security engagement timeline

Typical duration: 5-18 weeks (the sum of the phases below)
Duration driver: the number of practice and technology domains in scope

1-4 weeks

collaborative workshops

We start with collaborative workshops and process walk-throughs with your subject matter experts and business stakeholders. We use these sessions to learn about your organization, culture, and business drivers, as well as your current-state policies, practices, and technologies.

1-4 weeks

observations

We gather observations and document your current-state environment. We compare your environment to common criteria and recognized good practice derived from relevant standards and frameworks, such as the AICPA SOC reports, the NIST Cybersecurity Framework (CSF), COBIT, COSO, and the ISO/IEC 27000 series.

1-2 weeks

gap analysis

We articulate maturity hypotheses for each in-scope practice and technology domain by analyzing gaps and risk indicators using our assessment method and tools. We document strengths and opportunities for improvement by evaluating the "maturity tests" and "proof points" gathered during the workshops.

1-4 weeks

recommendations

We develop risk-informed recommendations to address every identified gap. Recommendations are influenced by your business drivers, culture, talent, risk posture, risk appetite, risk exposure, current technology investments, current projects, and planned budget.

1-4 weeks

roadmap

Recommendations typically consist of actions and projects. Actions are one-time events, such as hiring talent or acquiring technology. Projects can be time-bound or ongoing efforts, and usually entail process re-engineering and technology implementation. We help you develop charters for every project, organize them into initiatives, and prioritize them on a 3-to-5-year roadmap.

Security Practices

Asset Management
Auditing & Compliance
Business Continuity & Disaster Recovery
Classification & Labeling
Configuration Management
Governance & Personnel
Incident Response
Metrics & Reporting
Physical Security
Policies & Procedures
Project Management
Red Teams, Blue Teams & Penetration Testing
Risk Management
Security Awareness & Training
Software Development Lifecycle & DevSecOps
Threat Management

Security Technologies

Application & Database Security
Cryptography & Data Protection
Data Loss Prevention
Endpoint Security
Identity & Access Management
Malware Defense
Mobile Security
Network Admission Control
Network Security
Security Monitoring (SIEM)
Security Testing Tools (SAST/DAST/PenTest)
System Configuration & Patching Tools
Vulnerability Scanning Tools