
How OTH Security Cuts Audit Readiness Time by 75% and Scales Compliance for Customers Across Regulated Industries with Secureframe

OTH Security helps organizations strengthen cyber resilience with expert-led fractional security advisory services that enhance security posture, boost incident readiness, and streamline compliance across regulated and high-growth industries.

“Once clients understand why we’re using Secureframe, and they play with it for 30 minutes, the velocity of our SOC 2s and our security programs goes way up.”

Jeffrey Taylor, CEO, OTH Security

Highlights


Challenges

  • Clients needed mature security programs to win enterprise deals but lacked budget for full-time security teams or overpriced GRC tools with features they didn’t need.
  • Needed to offer clients trusted GRC platforms to avoid spreadsheet sprawl and redundant work for them and the OTH Security team.
  • Immature integrations on other platforms required heavy manual effort, defeating automation’s purpose.
  • Previous vendors had outages that caused downtime, ignored feature requests, or offered pricing that didn’t match the value they were delivering. 

Solutions

  • Pricing, functionality, and reliability made Secureframe the preferred platform for OTH Security’s team.
  • Secureframe’s migration function, policy generator, and automated evidence collection via integrations save OTH Security and clients valuable time and money.
  • Alerts and email digests keep both the OTH Security team and clients informed about compliance tasks or milestones.
  • Partner portal enables self-service provisioning so OTH Security can get new clients operational in hours.
  • Responsive partnership team addresses feedback, unlike competitors.

Results

  • Reduced time to audit readiness by 75% for the average client, from roughly one year to three months.
  • Strengthened competitive differentiation from “spreadsheet consultants” that are 2-3x slower.
  • Eliminated hours of manual, tedious work per week, making it easy to show how the platform pays for itself. 
  • Scaled efficiently using Secureframe, delivering 35 SOC 2 reports in two years as well as ISO certificates, StateRAMP, NIST frameworks, and now CMMC.

Challenges

For fast-growing clients across regulated industries, operationalizing a security program quickly is essential to their commercial success—but doing it required OTH Security to have the right partner and tool.

OTH Security offers fractional security advisory services to clients across fintech, health tech, insurance tech, and other regulated industries. These clients need a mature security program to be able to sell to big enterprises, banks, and other customers, but don’t have the million-dollar-plus budget for a security department to build one.

OTH Security fills in the gap, offering the capabilities of a part-time CISO, security engineer, security operations center, and project manager for a fraction of the price.


“We run their security programs on their behalf. We control the budget, we staff into those companies from a security operations and engineering perspective, and we report up to their executives or their boards,” says Jeffrey Taylor, CEO and fractional CISO of OTH Security.

Many of these clients hire OTH Security to build and steer their security program to meet specific compliance requirements or simply to implement best practices. In either case, they usually use a compliance framework to provide structure to delivering these programs.


“We’ve done about 35 SOC 2s in the past two years alone, and a bunch more prior to that. But we also do CMMC, NIST frameworks, ISO 9001, ISO 27001, ISO 27017, ISO 27018, TX-RAMP, and other StateRAMPs,” Jeffrey says.

While OTH Security partners with a handful of other GRC platforms to offer their clients flexibility based on their unique needs, budget, and compliance requirements, they experienced several pain points with other providers. 

Some were immature and required substantial manual effort to use, which defeated the purpose of using the tool. Others had outages that disrupted OTH Security’s and clients’ operations. And others didn’t treat their partners very well: referrals were undercut, feature requests went unanswered, and pricing didn’t reflect the actual value delivered.

As a result, Secureframe has become their preferred platform and they steer clients that are using another platform or not using a GRC tool at all to Secureframe whenever they can. 


“We've largely consolidated on Secureframe because we’ve realized a lot of efficiency with you. We can get a new Secureframe customer operational in a few hours,” says Jeffrey. 

One particular client exemplified the pain of doing compliance without a proper platform: their existing security program consisted of 37 spreadsheets that all linked to each other. They had a dedicated compliance manager whose sole job was updating those spreadsheets. Jeffrey knew this was unsustainable, both for the client and for his firm’s ability to deliver security services efficiently at scale.


“I was working five hours a week on those spreadsheets. Using Secureframe saved me that time and the client those billable hours, so it pays for itself immediately,” says Jeffrey.

Solutions

Secureframe gave OTH Security the efficiency and true partnership needed to run compliance programs across multiple clients and frameworks, without the manual overhead of other platforms.

The decision to consolidate on Secureframe came down to a combination of a few key factors: pricing, reliability, functionality, and a genuinely productive partnership.


“The price is right relative to the features that we need. The UI is very good. And it's reliable. We've never had an outage so when we need to do something, we can get in there. I've had outages with other platforms, which are pretty embarrassing for me,” Jeffrey explains.

One of Secureframe’s standout features for a firm like OTH Security is the migration function. When a client is already on another GRC platform, Secureframe can pull over their existing data and policies automatically, saving OTH Security the hours of manual reconfiguration that a platform switch would otherwise require.


“I can give Secureframe access and you actually pull over the data and set up the policies and a few other things. This saves me and the customer those consulting billables and sets Secureframe apart from other vendors,” says Jeffrey.

Day-to-day, OTH Security relies on several Secureframe features to keep their client programs running smoothly:

  • Alerts and notifications flag upcoming audits, penetration tests, and control deadlines before they become urgent. 
  • Email digests sent automatically to department heads give cross-functional teams visibility into their compliance responsibilities without requiring constant meetings.
  • The policy generator lets OTH Security create working drafts for newer clients and iterate from there, rather than starting from a blank page every time.

Secureframe’s integration coverage also aligns well with the needs of OTH Security’s client base. 


“Most of our customers use Slack, Google Workspace, and similar tools so Secureframe has all the integrations they need by and large. Some platforms have more, but no one really needs 200 HR integrations, especially at the price tag these platforms have,” Jeffrey explains.

Equally important from a partner perspective is the provisioning experience. Jeffrey can spin up a new Secureframe instance for a client himself and bill it as a single line item. No sales calls, no friction. This removes any barriers for customers that are on the fence about using a GRC platform or Secureframe specifically.


“We don't do spreadsheet compliance anymore. We tell clients that need SOC 2 or ISO or some other compliance framework they have to go get a GRC platform. So if a customer is leaning towards Secureframe but they’re on the fence, I can just provision my own instances with Secureframe. That’s a huge selling point for me, and one of the reasons I stick with Secureframe,” says Jeffrey.

Beyond features and platform capabilities, OTH Security also sticks with and trusts Secureframe as a true partner. 


“We know the platform and how to use it efficiently, but we also have a good relationship with the partner team where if we do find a bug, or if we need a feature, or something changed, they’re actually receptive to our requests. That’s not just a nice-to-have for us, that’s essential,” explains Jeffrey.

Results

With Secureframe, OTH Security has dramatically accelerated compliance delivery for its clients and strengthened its position as the faster, more modern alternative to traditional security consultants.

The most tangible result is speed. While the exact timeline depends on how OTH Security builds the program and the customer’s size and industry, Secureframe reduced the average timeline by three-quarters.


“Getting the structure of a SOC 2 or a NIST framework moving, getting the right pieces in place, having the conversations, and then getting to an audit takes about 3 months for us when using Secureframe, whereas it would have taken a year without it,” Jeffrey explains.

That speed advantage translates directly into competitive differentiation against what Jeffrey calls “spreadsheet consultants,” which currently dominate the industry.


“When we tell them you’ll have something in your hands from an auditor with Secureframe in 3 to 6 months, versus a lot of the other spreadsheet consultants, 6 to 12 months—that’s a pretty big advantage,” says Jeffrey.

Over the past two years alone, OTH Security has delivered 35 SOC 2 reports for customers using Secureframe, a volume that would be extraordinarily difficult to sustain with manual processes or a less mature GRC platform.

The ROI story is equally compelling. OTH Security bills its clients by the hour, so every hour spent on manual evidence collection or spreadsheet maintenance is an hour charged. Secureframe’s automation flips that equation: setting up an integration takes minutes instead of hours, and the platform cost pays for itself almost immediately.


“Whether it takes me 2 hours to collect evidence or 30 minutes to set up the integration in Secureframe, those are billable hours. So clients could pay us to do menial tasks or they could actually get a tool out of this that saves them a bunch of billables and effort in the long-term and also lets us be more effective at a different level. So it really pays for itself,” says Jeffrey.

Secureframe not only enables OTH Security to operationalize security programs faster, it also results in better stakeholder engagement. When department heads and executives can see policies and compliance workflows in a purpose-built portal like Secureframe’s, Jeffrey says they understand and act on their responsibilities far more effectively than if OTH Security simply dropped a folder of documents in Google Drive.


“Seeing it in the portal is a lot more intuitive for people than if we just threw a spreadsheet with a bunch of documents in a Google Drive at them. These programs tend to fail without a good GRC platform in place,” says Jeffrey. “Once clients understand why we’re using Secureframe, and they play with it for 30 minutes, the velocity of our SOC 2s and other security programs goes way up.”

For OTH Security, Secureframe has become more than a compliance tool. It’s the platform that lets a lean fractional security firm deliver enterprise-grade programs at a pace that keeps clients ahead of their competition.

As clients grow and expand into new markets, Secureframe makes it easy to layer on additional compliance frameworks. Clients selling into federal agencies need CMMC, while those expanding to Europe often add ISO 27001 on top of their existing SOC 2. With Secureframe, OTH Security can add these frameworks quickly without starting from scratch.


“CMMC has been the big one lately. We’re seeing more companies wanting to sell to the Department of Defense and other federal agencies so they tell us they need to add CMMC. Or when clients expand into Europe, they often want to add ISO 27001. Since Secureframe is a very scalable solution, meeting evolving requirements from customers is straightforward,” says Jeffrey.