should be, then they can take action. That may mean additional education or additional training, explanation or communication. By having that visibility and being able to see it in real-time, management can know what is going on in the organization at all times, and take action immediately.


CEOCFO: Would you tell us about some of your specific solutions and who is using them?

Mr. Elliott: The platform is called MyVCM. We have different levels of the product. We have our basic Select product, we have a Premium version and an Enterprise version. The platform has multiple modules and at the moment if you subscribe to the platform you have access to them all. There is an assessment module that allows you to conduct a High Level Risk Assessment and at the moment we also have a partnership with Intel, which also allows you to do Intel security breach assessments within the platform.


There is a very robust document management system as described before, which allows you to track, manage, store, distribute and receive electronic acknowledgements and documents. The module also maintains all versions of those documents and tracks all approvals and any changes that have been made. There is a training and assessment module, so you can distribute training content of any type, not just security, and conduct assessments on the training. You can run training programs and courses, send the training out either directly through the platform or linked to your existing Learning Management System.

There is also a ticket management system, which is predominantly used for Incident Management and Response, but we have other components that it can be used for as well, such as managing exceptions and change management.


There is an Asset and Audit management process, so you can upload all of your asset information within the platform, track your assets, when you bought them, how much you paid for them, but more importantly, all of the routine audits that need to be conducted. For example, if it is a server, you may have to do operating system updates or data access audits. Any task you need to conduct against that asset, you can create multiple audits against it. This applies to portable assets too such as laptops and mobile devices. You can also classify the risk of each asset.


Then there is a whole vendor management component, where you can upload all of your organizations, whether they be customers, vendors or partners. You can not only track and manage what people do, but also conduct vendor access audits on an ongoing basis for those organizations as well. We also have what we call our Trust Network Vendor Connect program. What that means is that if you use our platform in an organization and one of your partners or customers use our platform as well, you can actually link your platform with their platform and share information. Therefore, if you have a vendor using our platform, you can actually require that vendor to send you specific information about their security program. Some of our hospital clients use that to manage their vendors.


CEOCFO: Do you work strictly in the healthcare arena?

Mr. Elliott: No, we do have customers outside of healthcare. We started in healthcare predominantly because of all of the issues they experience. As an industry, it was crying out for this type of solution. I spent eight years as the COO and Chief Information Security Officer of Voxiva, but we already have other customers in other segments. The platform is regulation and standard agnostic, so we have customers in the legal profession, IT industry, and a number of different areas. Any industry that has a strongly dispersed ecosystem, with a high number of vendors, such as finance, retail or aerospace, are all applicable to our platform.


CEOCFO: What are some of the newer features as you do add features on an on-going basis?

Mr. Elliott: We typically have a major release every quarter and some minor releases each month. Some of those were enhancing our single sign-on and API access for enterprise customers to be able to do auto positioning of users. Our next big release is enhancing the audit and asset management piece, elevating it to an inventory management solution, so that any organization can at a glance look at what access they stored in any of their assets. That will help to simplify the process. We are also in the process of enhancing the ability to support various audit types, so if you are going through a SOC 2, Type 2 audit or a HITRUST assessment, you have the ability within the platform to assign and allocate all of the data within the platform, mark it to specific controls, and then put that in a project bucket specific to that audit, so that your audits are going into evidence in one place.


CEOCFO: What is next for Ostendio?

Mr. Elliott: The next big thing for us apart from continuing to improve our platform is to build our partner network. As I mentioned, we have already developed a partnership with Intel, and we have a number of other partnerships that we are developing. We really believe organizations that operate in this field, for example information security companies and CPAs, basically any organization that is involved in helping their customers improve their security profile - can become a good partner, because we as a platform make their job easier. Therefore, building out our indirect channels and alliance partners will be our next big area of growth. We are also working and talking to a number of cyber security insurance companies so that we are looking at some point to actually bundle cyber liability insurance into the platform, so we are looking at organizations to do that as well.


“Our premise is that we want to make it very simple for any organization to easily manage their cyber security and information management process.” - Grant Elliott





Niamh Bennett

877 668 5658







Any reproduction or further distribution of this article without the express written consent of is prohibited.


