VST Service FAQs

Is there an acronym you use to refer to Virtual Security Team?


We call the Virtual Security Team service “VST”.

Why choose a 3-month VST instead of a 12-month VST?

The longer timeframe of the 12-month Virtual Security Team allows greater team engagement and Loptr can provide more implementation support. 3-month Virtual Security Team clients must be prepared to take over the security program quickly – Loptr will get you started but you’ll have to keep the momentum going.

Most organizations that lean towards the 3-month Virtual Security Team have no or little budget for a security program. The shorter engagement can build a case for appropriate program funding later. Some hope to run the security program in-house – that’s okay with us but, if your security team has full-time jobs already, it won’t be easy (for them). Some organizations re-purpose a penetration testing or risk assessment budget to a 3-month (or 12-month) Virtual Security Team.

Why VST instead of just a penetration test or vulnerability scan?

We created Virtual Security Team as a better alternative so, not surprisingly, we think this is a great idea. This goes for just about any variation of information security assessment if you do not have very good reasons to think that you already have a decent program. If you already know you have problems, why pay someone to agree with you?

Loptr’s Virtual Security Team builds a functional information security program – with a technical review and risk analysis included. The technical review includes a vulnerability scan and it checks firewalls, anti-virus, and patching deeper than scans or penetration testing.

Does VST help with compliance?


Many Virtual Security Team clients need to comply with the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DDS). We designed Virtual Security Team to address PCI DSS and HIPAA security requirements – and more regulations and standards (like ISO 27001, TSP 100/SOC 2, NIST 800-53, and state breach disclosure laws).

Our philosophy on compliance is to focus on good security practices in a way that makes it easy to show compliance. You’ll see this in subtle ways throughout Virtual Security Team. We cross-reference policy statements and procedures, for example, and our risk analysis maps to controls that are in turn mapped to multiple regulations and standards. We have been auditors so we understand how auditing works – and we design our tools and techniques to make life easier for both our clients and their auditors.

When is VST not a fit?

If you just want to “check the box”, you won’t be happy with VST.

You’ll like VST if you know you have holes in your security program and you want to fill them. VST will help you to:

  • Foster an environment where security activities are business-as-usual
  • Make policies more readable and usable, especially for non-technical staff
  • Create procedures that are easy to follow and record
  • Show how their activities meet legal and regulatory requirements
  • Provide meaningful training and awareness to staff
  • Test key security systems

If you just need a pen-test, scan, or HIPAA assessment, Loptr can do that. But if you already know we’ll find big problems, VST is a better fit.

What happens after a 3-month or 12-month VST?

Most Virtual Security Team clients continue to work with Loptr after the 3-month or 12-month engagement. We call this “Year 2” – although it doesn’t have to end there. The Year 2 Virtual Security Team includes more ad hoc support and updates to the dashboard, risk analysis, policies, and procedures. Year 2 also continues quarterly technical reviews, training and awareness, team meetings, and briefings. Year 2 shifts to maintenance and continuous improvement whilst adjusting to changing threats and requirements.

Do I need a security expert on staff to use VST?


VST is designed for organizations that do not have dedicated security staff. Somebody on your side will be your “designated security official” but that person doesn’t have to be a security professional. You can rely on Loptr’s expertise.

What does the VST “team” look like?

Loptr assigns a project coordinator, lead consultant, and technical advisor to each Virtual Security Team client. The project coordinator is Loptr’s primary point-of-contact – ensuring communication and keeping everything scheduled and on track. The lead consultant provides “CSO-level” guidance while the technical advisor focuses on, well, the technical aspects of information security. It isn’t unusual for other Loptr consultants to lend a hand as well.

The client’s side of the team varies. You will assign a liaison as your primary point-of-contact but other team members are up to you. Definitely include your designated security official (the person who drew the short straw). You may draft team members from management IT, HR, facilities, operations, or anywhere else that makes sense. Liaisons have been CIOs, CFOs, IT managers, network engineers, and office managers – a key liaison quality is a willingness to talk to humans and return messages.