website templates


broad & comprehensive

We offer comprehensive security assessments as standalone consulting engagements, or embedded within a security architecture improvement project. Comprehensive assessments span people and the organization, processes and procedures, and security technologies.

We help our clients plan, implement, and govern their identity, security, and risk management architectures. Project deliverables can be aligned as necessary with cloud-first, hybrid cloud, BYOD, or next gen application dev ops requirements. They address process as well as technology to help organizations succeed at growing maturity in the target domains for optimal results.

We can provide a full set of policy review and policy development services. We craft new, targeted policies suited our client's IT environment, governance style, security objectives and maturity level. We can develop custom policies or work from a variety of industry templates to create or optimize top-level policies, standards, guidance, and procedures.

Responding to adverse events is a key capability of any security, privacy, or risk management program. We can help craft tailored incident response plans and facilitate table top exercises to practice and fine tune related procedures.

We have developed a unique approach to providing strategic guidance in the aftermath of a breach or other adverse events. Our approach combines failure mode analysis with retrospective kill chain analysis, control identification, and risk assessment. The result is a set of recommendations and a detailed roadmap for remediating the identified failures to improve the organization's communication with its board, leadership team, and regulators.


deep & focused

Using our standard assessment methodology, we offer security assessments in both “rapid” and “deep” formats. We’ll work with the client to determine what level of depth or breadth makes most sense for a given situation and budget. The “rapid” assessment involves a lighter level of analysis with fewer questions and follow up interviews on any given domain than the “deep” assessment. However, the rapid assessment will still capture the critical points of analysis for the domains covered based on our consultants’ expert experience.

We offer toolkits and services to empower security and IT teams to continuously self-assess at the optimal level of detail and focus for their unique environment. By conducting such self-assessments, the organization will be better prepared for formal audit and regulatory scrutiny, and can improve its security-related decisions.

Discipline-specific engagements focus on a single practice area from the security, identity, privacy, or risk management regime. These focused engagements typically involve evaluating skills gaps, identifying procedural improvements, conducting table top exercises, and assisting with operationalizing of detailed recommendations for improvement.

Technology-specific engagements focus on a single technology component from the security, identity, privacy, or risk architecture. These focused engagements typically involve identifying business drivers, functional requirements, technical requirements, constraints, and dependencies (derived from current state environment). Outcomes typically include recommendations for architecture improvements, identification of technological gaps, suggested solutions to address gaps (including open-source and commercial solutions), and execution roadmaps.

We have extensive experience both in preparing requests for information (RFIs) or request for proposal (RFPs) for technology vendors and managed service provider. Our expertise includes evaluating, assessing, and scoring vendor responses. In many cases, we’ll feed business, operational and technical requirements collected during assessments and architecture improvement engagements into the RFI/RFP’s underlying technical specifications. Leveraging our experience from multiple engagements, we’ll efficiently organize the material utilizing pre-built templates, requirements matrices and scoring instruments. Working with us, your team will hit the ground running with sample requirements, weightings and scoring methodologies – all completely customizable.

We help our clients develop sound business cases for investing in technology or procedural improvements. We assist with estimating the financial impact and likelihood of expected losses from risks to be covered by a project. We rank the best available risk mitigation strategies (or alternative sets of controls) by their ability to reduce the impact and likelihood of loss. We estimate the capital costs, levels of effort and other costs of each strategy. And we analyze the costs and benefits of the strategies against a set of scenario-based assumptions to recommend and drill deeper into the optimal approach.


ongoing support

We are no strangers to the challenges CISOs face in modern organizations. Through our standard security assessments, we provide an unbiased review; through our architecture improvement programs we provide an extension of staff to help increase the maturity of security programs or security architecture, allocate resources in the right ways and places, and get security-related processes and infrastructure operating more effectively. We can also help CISOs craft the right message, calibrate the metrics and craft the content in reports, presentations and other communications with both business and technical audiences.

With our "embedded expert" model, we can participate in regular governance meetings to provide the CISO with an unbiased, external expert opinion on critical decision-making matters.

With our "embedded expert" model, we can participate in regular architecture review board meetings to review new solutions, new solution patterns, and system or appication design reviews. We can assist the architecture team with developing a consistent set of architectural artifacts, including contextual, conceptual, logical, physical, and service management renderings.

We offer the following workshops in both public and private venues. Topics currently include:
Refreshing your Security Strategy and Architecture
• Developing a Comprehensive, Agile Risk Management Framework
• Modernizing your Identity Management Architecture and Program
• How to Self-Assess Security and Prepare for Any Audit
• Developing an Enterprise Authorization Framework
• Securing your Enterprise Journey to the Cloud
• Using Privileged Access Management to Protect what Matters
• Planning Blockchain Security, Applications, and your Business
Rebuilding through Strategic Assessment in the Aftermath of a Breach
All workshops are highly-customizable and can be tailored for multiple needs.

In addition to packaged workshops, customized training and education services on any of our areas of subject matter expertise. Using our strong research, analysis, facilitation, project management, and writing skills we will tailor training materials to the desired audience, ranging from board members, C-suite, directors, and practitioners.