Strategic Advisory Services
Proactive, Evidence-driven Security Services
Organizations of all sizes have a need to identify, assess and prioritize risk. The maturity of your organization often correlates directly with how risk is managed. Evidence-driven security helps organizations communicate and improve decisions and business outcomes. We can help you measure your performance, justify spending, and manage results.
Improving processes involves defining and implementing a security strategy and communicating security throughout the business. If you need to increase the level of organizational maturity and documentation processes, we have the expertise to assist in creating and defining your mission and vision.
Prioritize Risks and Investment Roadmap
We deliver a complete package of process, tools, and training to enable consistent communication and decisions to formalize your assessment, prioritization, and communication processes. Your team will be empowered to drive proactive decisions with IT and business stakeholders.
Technical Risk Assessment Process
We provide process templates, definitions, risk assessment tools, templates, and deliverables. Your team will have a consistent way to assess and prioritize risks and evaluate the cost-benefit of control options.
Define & Implement Metrics Program
How are your current controls performing? What targets are right for your business? We help you identify metrics that matter to the business and evaluate appropriate metric target levels. The result is a set of measurements and decisions that communicate the existing and target performance across your control environment.
Measure Vulnerability Management Performance
One of the most valuable metrics is also the easiest to maintain: tracking the age of scanner-based vulnerabilities. Vuln scanners enable you to classify devices and identify patch and configuration vulnerabilities cost-effectively. Unfortunately, many organizations don’t have the ability to easily determine if remediation occurs within agreed-upon timeframes.
We'll work with your scanning team to determine appropriate scanning coverage, configuration, network enumeration, and vuln severity levels. If you haven't defined remediation timeframes by asset class and severity, we’ll work with you and your operations team to identify appropriate tolerances. Because vuln scanners do not provide visual reports on vulnerability age, Caliber Security Partners developed a simple tool to receive scans, age vulns, and report on past due items.
Security Strategy Development
Developing, communicating, and maintaining an information security strategy provides clear direction to your internal team, stakeholders, and audit organizations. A strategy is more than a presentation. It’s a process to solicit input, crystallize direction, and build support across the organization.
Whether you’re updating an existing strategy or starting from scratch, our consultants offer experience building the mission, vision, and strategy to get there. Depending on your needs, this engagement may also include a process maturity assessment to frame your message, set expectations, and identify improvement areas.
Team Service Catalog
Those familiar with ITIL may refer to this engagement as building a Service Catalog. The ability to define what you do, who does it, at what maturity, and where your time and money are spent enables teams to align their capacity to demand. A Service Catalog enables you to set expectations and communicate where you’re actually spending your time vs. where others think you are. If you feel like you have insufficient resources or if you’re reacting more than leading, start with a Service Catalog to set a baseline.
Creating a Service Catalog seems like a straightforward exercise. However, many teams struggle to document their processes with consistent levels of detail across managers. Our team will interview your leaders and help standardize your services into concise descriptions. Caliber Security Partners even developed a simple web application to store and manage your catalog over time.
Process RACI and Capacity Plan
Once you have a service catalog, you may want to determine where your team spends its time and money. Our team helps you allocate time across high-level buckets of Business as Usual, Short Term/Unplanned Work, and Long Term Projects. The benefit is a visual representation to determine resource allocation and help communicate needed changes.
An optional step is to take advantage of the service catalog to assess the maturity of each process across people, process, and maturity. We leverage a maturity model similar to the capability maturity model for consistency. The benefit is a visual representation to set expectations on process maturity and drive investment decisions.