What kind of consulting services do you offer?
We offer security consulting services in our security workshop, assessment, architecture and custom formats for our core areas of expertise including general security architecture, cloud security, identity management, Privacy By Design, endpoint security and cybersecurity. The answers to the questions below describe some of our engagement formats. Multiple consulting services can be combined in a larger project to create a complex security architecture starting from scratch.
What is a security assessment?
A Security Architects Partners assessment is a consulting project that culminates in a written evaluation of your security program or some subset of the program. During the assessment, we interview key staff on a scoped area of your security program or infrastructure against specified criteria. Afterwards, we produce a summary report detailing our findings on your baseline environment, identifying gaps and providing initial recommendations for changes or improvements. Our assessments are based on security evaluation criteria derived from many years of experience in research and consulting.
We offer both “Comprehensive Assessments” (for a broad view) and “Focused Assessments” (for a drill down into a subset of the security program or architecture). Depending on which type you choose, we use different assessment criteria. We tailor the criteria for your organization’s maturity level, vertical industry, project objectives and agreed scope of work. This convergence on assessment criteria is accomplished during a preparatory phase of the engagement.
The key difference between all the assessments we do versus those done as part of a formal security audit is that we don’t strictly follow a checklist, but rely on our knowledge and expertise to evaluate the risks, practices, and technologies in play.
For more information on our Expert Assessments, and our Standard of Practice Assessments, see our page on Security Assessments.
What is a security architecture?
For the purposes of our consulting projects, a security architecture is a set of documented artifacts defining the desired “to be” state for the security components within a defined domain, or scope, of your IT environment. The architecture defines both organizational standards and guidelines. It also describes people and process requirements associated with the technical recommendations and generally includes a roadmap for implementing the recommendations.
In addition to helping clients define their target state for security, our architecture projects take them on a rewarding journey towards a better understanding of the threat landscape as well as the risks for organizations in their vertical industry, and of their current security posture. We help clients achieve consensus on and clearly document shared stakeholder requirements and good practices for the security program in their architecture. With our assistance, clients find it earlier to identify and choose among alternative strategies and to set priorities. In addition to delivering excellent architecture documents, we help clients build the ability to maintain the architecture – and run an effective security program – over time. We can also provide an option for ongoing coaching to help ensure you stay on track. For more information, see our page on Security Architectures.
What kinds of security workshops do you offer?
We offer workshops in both a classroom-style tutorial format and in an interactive facilitated decision-making format on each of our core topics. Workshop projects are typically short, requiring just 1 or 2 days onsite and some preparation ahead of time. A workshop can be provided in a standalone engagement or as part of a larger engagement. Depending on client needs, a standalone workshop can be delivered with a purely educational purpose, or as a facilitated decision-making session for security stakeholders. For more information, see our page on Security Workshops.
What are some examples of “custom consulting”?
We’ve done all kinds of consulting projects that don’t exactly fit the assessment, workshop or architecture mold. These include research projects on a particular security risk, technology or practice; competitive analyses or product strategy review for security vendors; requests for proposal (RFP) development and response evaluation for enterprises. See our service catalog menu for more details on custom consulting.
How do you price your consulting engagements?
Our preferred pricing is based on a firm fixed price estimate to provide the specified deliverables in a defined statement of work (SOW) according to a defined schedule and process.
Who would you use to deliver an engagement?
We have a core team of expert security consultants, each with over 20 years of experience across a broad spectrum of security disciplines, practices, and technologies in multiple vertical industries. We also have a small group of trusted partners with similar or complementary expertise that we can bring to the table.
How can we justify external security consulting from Security Architects Partners to our senior management?
Assuming your project need is already cost-justified on a risk basis, and that you require external consulting assistance with the project you can justify using Security Architects Partners to support it. Security Architects Partners only uses top experts in the field as its consultants. These experts have years of research and consulting experience. Dan Blum, for example, built the consulting organization for Burton Group in the early 2000s; this helped Burton Group grow more than 10-fold over the next several years. That growth could not have been achieved without hundreds of satisfied customers and continuous improvement of the research and consulting service using methodologies and best practices such as Burton Group’s Reference Architecture. We retain and have built on, the knowledge that clearly benefited so many customers. Security Architects Partners’ practice is expanding very carefully, and only leverages as partners similarly highly-experienced, high-caliber and high-integrity resources. Please let us know how we can support you with any further data to justify your desired project.
Do Security Architects Partners assist in vendor selection?
Yes. Security Architects Partners has extensive knowledge of the market and the vendors, products and cloud-based services within its areas of expertise. We also maintain policies of vendor neutrality and transparency on any dealings we have with vendors so as to avoid any real or perceived conflicts of interest for enterprise security departments, who are our core audience.
Can you help us implement the security improvements you recommend?
We will not provide implementation or integration services because we consider it important to have separation of duty between developing specifications and verifying the quality of implementations of the same specifications. However, we sometimes support and advise clients and/or third-party system integrators (SI’s) as part of our custom consulting services. Also, we have experience handing off architectures we’ve developed to qualified partner SI’s in a way that maximizes the usefulness and transfer of knowledge. Some of our clients engage us to monitor an internal or SI implementation of the architecture we recommended, and thereby keep the implementation “on the rails.”