Security Strategy & Governance

Consistently, we see that security risk is not well integrated with other business risk processes. It often falls outside of the good risk governance practices that exist as part of overall business risk management. As a result, security risk is often less well understood, or the remedial actions are given lower priority by senior management. Our business-focussed approach aims to integrate security governance into the wider risk function.

Many of our clients come to us with specific compliance goals in mind. Experience shows that compliance programmes often deliver limited results. Our approach builds the specific compliance requirements into the broader governance of security and data protection, giving long-term, wide-reaching improvements, with the original need for compliance satisfied as a by-product of effective governance.

We can deliver the following services whilst giving security and operational teams the knowledge and skills needed to maintain their effectiveness into the future.

Security strategy

Identifying and determining the real cyber risks to business operations and data. Focusing strategic security programmes on critical assets, likely threats, alignment with business objectives and budget planning.

Security governance

Governance structure & process design, roles & responsibilities, policies & standards, three lines of defence integration, stakeholder engagement & agreement, preparedness for compliance assessments (e.g. PCI DSS, ISO2700x), reporting & metrics, third party / vendor management, asset management.

Risk management

Defining risk appetite, integration with wider risk management, threat & vulnerability identification, high-level & detailed risk assessment, control identification and prioritisation, operational support and understanding for risk assessments.

Data protection

Data flow mapping, data protection impact assessment, privacy by design, integrating privacy risk management into wider risk management, privacy notices, third party data transfer assessment, breach notification processes, data protection workshops for senior and operational staff, virtual DPO services.