Services Roadmap

What's the next step for your program?

A Complete Security Blueprint

This blueprint breaks our service offerings out into a roadmap for your organization to follow. By analyzing your existing program, work completed, and using our categorization—foundational, developing, and mature—you should be able to place yourself and get an idea of what’s next for your security program.

Ongoing Engagements

These are services that information security programs of all maturity levels might implement and benefit from.

Asset 27

vCISO (Virtual CISO)

Virtual CISO is an all-encompassing engagement. A vCISO will help identify what initiatives and technologies are needed and when they are appropriate to deploy, regardless of the overall maturity of your security program.
Asset 24

Risk Registration & IR Retainer Hours

Risk registration and IR retainer hours ensure that, should an incident occur, you’re ready to respond and you have access to a dedicated incident response team just in case. 

Foundational Services

These services provide the framework your security program and ensure that the basics are firmly in place. The fundamentals are often overlooked or hastily completed, so these steps are crucial to addressing easily exploited gaps in your security.

Asset 17

Risk Assessment & Roadmap

  • Quantify risk
  • Prioritize remediation actions
  • Establish a baseline security posture

Risk assessments identify and quantify risk, providing a roadmap of actions to be taken to improve your organization’s security posture.

Asset 4

Policy Coaching

  • Sets the framework for the program
  • Formalizes things like risk assessment and penetration testing frequency
  • Defines things like acceptable use of systems

Policy coaching is intended to educate clients on what should be included in policies and WHY those things are included.

Asset 7

Training & Awareness

  • Educating users on common attack methods used by threat actors
  • Should be done at least annually with supplemental materials sent out regularly
People, while the most valuable asset for a company, can also be the weakest link. Having an effective training and awareness program can reduce your overall susceptibility to threats. 
Asset 9

Asset Management

  • Know what systems you have
  • Know what software is installed and where 
  • Know what data/information you have and where 

You can’t secure what you don’t know you have. If you experience a compromise, do you know what data and systems have potentially been affected?

vulnerability management

Vulnerability Management

  • Asset management
  • Vulnerability scanning
  • Remediation prioritization and assistance
Vulnerability management helps companies understand what they need to secure, identify gaps in their security, what vulnerabilities to prioritize, and how to implement the fixes.
SVG 26

IR/DR Plan Coaching

  • Having a plan in place can significantly reduce the impact of an incident/disaster if one does occur
  • Should be updated and tested annually

This coaching is done with the organization’s team to ensure that the IR/DR plan is comprehensive. It also helps educate the organization on the different roles and responsibilities in each plan.

cloud security assessment icon

Cloud Security Review

  • Was there any customization of your instance or did you use the default settings?
  • Align Azure, AWS, or GCP security controls against industry best practices

Companies often migrate quickly, thinking cloud hosting is inherently more secure, and don’t bother to configure security beyond default configurations.

Asset 23

Regular External/Internal Vulnerability Scanning

  • Identify openings that allow attackers to infiltrate your network
  • Ensure patches are applied properly

Verify your patch management tool is doing what you think it is by regularly scanning to double-check.

Asset 26

IR/DR Tabletop Exercise

  • It’s one thing to HAVE a plan, but do you know that it works?
  • Must have a plan in place to test

The worst time to test your plan is during an incident or outage. Test the team’s understanding and readiness to respond to a specific scenario.

Asset 27

vCSIM (Virtual Cybersecurity Incident Manager)

  • Similar to a vCISO
  • vCSIM works with your team to improve IR capabilities.

Ideal if you have in-house staff that may have other responsibilities. Bolsters your readiness with a resource that is solely focused on IR.

Developmental Services

You have developed the foundation of your security program, and you’re ready to begin addressing more advanced threats, and expanding your in-house team’s capabilities. 

Asset 22

Penetration Testing

  • Uncover issues through emulated, real-world attacks

You want a trusted partner finding vulnerabilities before an attacker can. Pen tests identify gaps and provide remediation recommendations to make your environment more secure.

SVG 29

Threat Hunting (as Needed)

  • Understand attack surfaces and identify remediation actions that can reduce risk
  • Crucial if you are acquiring another organization.

If you are looking for peace of mind or are worried you may have experienced a breach without any firm Indicators of Compromise, a proactive search for malicious activity may be worth it.

SVG 23

Third-Party Risk Management

  • IT may not be aware of all your vendors if they are not involved with them directly
  • Important even for organizations without a regulatory requirements

Understand who your vendors are and what risk they present to the organization based on what services they provide and what assets they have access to.

Asset 10

Social Engineering

  • Supports training & awareness program
  • Allows remediation of personnel-related gaps in your security program

Test employees’ awareness of popular attack techniques threat actors use to try and compromise accounts by confronting your users with real-world scenarios.

Asset 19

Red Team

  • Simulates a threat actor actively attempting to compromise an organization
  • Employs tactics observed in real-world cases

The primary objective is to accurately simulate adversaries to the organization and perform attacks that assess an organization’s ability to respond.

Asset 8

Purple Team

  • A combo of Red Team (attack) and Blue Team (response)
  • Evaluates people and processes as opposed to standard pen testing which primarily tests tech 

Penetration testers start with an assumed breach approach and see what an attacker could do once they gain access to the environment. The IR team works with the organization to identify the attack indicators using your existing tools.

Asset 3

RPM (Response Preparation & Management)

  • Develop an internal IR team

A dedicated resource is assigned to help build an IR plan, perform a risk assessment, and help ramp up your internal team’s skills.

Mature Services

When security programs enter the “maintenance phase,” it’s important to verify that established processes are being followed, security teams are accountable, and ongoing requirements are being met. This is not to say you’ll never need to perform another security initiative again, but a mature security program should be primarily concerned with upkeep as opposed to implementation.

Asset 7

Compliance Requirements

  • Align your security program with regulatory requirements and industry standards

Our approach is that by developing a mature security program over time, you should meet most of your compliance requirements naturally. However, for organizations in highly-regulated industries, it’s important to make sure regulations are being met.

Asset 13

Business Impact Analysis

  • Identify and rank critical business processes in order of potential impact
  • Establish what systems and processes are required for supporting them

It is important to understand how critical processes being unavailable would negatively impact the business. Without knowing what is required to bring up critical systems back online, recovery times will be longer.

SVG 05

Internal Audit

  • Examines a security program’s actual operations
  • Verifies stated processes are being followed 

Not all organizations have an internal audit department. Leveraging an outside team can ensure that audits are performed objectively and thoroughly