Masterclass

Mar 29, 2024

Overview

Masterclass was a graduate of our program and an excellent example of implementing appropriate security measures at each stage. They began with an annual assessment and then progressed to our vCISO Essentials program. They further advanced to our vCISO Enterprise program, where we assisted them in expanding the program and hiring a full-time internal Director of Information Security. We provided expedited transition support to the new Director of Security and helped with staff recruitment. Once their team was established, our support was no longer necessary.

Annual Assessments

Early on, Masterclass wanted to know its unknown unknowns from a security perspective and to gain some understanding of whether it was doing the right thing. So we began with a Technical Enterprise Security Assessment (TERA). TERA is a technical and interview-based assessment that covers the entire company.
Our stakeholder at the time, the VP of Engineering, was always kept up to date on progress throughout. Stakeholder feedback is crucial to help diagnose
As required, the results of the assessment are presented to executives, which creates a level of understanding across leadership and gives non-technical teams invaluable insights. The results of the assessment are then prioritized internally and tackled throughout the year.
Over subsequent years, as the company experienced rapid growth, we conducted annual Enterprise Gap Assessments, helping re-prioritize any gaps discovered with the additional context of the company’s size and challenges.

vCISO Essentials

Based on the results of one year's annual assessment, combined with a change in leadership and the challenges associated with the natural growth of a company, now 350 employees and growing, it was mutually decided that Masterclass needed more continual oversight of its security than annual gap assessments alone could provide. At this point, the main point of contact was the CFO. We decided that having a virtual CISO, at least on a fractional basis, was important to help address the IT security needs that arise with a fast-growing startup, especially now that the company was surpassing 350 employees.
Since a gap assessment had recently been conducted and we had built up intimate knowledge of the company and its operations over the years, we had a solid foundation to hit the ground running. As part of our playbook, we formed a Security Working Group consisting of a representative from Legal, IT, and Engineering, led by Ayman Elsawah.
During this time we helped the company build a security awareness program, promote a security culture, build and improve workspace and ??
  • Pentest Support
  • General Security Awareness Training
  • Engineering specific security awareness training

vCISO Enterprise

Addressing the needs of any scale-up required additional security oversight and involvement in areas of Enterprise Sales Support, Product Security, Formal Security Awareness Training, and responding to security incidents.
As the company decided to expand its product offerings into the B2B space, creating a product offering for enterprises, the security needs of the company increased.
The company required assistance with the completion of security questionnaires from enterprise customers, as well as a security representative in sales meetings. Additionally, as they were building out the product, Masterclass required technical security guidance for their enterprise product offering.
Additionally, supply chain attacks were on the rise, and companies across the board were affected by security incidents, requiring additional expertise to function as an Incident Response lead and provide expert guidance.

Product Security

During the development of the enterprise product, expert guidance was provided to shape the product roadmap in the following areas:
  • SSO Integration and Authentication
  • Authorization Models
  • Admin Portals
  • Shared vs Dedicated infrastructure

Incident Response

In 2020 and 2021, there was a significant increase in supply chain attacks across industries, and many companies were directly affected. If Masterclass experienced any incidents, prompt and expert leadership was provided in Incident Response. We worked directly with executive leadership, as needed, to help resolve the incidents and provide expert guidance and support.

Security Questionnaires & Legal Addendums

As Masterclass sold subscriptions to enterprises, additional security requirements arose, primarily in the form of security questionnaires and legal addendums that we had to agree to. We provided support in completing these questionnaires and also provided training to other staff to help them answer the questions.

Security Awareness Campaigns

As the company grew and phishing attacks increased, especially during the pandemic, we decided to implement a formal security awareness campaign. This campaign aimed to track and deliver security training to all employees on an annual basis. The training materials were carefully selected to align with the company's culture and supplemented with quarterly live training sessions during all-hands presentations.

Enterprise Sales Support

Our dedicated team is here to provide comprehensive support to sales teams in their interactions with enterprise clients. One of the key aspects of this support is assisting sales teams in completing security questionnaires and engaging directly with enterprise security teams. We understand the importance of speaking the same "language" as the security teams, and we ensure that sales staff are equipped with the knowledge and skills to effectively communicate and address the security requirements of potential clients.
To streamline the process, we developed a system that allows sales staff to take the first pass at answering questionnaires based on previous answers. This not only saves time but also ensures consistency and accuracy in the responses. Our goal is to reduce friction in the sales process and provide sales teams with the necessary tools and resources to successfully navigate security-related discussions with clients.
By providing sales teams with the support they need in understanding and addressing security requirements, we empower them to confidently engage with enterprise clients and build strong relationships based on trust and a shared commitment to security.

Security Leadership Search

Upon identifying the need, we collaborated closely with the Masterclass leadership to establish the position of Director of Information Security within the company. This process involved the following steps:
  • Evaluating best practices and options for organizing the structure
  • Developing the budget for the first year, including considerations for headcount and necessary tools
  • Crafting a comprehensive job description
  • Screening potential candidates
  • Conducting interviews with selected candidates
  • Creating scorecards in Greenhouse to evaluate candidates
 
Masterclass excelled in implementing comprehensive security measures, demonstrating their commitment to protecting their organization. They established a robust security awareness program, received thorough pentest support, and had a dedicated representative in sales meetings. Expert guidance was provided in product security, incident response, and completing security questionnaires. Additionally, they successfully implemented a formal security awareness campaign and provided valuable support to sales teams in engaging with enterprise clients. Furthermore, they demonstrated their dedication to security by establishing the position of Director of Information Security, following best practices in the selection process. Masterclass's exceptional performance in prioritizing and addressing security needs is evident throughout their journey.