
Company Security Assessments

Leverage our experts to rapidly determine your company's security status and develop actionable, high-impact security initiatives for improvement.

The Challenge

Pinpointing the Security Status of a Company

Most CISOs struggle to report their company's security status to executive management. Diagnosing a company's security status, then pinpointing and articulating it, is not easy. It requires a highly structured, output-oriented approach, one that distils the entire breadth and depth of a company into discrete, intuitive key insights that express security levels across a variety of security dimensions.

Understanding the Individual Threat Model

One of the main challenges in determining a company's security status is developing a detailed understanding of its exposure to realistic threat scenarios. Without taking a threat-centric approach and factoring in the attacker's point of view, assessing defense capabilities and security posture becomes a fairly academic exercise with little practical value. Hence, deriving a threat model that is tailored to the individual business environment is an important milestone in any assessment.

Deriving & Prioritizing Actionable Security Initiatives

In addition to pinpointing the security status quo, a good assessment must suggest forward-looking security initiatives that can be leveraged to drive security resilience and take it to the next level. Doing this in a way that produces actionable output is typically quite a challenge and requires the right level of abstraction, along with the identification of cross-cutting defense capabilities that need to be built up.

Our Unique Approach

Holistic View. Deep Analysis. Fast Execution.

CISOCON follows a unique approach in designing and conducting security assessments. We bring in top experts with different skillsets, enabling us to fly high and dive deep at the same time. Understanding context and the ability to zoom out are crucial to maintaining focus on what matters most. Diving deep into technology is equally important in order to uncover weaknesses hidden in implementation and configuration.

Synthesis of Attack & Defense Perspective

In order to derive true insights from the assessment, both the defender's and the attacker's perspectives have to be taken into account. We leverage experts experienced in hacking and exploitation techniques to match your existing defense capabilities against realistic attack scenarios.

Prioritizing What Matters Most

It is not uncommon for CISOCON assessments to reveal 20 key insights and up to 500 security initiatives. Such large amounts of data and information only unfold operational value if they are contextualized and prioritized in a meaningful way. Our reports are deliberately designed to achieve this goal and factor in priority from a number of valuable, practical viewing angles.

Actionable Reporting

Assessment reports contain large amounts of valuable detail and are designed to make that detail easily accessible to you. Selected structural elements include:

  • Asymmetry in Attack & Defense
  • Attack Surface
  • Key Insights
  • Heatmaps / Security Posture
  • Heatmaps / Defense Grid
  • Initiatives
  • Adversarial Emulations
  • Vulnerability Exposure

Delivery Process

Overview

Designing the Engagement

The purpose of the design phase is to jointly discuss and agree upon the objectives, scope and participants of the engagement. Depending on expectations, special emphasis during the project can be placed on areas of focus or concern. Most importantly, a session agenda for the later deep dives is drafted at this stage. Sessions are sliced by topic and/or area of responsibility to ensure that an adequate level of depth is achieved and the right output is yielded at the end.

Information Gathering & Initial Review

The second phase is meant to equip and prepare the engagement team to run the deep-dive sessions as efficiently as possible. Based on checklists and bespoke scans of the environment, an initial understanding of the company's attack surface and digital footprint is built. The team further reviews documentation and other material that helps to save valuable time and connect the dots later on. Based on these results, the agenda for the deep dives is fine-tuned.

Deep-Dive Workshop Sessions

Deep-dive workshops, as the name suggests, aim to systematically dissect the scope at hand to derive strengths, weaknesses and potential attack vectors. Workshops are meant to be sessions of 30 minutes to 2 hours. Depending on the context, we selectively go deep into configuration and implementation or stay at a more shallow architecture, concept or process level. Observations made by the team are later transformed into insights, initiatives and additional artefacts that drive resilience.

Deriving Key Insights & Initiatives

Assessment reports contain a lot of structured information and valuable detail to address executives as well as operational stakeholders. At the core, reports list numerous security-enhancing initiatives. Initiatives describe the work required to elevate the security status from where it is today to where it needs to be. These are mostly tasks, in rare cases projects, or similar activities. Instead of vague objectives, initiatives are specific and atomic in nature, with a clear scope and a designated person or team responsible for execution.

Our Service

We've created the following service for you
