Fractional, Virtual, or Interim CISO
What it is:
While we advocate for dedicated in-house leadership, we realize there may be times when businesses may need external supplementation both for the short and long term. We provide services that allow you to engage as much or as little as you want/need. This will enable you to scale to your needs and your program’s requirements.
What to expect:
We will meet with you to determine the “right” CISO offering for your needs. This could include:
- CISO advisory – such as strategic help, coaching, or assistance standing up and overseeing your program
- Intermittent direction and leadership for part-time staff, or to fill a CISO leadership gap for a short time. We work with many types and sizes of organizations through this service and have unique, compelling expertise with large life sciences companies in particular.
- A fully managed vCISO service that fully leads and executes your program from beginning to end. This is popular for small to mid-sized businesses that can’t staff full teams but want to take advantage of the deep experience of the Reveal Risk team.
Cybersecurity Maturity Model Certification (CMMC) prep for DoD contractors
What it is:
Reveal Risk is a Registered Provider Organization (RPO) that helps manufacturers, software developers, and consulting firms compete for DoD contracts. The CMMC requirement is imposed by DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7021. We help you prepare for the formal assessment conducted by a separate CMMC Third Party Assessment Organization (C3PAO).
What to expect:
- Clear evaluation of your current state, gap analysis, and the appropriate goals/priorities based on the CMMC maturity level for your contract(s).
- Help building the processes you will need to demonstrate to the C3PAO in order to pass the assessment
- Incident response readiness and reporting
- Assistance navigating “Prime” contractor audits or third-party assessments of your organization
- Audit readiness (and partnerships with trusted audit firms that are deeply skilled in CMMC)
Penetration testing and adversary simulation
What it is:
Our experts simulate attacks to help you find gaps in your IT controls and security program effectiveness. We provide prioritized recommendations on fixing the identified gaps using practitioners who have owned these processes within companies. We conduct penetration tests to check for system vulnerabilities and adversarial simulations (aka Red Team) to test the effectiveness and responsiveness of your incident response teams, controls, and processes. On a recurring basis, our team learns your environment and your business, improving with each iteration and ensuring your controls evolve to keep up with the threat actors.
What to expect:
- Certified experts in offensive security, who are trained to think and operate as real threat actors would; our team goes far beyond a simple scan and report to identify your real exposure.
- Multiple vectors, tailored objectives, and jointly-developed, relevant threat scenarios that evolve over time
- Custom-tailored testing methods designed for your unique environment.
- A full suite of pen testing options, including internal, external, wireless, physical, application, web, social engineering, and Red Team engagements
Incident response plan testing
What it is:
Our response preparation activities, including wargames, simulation/rehearsals, and executive prep sessions, are designed for cross-functional leadership to learn the plan, know their role, and practice handling stress and making decisions as the situation unfolds. Rehearsing good behaviors and working out issues before a real security event can improve outcomes and reputations.
What to expect:
- Facilitated, scenario-based learning sessions
- Dynamic and interactive simulations to keep stakeholders (whether local or executive) fully engaged and adding value
- After-action review that captures key learning and ensures your team improves over time
- Updated Incident Response Plan and organizational recommendations to improve response to real events
VRM as a service
What it is:
While our goal is to equip you and your team to manage your vulnerability and technical risk program, we realize there may be times when businesses need external support for the short or long term. We can become an extension of your team and provide ongoing support services to find and fix weaknesses that can undermine your security efforts.
What to expect:
Based on a vulnerability risk assessment, we will execute the strategy to address the identified technical gaps and weaknesses.
- Design of VRM program, processes, and governance structure
- Execution of scans (or assisting you in doing it yourself if desired)
- Process elements to triage risks and drive the right actions across IT asset owners (server patching, config changes, code changes)
- Oversight of governance processes and driving visibility and accountability to ensure commitments are made and upheld
Periodic assessments
What it is:
If your resources cannot execute and manage an ongoing internal assessment program, we can become an extension of your team to conduct ongoing assessments.
What to expect:
- Identification of your assessment needs or requirements
- Consolidated process that minimizes organizational disruption for crucial stakeholders
- Options for technology support for ongoing assessments
- Experienced, action-oriented assessor support
- Cyber-experienced project management and execution leadership to ensure assessments are completed
Executive/staff advisory
What it is:
Get control of turnover, culture, and organizational change through independent advisory and staff coaching. We have been in your shoes and can help you and your team lead your organization forward.
What to expect:
- Deeply experienced executive advisory, with robust experience coaching senior leaders at Fortune 500 and smaller organizations
- Strong abilities to help your leaders grow and succeed (our resources consistently receive strong marks for impact and value)
- Experience building out new cybersecurity teams and helping fast-track team knowledge and experience
- Experience helping CIOs and senior leaders hire full-time CISOs, and post-hire assistance in building out teams and processes to grow the program
Operations support
What it is:
While our goal is to equip you and your team to manage your program, we realize there may be times when businesses need external support for the short or long term. We can become an extension of your team and provide ongoing support services.
What to expect:
- We can supplement or augment your security operations or security services staffing.
- We have recent experience in augmenting elements such as:
  - Building/enhancing SOC (security operations center) playbooks
  - Augmenting engineering support
  - Rolling out or scaling Privileged Access Management (PAM) tools such as CyberArk
  - Running governance processes
  - Augmenting or owning internal/external risk assessment team capacity