Cyber security, you may have noticed, relies on assurance to prove worth. That is, where the web designer can demonstrate the new corporate site, and where the IT manager can light up Internet connectivity on everyone’s PC, the security engineer has trouble showing value. There’s no good demo. Perhaps worse, no one’s life seems better because the firewall has been installed or data has been encrypted. It’s a total bummer for CISOs.
Now, I’ve made the above claim many times in front of large groups, and the pushback is predictable. Security is an enabler, I am told, and everyone’s life is made better by installing that firewall or encrypting that data. Without the assurance such security mechanisms bring, there would be no websites to show off or Internet connectivity to demonstrate. And that is precisely my point: Cyber security relies on assurance to prove worth.
To accomplish this goal, our discipline has invented a process known as a security assessment, and it can be done in one of three ways: First, you can hire or employ hackers to break into your stuff, which is quite useful if you (or some of your company executives) believe your stuff cannot be broken into. What such penetration testing does not do, ironically, is provide any assurance whatsoever that unknown flaws are absent.
Second, you can run tools called scanners that will discover devices and endpoints. The scanner will then either knock gently with a packet, or climb inside and begin noisily banging around. This activity is a useful endeavor, and there are many fine firms who will be happy to help you blast out scans and interpret the output. Just be ready, should you choose the noisier option, to knock at least one server on its butt.
Third, your assessment can take a more holistic view of target systems, services, and infrastructure, using human intelligence, expertise, and experience to identify potential weaknesses. This review process can be done in an hour, or a year, or everything in between. It can be done for free, for millions, or for every price in between. It can focus on prevention, response, or anything in between. TAG Cyber focuses on these types of security assessment.
Each year, TAG Cyber can take on a limited number of security assessments for organizations with challenges that would benefit from such expert attention. Our experience base spans all industrial and government sectors. We tend to restrict our attention to United States-based organizations, but we have experience in international engagements. Our expertise spans architectural, technical, compliance, and management aspects of cyber.
If you are interested in engaging our professional services, please drop us a note via the contact form on this site. We will quickly respond and engage in a brief discussion to determine whether we are the best group to add value. In cases where we cannot, we will help you find the right partner. Our goal is to be helpful to anyone who reaches out, regardless of their posture or circumstances. So, don’t be hesitant.
We look forward to hearing from you.