FAQs
Are you IT consultants?
No, we are a hybrid of Cyber Security, IT and Organizational Psychology consultants. We feel that you need all three to help in writing policies, implementing those policies in your IT infrastructure and embracing those policies at every level of your organization.
Does one size fit all?
Not at all. In fact, we offer three sizes of engagements, intended for different situations. See our Services page for more.
What makes you special?
Cyber Security requires policies (what to do to prevent problems), planning (what to do if problems arise) and monitoring (are there any problems in the making?). We address all three areas, not just one or two. Most importantly, we help you change your corporate culture so that looking for problems and solving problems becomes automatic instead of frantic.
Why the emphasis on culture?
Shifting to a cyber security stance is a change of culture. Not a change in culture but a change of culture: from "out of sight in IT" to management awareness and the practice needed to execute the plan. Managing cyber risks should be like managing any other aspect of your organization.
Why the emphasis on behavioral science?
While we hope it is an unlikely threat, insider threats often do the most harm. Behavioral analysis gives us insight into where the personnel vulnerabilities become writ large—malcontentment, misaligned expectations and understanding, lack of execution. These are, respectively, attitudes, cognition, and behaviors related to the kind of cyber risks so often overlooked. You will find more detail here.
Do you have a custom methodology?
For level 1 engagements, we use our in-house methods. For level 2, we use whatever methodology was used to create the system we are updating. For level 3, we use the NIST CSF as our methodology for building your cyber security program.
We have custom methodologies to apply behavioral science to supporting your cyber security program. For example, BARC, which is introduced in this white paper.
Why did you choose the CSF for Level 3?
There are a few commonly used methodologies for building cyber security programs, but we chose the NIST CSF for a couple of reasons, all detailed here in our More Info section.
What if we don’t have a Chief Information Security Officer (CISO)?
Then you are our ideal level 1 or level 3 client. Our ideal level 3 client doesn’t have a Chief Information Security Officer, but knows that they should be doing more than they are doing now.
What if we have a part-time CISO?
Then you are our ideal level 2 client. We are happy to help you go from part-time CISO to wherever you want to end up, from part-time CISO with a cyber security program to full-time CISO with a cyber security program and staff, or anywhere in between.
Why would we choose you over the usual suspects?
A general management consulting company is likely going to focus on reorganization and training, charge a bundle, and not focus on proving that they made your cyber risk demonstrably smaller, let alone smaller in a self-sustaining way.
What are you selling, exactly?
For all levels, we offer guidance in following a process, not a program, because you need a custom solution that fits your particular timeline, budget, situation and staff. We believe in teaching your people to fish. The bad news is that you have to do your share of the work. The good news is that you will become self-reliant by the (well-defined) end of our engagement. More about our level 3 method and process can be found here.
What is the first step?
For any level, the first step is a small project which will deliver standalone value even if you and we don’t ever do business again, but will be a solid first step if we go on. Try before you buy. We call this “The Gap Analysis” because it describes the gap between where you are now and where you want to be.
You don’t know if we are the right fit for your situation and we don’t know what exactly you need, so we can’t give you a budget and a timeline without some research. The gap analysis usually suffices for level 1 or level 2 engagements.
For level 3, we move on to our Inventory & Assessment (I&A). As is common, we take an inventory of your critical systems for accessing and storing important data. As is unique in our experience, we assess your staff’s openness to change and suitability for these new roles. Once we know what you need to protect and who you have to protect it, we can lay out the road map from here to there. More about the I&A can be found here.