CIS Controls Simplify Finance & SMB Client Cyber Strategy
PC Pharm Limited is a specialized IT consultancy operating in Trinidad and Tobago—a small open economy (SOE) where high regulatory expectations often collide with the reality of limited small to medium-sized business (SMB/SME) budgets. As a Managed Service Provider (MSP), PC Pharm has positioned itself as more than just a technical vendor; it is a vital bridge between high-level governance frameworks and real-world implementation.
Under the leadership of Managing Director Marlon Ramanan, the firm’s mission is to help clients build a "defensible" cyber strategy. Whether complying with Central Bank of Trinidad and Tobago (CBTT) mandates or navigating the emerging liability of the Data Protection Act (DPA), PC Pharm utilizes the CIS Critical Security Controls® (CIS Controls®) and the CIS Risk Assessment Method (CIS RAM) to achieve meaningful, business-aligned outcomes.
The Challenge: Navigating the "Compliance Gap"
Despite offering traditional security tools like firewalls and antivirus, PC Pharm found that many clients remained "compliance-fragile."
Financial institutions were tasked with submitting annual self-assessments to the Central Bank per Circular CB-OIFI-2976/2023 but lacked a methodology to produce the "detailed action plans" the regulator demanded. Meanwhile, high-value professional service firms, such as medical clinics and law firms, found themselves overwhelmed by the technical complexities of protecting sensitive personal data.
Internally, Ramanan recognized that PC Pharm needed to evolve. "Fixing IT" was no longer enough; the market needed a Virtual Chief Information Security Officer (vCISO) who could translate technical gaps into business risks that a Board of Directors could understand.
The Solution: CIS Controls and CIS RAM as a Strategic Foundation
To help clients strengthen cybersecurity while navigating resource constraints, PC Pharm adopted a combined framework built on CIS Controls v8.1 and the CIS RAM. This strategic pairing enabled the consultancy to offer regulated entities both structure and measurable impact.
With CIS RAM, PC Pharm conducts detailed risk assessments that generate client-specific risk registers. By applying Implementation Groups 1 and 2 (IG1 and IG2), the consultancy ensures that safeguards are proportionate to the client’s size and risk profile.
The CIS Controls provided the blueprint for prioritizing security measures based on cost-effectiveness and relevance. By focusing on the IG1 and IG2 Safeguards, PC Pharm tailored its approach to match each client’s needs and risk appetite. Many improvements required no additional investment, as clients were guided to enable unused features within existing tools, such as audit capabilities in antivirus software.
This methodology allowed PC Pharm to move beyond generic security recommendations and deliver guidance that was risk-informed, compliance-ready, and grounded in the client’s actual environment.
The Impact in Numbers
The adoption of CIS resources has yielded measurable efficiency gains across the PC Pharm portfolio:
- 40% Reduction in Assessment Fatigue: Regulated financial institutions reduced their annual risk assessment preparation time by nearly 40 percent. By replacing manual spreadsheets with a CIS-aligned automated GRC (Governance, Risk, and Compliance) workflow, data collection became a "continuous" process rather than an annual fire drill.
- 25% Operational Cost Savings: Clients cut compliance reporting costs by an average of 25 percent. This was achieved by consolidating redundant tools and aligning security spend with the highest-priority CIS Safeguards.
- 70% "Zero-Capital" Wins: For SMB clients, over 70 percent of Implementation Group 1 (IG1) Controls were satisfied at no additional cost. PC Pharm achieved this by leveraging unused features in the clients' existing Kaseya 365 and Microsoft 365 environments — such as enforcing MFA, enabling mailbox auditing, and configuring endpoint encryption.
The Result: A Trusted Partnership Model
The shift from "IT support" to "Risk Assessment" has fundamentally changed PC Pharm's relationship with its clients. Financial institutions now submit credible, framework-backed returns to the Central Bank with a 100% success rate in meeting deadlines.
“As a vCISO, I can now show a client a 3-year Maturity Trend Analysis. We aren't just selling a firewall; we're selling a verifiable roadmap. The fact that clients can hold us accountable via the risk register has transformed us into a trusted governance partner.”
— Marlon Ramanan, Managing Director, PC Pharm
What’s Next: Governing the Future of Privacy and AI
Looking toward 2026 and beyond, PC Pharm is evolving its model to support the full operationalization of the Trinidad and Tobago Data Protection Act (DPA). The firm is pivoting to offer Compliance-as-a-Service (CaaS), specifically designed to protect corporate directors from personal liability under Section 96 of the Act.
The "Human Moat" and Professional Ethics:
In an era of AGI and automated threats, PC Pharm remains committed to the highest ethical standards. This includes a clear Segregation of Duties:
- PC Pharm serves as the Risk Assessor and Compliance Support Partner (the "Internal Line of Defense").
- To maintain the objectivity required of a CISM (Certified Information Security Manager) holder, the firm explicitly discloses that it does not perform the periodic Section 2.A Independent Review mandated for financial institutions. Instead, it acts as the Audit Readiness Partner, ensuring clients are perfectly prepared for third-party examiners.
By combining the rigor of CIS Controls with a "governance-first" mindset, PC Pharm is proving that even a lean team can lead the way in securing a nation’s digital economy — one defensible roadmap at a time.