When you talk to Kevin Gorsline, it's impossible to ignore what strikes you: His conviction. As dull as talking about privacy and security software can be, Gorsline speaks with an earnest sincerity about his work.
It's personal for him.
Gorsline is the chief operating officer at TBG Security, a boutique security and privacy consultancy. Established in 2003, its customers are start-ups to mid-size enterprise organizations in all verticals. That means TBG has to understand business models of all sizes and sectors and respond nimbly to their particular compliance needs. While TBG primarily did security for years, it later launched its "virtual chief information security officer" feature. And it recognized privacy expertise and solutions had to be part of that package.
"What for us is critical is long-term relationships with our customers," he said. "Our goal is to become our customers' trusted advisor in all things cybersecurity and privacy, which are two distinctly separate fields in people's minds."
But its cybersecurity clients realized they had privacy obligations, as well. TBG identified it needed software to help clients with consent management, third-party monitoring and data subject access requests. It wasn't seeking a reseller opportunity; TBG is strictly a consulting firm. It wanted to partner with a company that could provide the solutions its clients sought.
"Osano was reachable and amenable to a conversation about partnership opportunities, as opposed to straight 'go-ahead resell our product for X amount of dollars per sale,'" Gorsline said. "It was really more about the right platform for our customers."
TBG chose Osano for the platform's simple implementation and customer support's kind-and-quick responses, he added. And that support can be crucial in times of crisis.
"Whenever (the clients) are calling us, it's never because something good is happening. It's always because something bad happened," Gorsline said. "So to know I can reach out and get a rapid response on something and never be treated like I'm a village idiot for not having known that, it's a super important part of why we stick around."
TBG then leveraged Osano's software to build additional consulting services around its consent management, third-party vendor monitoring and data subject access request needs.
"For us, the real value proposition is the services we can build on top of it," Gorsline said. "Osano is a low-cost solution; low cost, low margin."
To meet its customer's needs, TBG had to find a flexible and customizable consent-management solution capable of handling its diverse client base's needs. TBG was discerning choosing the right vendor because, as Gorsline said, "anyone can do consent management" and throw a banner on a page. But TBG needed more than that.
"What we were looking for was someone who actually recorded that consent and then provided some flexibility in how we managed exposing the different cookies and scripts to our clients," Gorsline said. "Or provided our clients the ability to pose different options to present those cookies and scripts."
Third-party vendor monitoring and DSARs
The importance of monitoring third-party vendors is something organizations often overlook, Gorsline said, but that can be a fatal flaw. Having the necessary information to decide which vendors do privacy well is essential to any company's compliance.
"For third-party risk management, typically people are looking at cybersecurity risk, and often customers of ours will completely overlook privacy as a risk," Gorsline said. "So, if I'm looking at a third party vendor, and they don't have appropriate privacy settings, that to me is a red flag. It means their security posture is probably not as secure as it should be. They could get fined or put out of business and thus put a hole in our supply chain. I always look at Osano as the third leg of our stool for our third-party risk offering. It's an integral part of our virtual CISO solution."
TBG took the same approach with Osano's data subject access request (DSAR) feature. They picked it for its built-in workflows and later leveraged their investment by building additional consulting services.
"We're a consulting firm. Most of our clients haven't gone through the exercise of mapping their data flows, nor have they gone through the exercise of assigning data-source owners, both of which are critical to the DSAR process," said Gorsline. "We get the opportunity, from a consulting perspective, to offer the service consulting services to build out that DSAR workflow."
In the end, most important to Gorsline is the long-term reciprocity he mentioned earlier.
"Our relationship with Osano is just that; it's a relationship," he said. "I can reach out to Skye in support, and I get a near-immediate response. So the deciding factor for us in selecting a tool and staying with you as a partner has been your responsiveness. Both from a support as well as product enhancement perspective."