1- Strategic planning and direction for technologies
We provide advice on upcoming technologies and terminology, and work actively with the client to ensure that strategic planning is linked to business objectives, so that those objectives succeed so long as the technology choices are appropriate.
The security program for the organisation will help to drive some of the requirements and characteristics needed in new tools, or in an uplift of existing tools. By understanding the fundamentals of the organisation's risk management practice and having a firm grip on its policies, we are able to translate those into technical requirements for the business.
2- Security architecture patterns and design
We offer a comprehensive security architecture review of any solution, ranging from high-level design advice to low-level consultation on the components that make up the overall scope. By matching enterprise patterns and security and privacy requirements, we can identify control gaps and opportunities to uplift security capabilities. An information security architecture review is an essential and integral part of the delivery process: it provides structure and assurance that the design and implementation align with the agency's mission and strategic objectives.
1. Build: Understand the risk appetite and key risks in your organisation
This will enrich each organisation's process of identifying, analysing, evaluating and addressing its cyber threats and security goals. When we talk to the business and service owners we use business language and avoid technical jargon, which dilutes the conversation and gets in the way of a coherent, comprehensive discussion.
2. Develop: Unify, standardise and collate risks across your organisation into one place
3. Maintain: Create a sustainable process that your organisation can easily use
4. Mature: Weave risk management into key decisions and funding
3- Developing information security programs
When defining an information security program we ensure that it:
- Establishes a baseline and point in time for the organisation to work against;
- Is able to be measured and reported on continuously;
- Has senior stakeholder buy-in, otherwise it is doomed to fail;
- Works with the business and not against it, by tying it back into the strategic security objectives of the organisation;
- Is actionable, in that the program is right for the organisation based on where its levels of maturity are currently sitting;
- Is aligned to the risk management and/or control framework being used by the organisation. If none is in use, we will suggest one suitable for the enterprise.
We can enable and structure "Guard Rails" for your organisation so that it can move fast in cloud environments. Combined with our inherent knowledge of Well-Architected frameworks, this will have you running compliant, evergreen workloads in weeks.
4- Developing policy and governance
The policies we create for our customers, and our suggestions for improving existing policies, are based on good practice that the organisation can achieve in a reasonable amount of time, with the ability to demonstrate progress as it moves towards the end goal. Policies are supplemented by standards, procedures and guidelines where necessary, mindful of the client's definitions of these and how they are currently consumed, formatted and styled. Risk management frameworks and appetites are considered, as are the possible implications of deciding not to implement a control. Our approach ensures:
- clear lines of accountability are defined
- sound planning is in place
- investigation and response practices are known and appropriate
- assurance and review processes are developed and implemented
- proportionate reporting is in place
This process then enables you as an organisation to have meaningful commercial conversations about your security state, to understand which supplier poses the biggest risk to your business, and to know where to take steps to remediate it.
5- Threat informed defence capabilities
We have specialists who pioneered the use of MITRE's "Threat informed defence" methodology in New Zealand to augment your compliance, strategy, vulnerability and detection capabilities. This capability enables your security team to prioritise strategic decisions and proactively protect against changing threats.
We currently offer the following services:
1. Adversary Profiling
We will develop an adversary profile that provides an overview, TTPs, detection rules, attack examples and IOCs.
Alternatively, we can review training material and programs for adequacy with respect to business requirements and their impact on necessary knowledge, skills and ability.
2. Industry Threat Actor breakdown
Context collection on your organisation and industry that orients OSINT, dark web and threat intelligence collection to build a catalogue of threat actors. This will include their TTPs, detection rules, attack examples and IOCs.
3. Technology threat actor breakdown
We build the technology profile you are concerned about and use OSINT, dark web and threat intelligence to identify relevant threat actors, with their TTPs, detection rules, attack examples and IOCs.
4. Threat TTP detection pack
For core threat types such as ransomware, we can create comprehensive TTPs, detection rules, attack examples, IOCs and strategic approaches to protect against, detect and prevent threats.
5. Threat-based MITRE ATT&CK assessments
We provide in-depth control effectiveness assessments against key threats, giving you a quantifiable process for understanding your susceptibility to them. We also provide "choke point" analysis to recommend the core controls and detections required for the threat actors identified for your organisation.
6- vCISO
We sit outside the day-to-day operations and provide sage advice to our clients on the more strategic elements of their information security. In this role we drive the creation and implementation of security programs, ours or otherwise, as well as other important aspects of the risk landscape such as the development of architecture and policy. The vCISO will also typically act as the certification authority for risk assessments.