Cybersecurity Risk and Posture Assessment

Long View’s approach to cybersecurity reporting is right sizing the strategy recommendations and the report for your organization. All organizations have different requirements so one solution does not work for everyone. Additionally, a report hundreds of pages long will typically go unread and unresolved. Core to our approach are the following principles:

• Incorporate established industry assessment frameworks as inputs to ensure guidance and recommendations are based on systematic methodology and quantifiable data, rather than subjective feelings
• Prioritize the implementation of basic security measures before proposing more advanced solutions for your enterprise environment
• While it is not feasible to fully eliminate risk, it is important to prioritize the protection of critical assets, for the short- and long-term
• The cybersecurity strategy is developed with the needs and concerns of multiple stakeholders in mind, including business leadership, IT leadership, and the team responsible for implementing the strategy
• The report serves as the foundation for a successful cybersecurity program and must be aligned with the goals and objectives of your business

The written strategy is typically 30-40 pages with the following elements:

• Executive Summary to provide your business leaders budget requirements to move forward, timeline, five (5) key findings, and five (5) calls to action
• Assessment Methodology discussing the frameworks leveraged
• Current State Observations and Recommendations broken down into three (3) themes based on the findings for all levels of the business
• Roadmap based on approximately ten (10) initiatives/projects in alignment with the three (3) main themes discovered during assessment, and high-level budgetary estimates/hours of effort to implement
• After the baseline assessment, two (2) additional Target State Assessments are created leveraging the roadmap to predict potential state half-way through the roadmap, and upon completion of the roadmap
• Evidence provided in a clickable Appendix for each framework assessed, for when your organization/team wants to dive into specific details

Core to the assessment process are business and technical workshops. These workshops should not be considered an audit, and instead are intended to be collaborative and educational. These workshops are used to gain insight into upcoming projects, pain points, and educate the teams regarding security technologies and concepts.

The business workshop typically takes three (3) hours spread over three (3) sessions with the goal of understanding the alignment of your business and IT needs (and direction), processes and procedures (including effectiveness), risk management, organizational structure, staffing, budget, and roadmap brainstorming. Stakeholders typically involved in these workshops include IT directors and executives such as CIO, CISO, and CFO.

The technical workshop is interactive and typically takes eight (8) hours spread out over several days. The technical workshops work through all the safeguards of the 18 CIS Controls (153) and are used to provide context into any gaps within business and technical processes, as well as any vulnerabilities to the organization. Typically, these workshops involve staffing from security and infrastructure teams. Participation from both technical and management resources are important to understand how the IT and security teams interact with the business.