Cyber Security Health Check
Our cyber security health check gives you clarity on risks, enabling you to take decisive action.
What you gain from a Cyber Security Health Check
A cyber security health check is a point-in-time analysis that gives you clarity on your level of cyber security risk and enables you to act on it with confidence.
- Visibility of all cyber security risks within your business
- Understanding of cyber risk levels throughout your business
- A detailed breakdown of your cyber strengths and weaknesses
- A prioritised list of cyber security improvements you can action plan and implement
- Cost vs risk guidance for cyber security investment
- The foundation of an effective cyber security strategy
- Identifying the ‘gaps’ that non-risk based or tactical approaches leave open
Our cyber security health check is designed to give you the exact information you need to both understand and improve the cyber resilience of your business.
For more information download the cyber security health check factsheet
How is a Cyber Security Health Check Delivered?
Business First Engagement
The main goal of a cyber security health check is to protect your business. For that reason, that is exactly where we start: at the heart of your business.
We begin by interviewing the CEO and other members of the senior management team, such as the CFO, COO and CRO. Our aim at this stage is to understand exactly what types of cyber incident or breach could impact your business, and crucially to what degree.
We use this information to derive the core cyber business risks your business faces, and use these as the critical foundation for the rest of the review.
Next we determine which controls need to be in place to manage the core cyber business risks. We base these on a hybrid of the CIS Critical Security Controls and ISO 27001 Annex A. However, if your business already uses a different control framework, we can tailor the health check to use that instead.
Importantly, where necessary, we also add controls beyond the baseline; for instance, to protect extremely sensitive data we may recommend air-gapping a network or an equivalent isolation measure. Throughout, our focus is on tailoring the control set to your cyber business risks. This may mean some baseline controls are not required or are less important, whilst others are very important or even critical to your business.
Control & Risk Assessment
At Nicolson Bray we view controls as encompassing people, process and technology. So when we assess these controls, we assess all three as well.
That means checking you have adequately trained staff in place, the processes are robust and repeatable, and that the technology is in place and working.
Our approach to control assessment is to rigorously question and analyse each control. We begin by gaining an understanding of how the control fits within your environment, at the intersection of people, process and technology. We then work out exactly how the control could fail and pursue a line of questioning until we are satisfied that it cannot fail in that way. If we cannot gain that assurance, we mark the control as failed and risk assess it accordingly.
The breadth and depth of our assessment is what gives you visibility of all of your risks. If there is a cyber issue within your business, you can trust us to find it!
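The method above has two mechanical parts a technical team may want to see written down: a control passes only when people, process and technology are all assured, and the rating of a business risk depends on which of its supporting controls failed. The following is an added illustration of that logic, written for this page; it is not Nicolson Bray's own tooling, and the scoring formula, the 1 to 5 impact and likelihood scales, the rating bands, the sample controls and the sample risks are all constructed assumptions for the example. The control references use CIS Critical Security Controls v8 and ISO 27001:2022 Annex A numbering.

```python
"""Toy model of a risk-based control assessment (constructed example)."""
from typing import Dict, List
from dataclasses import dataclass


@dataclass
class Control:
    cid: str          # framework reference, e.g. "CIS-7" or "A.8.12"
    name: str
    people: bool      # trained, assigned staff are in place
    process: bool     # the procedure is robust and repeatable
    technology: bool  # the tooling is deployed and working

    def gaps(self) -> List[str]:
        """Dimensions in which the control could not be assured."""
        checks = (("people", self.people), ("process", self.process),
                  ("technology", self.technology))
        return [name for name, ok in checks if not ok]

    def assured(self) -> bool:
        # A control only passes when all three dimensions hold.
        return not self.gaps()


@dataclass
class BusinessRisk:
    name: str
    impact: int          # 1..5, from senior-management interviews (assumed scale)
    likelihood: int      # 1..5, inherent likelihood with no effective controls
    controls: List[str]  # IDs of the controls that manage this risk


# Assumed rating bands: (minimum score, label), checked from highest down.
RATING_BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low"))


def band(score: int) -> str:
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Low"


def residual_rating(risk: BusinessRisk, catalogue: Dict[str, Control]):
    """Score a business risk given the assessed state of its controls.

    Assumed formula: failed controls leave the inherent likelihood in place in
    proportion to how many of the risk's controls failed; if every control is
    assured, likelihood drops to 1. Impact is never reduced by controls.
    """
    ctrls = [catalogue[cid] for cid in risk.controls]
    failing = [c.cid for c in ctrls if not c.assured()]
    fraction = len(failing) / len(ctrls) if ctrls else 1.0
    likelihood = 1 + round((risk.likelihood - 1) * fraction)
    score = risk.impact * likelihood
    return score, band(score), failing


def prioritise(risks: List[BusinessRisk], catalogue: Dict[str, Control]):
    """Rank failed controls by the inherent business risk they leave exposed.

    A control missing only one dimension is flagged as a quick win (assumed
    heuristic: e.g. the technology exists but the process around it does not).
    Ties are broken in favour of quick wins, then by control ID.
    """
    exposure: Dict[str, int] = {}
    for risk in risks:
        for cid in risk.controls:
            if not catalogue[cid].assured():
                exposure[cid] = exposure.get(cid, 0) + risk.impact * risk.likelihood
    ranked = sorted(exposure.items(),
                    key=lambda kv: (-kv[1], len(catalogue[kv[0]].gaps()) != 1, kv[0]))
    return [{"control": cid, "exposure": score, "gaps": catalogue[cid].gaps(),
             "quick_win": len(catalogue[cid].gaps()) == 1} for cid, score in ranked]


# Constructed sample assessment (not a real client).
CATALOGUE = {c.cid: c for c in [
    Control("CIS-5", "Account Management", True, True, True),
    Control("CIS-7", "Continuous Vulnerability Management", False, False, True),
    Control("CIS-11", "Data Recovery", True, False, True),   # restores never tested
    Control("A.8.12", "Data leakage prevention", True, True, False),
]}

RISKS = [
    BusinessRisk("Ransomware halts trading", 5, 4, ["CIS-7", "CIS-11"]),
    BusinessRisk("Customer data leaked", 4, 3, ["CIS-5", "A.8.12"]),
    BusinessRisk("Fraud via compromised finance account", 3, 3, ["CIS-5"]),
]

if __name__ == "__main__":
    for risk in RISKS:
        score, label, failing = residual_rating(risk, CATALOGUE)
        print(f"{risk.name}: {score} ({label}), failed controls: {failing}")
    for item in prioritise(RISKS, CATALOGUE):
        print(item)
```

Run as written, the ransomware risk rates Critical because both of its controls failed, the data-leak risk drops to Medium because one of its two controls is assured, and the fraud risk drops to Low. The recommendation list puts the untested backup process first (same exposure as vulnerability management but a single gap, so a quick win), then vulnerability management, then data leakage prevention.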
Presentation of Findings
The output of our cyber health check is a detailed report containing the following information:
- Cyber business risks with ratings you can understand
- Identified quick wins you can implement within weeks to significantly reduce risk
- Prioritised list of recommendations you can base your cyber investment and action plan on
- Detailed description of each risk and issue
- In depth analysis of your controls, which your technical teams can use to fully understand the issues
Gain peace of mind that your business is secure
Who will be involved in a Cyber Security Health Check?
Our consultants will carry out their activities in a way that has as little impact on you and your colleagues as possible.
For that reason we always begin by reviewing documentation, policies and procedures, learning as much about your company as we can before asking questions.
We will, however, require time from several stakeholders.
For larger organisations we may engage at the level below the Senior Management Team, although our preference is to engage at as senior a level as possible:
- CEO – Initial engagement and reporting
- Senior Management Team – Building an understanding of cyber business risks
- Audit & risk management – For companies with internal functions
- CIO / CTO & Head of IT – Building initial understanding of technical architecture & resourcing
- Lead Architect – Further building architecture and data knowledge
- IT Engineers – Deep dive on technical controls in place
- IT Security Manager and Engineers – Deep dive on cyber security controls in place
When is the right time to carry out a Cyber Security Health Check?
If you haven’t yet carried out a cyber security health check, then we would advise you to carry one out as soon as possible.
Visibility of cyber security risk is essential both to defending your business against attack and to making sure you are investing in the right people and technologies to keep that risk under control.
We are aware, however, that budget is not always available. With that in mind, the following events can be useful triggers for a cyber security health check:
- Preparation for next year's technology and cyber security budget
- On taking on a senior cyber security role at a new company
- In response to a recent cyber security attack in your industry
- Prior to large scale changes to your IT architecture – e.g. moving to the cloud
- As part of a strategic company change, such as M&A activity
Why Nicolson Bray?
Our consultants have decades of experience and deliver value across both business and technical domains. All our services are highly bespoke, tailored exactly to the requirements of your business, and our technology agnostic approach enhances our capability to identify and resolve security issues.
We leverage our expertise, built over years of working in high risk industries, to target your cyber investment exactly where it counts and ensure your business is secure.
Take the first step in enhancing your cyber resilience