Cyber effectiveness


Who we do it for

Organizations needing a comprehensive evaluation of a security program with technical validation
Executives who need quick-turn program evaluation or critical third party review
Organizations needing a comprehensive program build, designed for effectiveness

How we do it

Our approach is grounded in the belief that effective security is not an end-state so much as it is a continuing process – founded in a cycle of activity to assess, mitigate and monitor security risk. We work continuously to incorporate insights we learn from client projects, discussions with government stakeholders and interactions with solution providers into our security risk management framework. As a result, we offer clients a differentiated approach to advancing key strategic objectives.


Risk Assessment

  • Compliance mandates are “necessary but not sufficient” – planning must reflect changing business, technology, customer, regulatory and threat drivers.
  • Countermeasures must be aligned to reasonably foreseeable threat tactics, techniques and procedures.


Risk Mitigation

  • Constrain rapid spread and enable security operations to quickly and authoritatively identify, contain and recover from a compromise.
  • Anticipate implementation risks.


Risk Monitoring

  • Build in meaningful opportunities to measure program advancement through multiple lenses (risk-based countermeasures, operational performance, testing, etc.).


Preliminary Risk Assessment

Our streamlined, quick-turn assessment with a focus on cyber hygiene, foundational controls and key governance functions helps clients assess critical assets and potential threats.
  • Governance Assessment: Review of core governance functions (oversight, risk management, training, third party risk, policies)
  • Countermeasure Assessment: Focus on the most risk-reducing controls. As an option, a weighted score range based on level of implementation and perceived risk reduction
  • Testing & Validation: As an option, analysis of results from an external risk-scoring vendor

Deep Dive Risk Assessment

The deep dive risk assessment is a thorough assessment oriented around an authoritative framework, with technical testing as an option.

Governance Assessment: PRELIMINARY RISK ASSESSMENT plus…

  • Evaluation of inherent risk factors
  • Consideration of key implementation risks

Countermeasure Assessment: PRELIMINARY RISK ASSESSMENT plus…

  • Full controls assessment mapped to authoritative framework
  • TTP/threat pathway analysis based on MITRE ATT&CK model
  • Insights from technical testing

Testing & Validation: PRELIMINARY RISK ASSESSMENT plus…

  • Vulnerability assessment
  • Internal and external pen testing
  • Tool optimization analysis

Cyber Risk Management Program Build

Our cyber risk management program build is a planning project designed to leverage existing client implementations, augmenting where appropriate, to develop a cybersecurity program with demonstrated effectiveness.

Governance Assessment: DEEP-DIVE RISK ASSESSMENT plus…

  • Security strategy document
  • Review of policies / standards library
  • Implementation planning guidance

Countermeasure Design: DEEP-DIVE RISK ASSESSMENT plus…

  • Security Planning, Implementation & Reporting, informed by lessons-learned from testing, managed services, incident response and exercises
  • Security Tool Optimization
  • Managed Services as an option
  • Incident Response Services as an option
  • Exercises

Testing & Validation: DEEP-DIVE RISK ASSESSMENT plus…

  • Program metrics
  • Ongoing measurement & interpretation

How do you know if you have an effective security program?

At the Chertoff Group, we help organizations answer this question. We do so by framing security risk so that they can build strong programs that remain sustainable in times of change and communicate program effectiveness to key internal and external stakeholders.