May 18, 2022 | Payroll Technology
Evolve and Adapt: Navigating the Ever-Changing Security Landscape
As a 100% employee-owned company, Wise Consulting prioritizes serving and protecting our clients above all else. In this very digital era, we believe this includes achieving and maintaining a high level of cybersecurity. We also understand that many companies are looking to increase cybersecurity awareness, which is why we would like to share what we have learned in our journey to becoming an adaptive organization for cybersecurity practices. We interviewed our Director of Operations and Security, Tom DeStefano, regarding the choice to adopt NIST CSF and what it has meant for our organization.
Increasing Security Measures
As a company that has supported remote worker capability since its inception 26 years ago, Wise has long been aware of the ever-growing cybersecurity threat. In recent years we have responded to this threat by selecting a partner organization to assist us with the ever-changing landscape. Wise selected Choice Cybersecurity to help us understand the next steps to improve our culture of security. After several discussions with Choice’s CEO Steve Rutkovitz, we understood the need to adopt the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). “The NIST CSF is a cybersecurity standard with a set of guidelines and best practices that help companies manage their cybersecurity risks,” explains Rutkovitz. “It’s a voluntary self-assessment that allows companies to implement a structured program to mitigate their cybersecurity risk.”
Developed by the National Institute of Standards and Technology, the NIST CSF is a widely used and accepted cybersecurity standard in the U.S. “It helps any organization understand and reduce cybersecurity risks. It gives a description of activities that can be followed and informative references that really solidify the activities within the Framework,” says DeStefano. “The great thing about it is that any company can complete the work to adopt it.”
Based on the level of accountability the NIST CSF brings, pursuing the framework was a no-brainer. “You can’t solve cybersecurity risks with a pinpoint solution. You need to create a culture of security and compliance, and the NIST CSF has a balance of technology and policies to meet the company’s overall needs,” says Rutkovitz. Starting with an initial risk assessment, Wise has been working closely with Choice Cybersecurity to ensure that the proper policies and procedures are in place. “The technology and cybersecurity spaces are ever-changing. It can be extremely difficult to keep up, but we have to be adaptive and continue to evolve,” says DeStefano. “It’s great having a partner like Choice Cybersecurity. We can go to them with issues or questions, and they are able to advise us on what needs to be changed.”
Baking Cybersecurity Into Company Culture
Prioritizing our focus on cybersecurity means being transparent with every employee-owner at Wise about why this is important and what they can do to support the effort. Our goals are ambitious: “Within the NIST CSF framework there are 5 functions, 23 categories, 108 subcategories, and 4 different tiers that define our company characteristics,” explains DeStefano. “We have achieved Tier 4 (which is the highest tier) for all 108 subcategories in the NIST CSF. That means that we’re an organization that integrates and communicates security into risk decisions across the board from executives to consultants. We are in a state of continual implementation and improvement of our practices.”
Not only does Tier 4 reflect the commitment to security Wise employee-owners have made, it shows how the company is able to adapt to the mercurial nature of the digital age. “We’re what we call an adaptive tier: as issues arise, as new internal policies or external standards come into place, we can adapt based on what needs to be done and what is best for Wise,” explains DeStefano.
NIST CSF and the Ever-Changing Cyber World
Although DeStefano and his team have adopted impressive cybersecurity measures, their work is far from over. “This is a space that needs continuous improvement,” he says. “The bad guys don’t stop, so neither can we. Identify, protect, detect, respond, recover–those are the functions in the Framework, and we constantly discuss improvements.”
Even though the core actions are repetitive, the NIST CSF requires continual adaptation. “The great thing about the Framework is that we can adapt based on the needs of our business, our partners, and our clients,” says DeStefano. “It moves along with the security requirements of technological change, so as our company evolves, we can simultaneously evolve our methods of maintaining compliance within the NIST Framework.”
The Passion Behind Protecting Data
While the NIST CSF has provided Wise’s internal team with an added layer of security and compliance, the buck doesn’t stop there. “Having the NIST CSF controls in place allows the company to have the proper layers of technology, policies, procedures, and training. By implementing the NIST CSF framework, everyone in the company will know the best ways to protect the company and how to react if there is a breach,” states Rutkovitz. Maintaining the Framework demonstrates that Wise employee-owners take security measures seriously–something that is important to partners, vendors and clients. “Our clients can look at our website and review our compliance badge and know that they’re in good hands. It shows that we follow a very rigorous, standardized, and thorough approach to cybersecurity,” says DeStefano. “We take this matter very seriously by investing not only in ourselves and our internal structure but also investing in an outside organization like Choice Cybersecurity to work with us and make sure that year over year we continue to maintain our compliance.”
As human capital management and payroll compliance experts, maintaining compliance is something that is of extreme importance to every employee-owner at Wise, especially concerning the handling of sensitive data. “Our philosophy with client data protection is that all client data is sensitive and should be guarded as if it were your own. That’s always been the mantra across Wise,” says DeStefano. While the NIST CSF allows additional measures of security assessments, it does not replace standard practices. “Our employee-owner consultants are so good at what they do, and they’re always extremely careful when they’re dealing with client information on a day-to-day basis. We only collect what we need to do the task at hand, and when a project is over, we return data and remove what is no longer needed,” explains DeStefano.
This level of employee awareness is something that DeStefano and his team take pride in. “We implemented an internal Cybersecurity Awareness Champions program and over 70% of Wise employee-owners completed voluntary training above and beyond our annual required training,” he reports. “I think that says a lot about the dedication and pride our employee-owners here at Wise have about cybersecurity.”
Far-Reaching Benefits of the NIST CSF
The diplomacy of the NIST CSF extends far beyond the internal policies implemented at Wise. It fosters an environment that enables Wise to be a leader in the security space. “The NIST CSF creates a common language that puts us in a position where we can discuss policies and practices with our counterparts at other organizations,” explains DeStefano. “I believe adopting the Framework was an obligation to our partners, UKG and Ceridian, to not only show that we can be a trusted partner, but to really prove that as well. They can clearly understand that we are committed to security and compliance when they see that we have adopted and are upholding the Framework.”
While not mandatory by law, the NIST CSF and other security measures are becoming more and more popular as organizations of various sizes and industries look to establish their credibility in security and compliance. “We’ve found that clients are engaging a lot more in that space as well,” says DeStefano. “They’re coming to the table and asking more questions and requesting completed assessments before signing contracts. The NIST CSF allows us to give them peace of mind.”
However, engaging in a contract is a two-way street, and DeStefano and his team have been able to make accurate assessments of potential partners’ abilities to conform to necessary security measures thanks to what they’ve learned from the NIST assessment process. “Having this level of standards allows us to decide how we engage with potential partners in regard to security risks,” explains DeStefano. Having the knowledge of when to enact increased measures has allowed DeStefano and his team to provide a safer environment for employee-owners and clients alike.
When You’re With Wise, You’re In Good Hands
Trusting an outside party with extremely sensitive data can feel risky. However, as companies of all sizes navigate the Great Resignation and the high turnover rates that come with it, many are recognizing the need to outsource processes such as payroll and other HR functions. Taking the leap to turn over those processes and the data is not a decision to be taken lightly. It’s important to select an established partner that has adopted high levels of security practices so that you can rest assured your company’s data will be safe. At Wise, our experienced consultants and committed Security and Compliance Team work hand-in-hand to ensure that all processes are completed accurately and securely. To learn more about our services and our credentials, contact a consultant today!