There are many (MANY!) cybersecurity consulting companies out there. But their business model is usually the following:
- Perform a security assessment or a penetration test
- Based on the results, resell as many security products and solutions for a commission as they can
- Profit quickly, leaving your actual security posture where it was, with a few ‘security solutions’ installed. In essence, these are not security companies but efficient security product resellers who use their penetration tests as a business development tool.
I do everything differently.
- I also perform a security assessment, but a very in-depth, security architecture and NIST 800-53 based one
- I then create a comprehensive Information Security Program for you – a strategic but also deeply technical plan for protecting 14 (or more) cybersecurity areas, which cover the 17 cybersecurity attack types and protect your people, processes and technology from an architectural point of view, without purchasing ANY commercial products or solutions.
- Each of the 14 cybersecurity areas covered is usually split into multiple mini-projects, and each project’s performance and status is tracked on a dashboard, so you can see your defenses improve every day for the duration of the Information Security Program implementation.
- It does take longer, but in the end you will be secure.