OSHEAN’s Security Practice 

OSHEAN’s Cybersecurity Perspective: From GRC to Technical Controls  

Cybersecurity is a foundational element in protecting organizational assets, ensuring regulatory compliance, and supporting operational resilience. OSHEAN’s strategy emphasizes a comprehensive approach that starts with Governance, Risk, and Compliance (GRC) and culminates in technology solutions (technical controls).

Given our heritage in networks, our security services model has evolved over the years from network-level technology (e.g. DDoS protection, DNS filtering, firewalls) and has built up toward application protection over time. We are now adding non-deployment services to help our members with education and compliance. As with most of our services, we usually start by using a product or service internally as part of our enterprise program and then, if appropriate, offer it to members with the added benefits of our buying power, expertise, and even network integration.

Governance, Risk, and Compliance (GRC) 

A strong GRC framework sets the foundation for an effective cybersecurity strategy by aligning security with business goals, managing risk, and ensuring regulatory compliance. Effective governance requires establishing a Cybersecurity Governance Board or Steering Committee with executive sponsorship, clearly defined roles and responsibilities, and enforcement of security policies and procedures aligned with industry best practices. Additionally, fostering a culture of security awareness across the organization ensures that cybersecurity remains a priority at all levels.

Risk management is essential for identifying and mitigating potential threats. Implementing a risk assessment framework such as NIST RMF or ISO 27005 helps organizations systematically evaluate cyber risks. Regular threat modeling, a clearly defined risk appetite, documented risk treatment, and a third-party risk management program are all crucial to mitigating security risks. Compliance is another critical aspect, ensuring adherence to regulations and standards such as GDPR, CCPA, HIPAA, PCI-DSS, and ISO 27001. Regular audits or assessments, a compliance tracking system, and engagement with regulatory bodies help organizations meet evolving security mandates.

OSHEAN uses a GRC platform to monitor and manage the maturity of our cybersecurity program. The organization has adopted the Center for Internet Security (CIS) Version 8.1 framework as our primary model. Additionally, OSHEAN uses CIS V8.1 as the foundation for cross-walking to the AICPA SOC 2 framework, enhancing our overall security posture. The GRC platform serves as a central tool for tracking progress, measuring compliance, and generating reports on cybersecurity initiatives. Organizational and third-party risks are managed and monitored within the platform as well, further ensuring alignment with the requirements of the frameworks. This is an example of a non-deployment service that, drawing on our own experience, we will offer to members going forward.

Technology & Innovation 

As with all our technology implementations, OSHEAN is always on the hunt for the best cybersecurity solutions to protect our own network and data. Our process starts with rigorous evaluation: reviewing the latest security technologies in our own environment to ensure effectiveness, scalability, and ease of integration.

In the early years of the rising threat of cyberattacks, unauthorized access, and large-scale cyber disruptions, we took a proactive approach to security. We implemented Cisco Duo for Multi-Factor Authentication (MFA) to safeguard user access, deployed Cisco Umbrella DNS protection to block malicious sites before they could become a problem, and integrated a robust DDoS protection suite to defend against volumetric attacks that could disrupt network availability. Additionally, we implemented edge security by deploying Fortinet firewalls, delivering next-generation firewall capabilities for advanced traffic inspection, segmentation, and threat prevention. These services are the foundation of our current security offerings to members.

Through real-world testing, OSHEAN’s cybersecurity team has fine-tuned these tools, ensuring they work seamlessly with existing infrastructure while providing comprehensive protection against evolving threats. Once proven internally, OSHEAN saw an opportunity to extend these defenses to our member organizations. Using our firsthand experience and expertise, we developed tailored deployment strategies, ensuring that organizations of all sizes could benefit from the same level of security. Through this approach, OSHEAN not only strengthened its own defenses but also equipped our members with effective cybersecurity solutions, keeping networks secure, data protected, and threats at bay.

Managed and Hosted Firewall services, powered by Fortinet VDOM technology, deliver dependable security for well over 100 OSHEAN members. Cisco Umbrella DNS protection adds an extra layer of defense by blocking malicious domains before threats reach member networks. Multi-Factor Authentication (MFA) with Cisco Duo ensures secure access, verifying user identities and reducing the risk of unauthorized logins for our members. Our SecureWorks vulnerability scanning (VDR) service provides members with a comprehensive visibility tool at a very attractive price point. Our cybersecurity team continues to provide updates on the latest risks, firewall upgrades for the latest protections, and integrity measure suggestions to keep member environments secure.

Technology plays a crucial role in securing the network by implementing multiple layers of defense to protect against evolving threats. Combined with proactive monitoring and automated threat response, these technologies work together to create a resilient and secure network environment for OSHEAN and our member organizations.  

A comprehensive cybersecurity strategy, starting with GRC and ending with technology, ensures a resilient and adaptive security posture. Organizations must continuously evolve their cybersecurity practices to combat emerging threats, comply with regulatory changes, and safeguard their digital ecosystem. We must also consider emerging technologies to stay ahead of future threats. Quantum-resistant cryptography, artificial intelligence, secure 5G and IoT frameworks, and blockchain for identity management represent key innovations that will shape the cybersecurity landscape in the coming years. OSHEAN strives to stay on top of these emerging technologies for internal use and to share the knowledge and expertise with our member community.