As an independent Information Security Consultant, I can provide:
- Objectivity, experience and insight;
- A boost to your security staff in terms of expertise and efficiency;
- Credibility, for example if you need independent help achieving Security Compliance, or if someone in authority simply wants an ‘outside security expert’;
- Confidentiality and impartiality in potentially sensitive situations;
- Technical education or Employee Security Awareness Training;
- Technical facilitation/leadership, allowing your staff to fully participate in all the processes without having to fill several roles at once;
- Access to security resources that you may not have; and
- The right answers to the right questions.
With over a decade of experience in Information Security, I have a wealth of knowledge, experience and expertise, and so can help you whatever the size or nature of your business. My input will always be complementary to your business needs and objectives, whether you need assistance dealing with specific current issues or in working towards compliance with legal or regulatory requirements.
Sometimes, security problems may arise in your business that your staff can’t handle. You might consider taking on new employees to deal with the issues, but finding the right person to help from the outset will save you time and money in the long run.
A consultant should be objective and knowledgeable, capably identifying and implementing solutions more quickly and efficiently than your staff. His/her communication skills must be exceptional and s/he should possess logic and creativity in equal measure.
I work quickly without compromising quality – I have a keen attention to detail and I frequently achieve timescales that my clients considered impossible. As a lateral thinker, I bring fresh ideas to the table when other experts have given up, and I often discover the root cause where others have been concentrating on the symptoms. Unlike other security consultants you may have met before, I never say ‘no’ without first striving to find a solution you could actually implement.
I take on a cooperative role, working alongside your personnel to learn from their valuable insight and gently guiding them where necessary. I have frequently mentored other security professionals and provided bespoke education to entire technical workforces. Moreover, I am as comfortable working one-to-one with your staff as I am standing at the front of a lecture theatre addressing your entire workforce.
Below are some examples of how I’ve helped customers in the past, although the list is by no means exhaustive – 10 years’ worth of experience would fill several pages! If you have an Information Security or Assurance need that’s not covered by the examples here, I’m sure I can help – get in touch and I’ll respond quickly.
- ISO/IEC 27001 compliance/certification – I have helped clients start from scratch, defining scope, applicability and assessing current stance, as well as assisted organisations undergoing (or preparing for) compliance and certification reviews and formal audits. I have been working with the Standard and associated guidance since the early days (when it was BS7799 and then ISO17799).
- Compliance with Mandatory Requirements in the HMG Security Policy Framework, and understanding and implementation of all related Policy and Guidance documents to which it refers – this is applicable across Central and Local Government, Non-Departmental Public Bodies, Defence and even suppliers to Government. This aspect of my work is part of the remit of a CLAS Consultant – please see my separate page on CLAS Consultancy.
- Compliance with Joint Services Publication No. 440 (JSP440) and relevant Defence IA Notices – within UK Defence, this is essentially the equivalent to the Security Policy Framework – the MoD is one of the UK Government Departments that has chosen to take the Security Policy Framework and add its own enhancements, thus ensuring the required compliance with the SPF itself, but also allowing additional requirements that apply in that industry.
- Assistance with Data Protection legislation and associated guidance from the Information Commissioner’s Office (ICO) – if your organisation collects, handles or processes personal data, whether relating to the general public, customers or staff, I can help you ensure that it is being handled in line with all relevant legislation and guidance – taking steps to verify this is always less expensive than having to deal with the effects of a breach.
- On a related note, there are many specific additional requirements that relate to Government’s handling of personal data (as a result of the Data Handling Review) – I can advise on compliance with HMG Information Assurance Standard No. 6, which applies.
- Advising on Technical Security – both on a hands-on and hands-off capacity, helping organisations ensure their system configuration is as secure as it can be (without breaking it!), removing unnecessary software and services, configuring routing and firewall rulesets, etc.
- Following on from system hardening/configuration, running automated and manual Vulnerability Assessment against systems, networks and applications, internally to an organisation (perhaps to support a technical audit) or remotely, to verify security of exposed/published services, perhaps to support a wider Risk Management process. This is often referred to as Penetration Testing; please see the System/Network Health Check service and Application Security Testing page for more details.
- Advising on Cloud Security – while there are many differing definitions of a “Cloud”, including simply “The Internet”, Software/Infrastructure as a Service (SaaS/IaaS), virtualised shared hosting services or full-blown grid-based resource distribution, organisations’ needs to ensure the security of their information (and that of their customers) are ever-present.
- Provision of Security Awareness sessions, whether part of a formal training programme or as one-off sessions with developers, administrators or customer-facing staff to explain current and emerging computer threats in ways that they can identify with and understand. This can improve the application of secure coding practices, improve awareness of Data Protection requirements and increase general awareness of current threats and issues.
- Implementation of Information Security Management Systems (and processes), whether part of a wider ISO/IEC 27001 programme or in order to apply best practice across an organisation. This inevitably includes definition, creation and implementation of ongoing Risk Assessment and Management processes.
To find out how I can assist you in developing and implementing an efficient and effective security strategy, or help you to meet your existing Information Assurance targets, please use my enquiry form to get in touch. You will soon receive a response directly from me, and the initial meeting to fully define the issues you are facing is completely free of charge.
I can take specific requirements and give you an honest appraisal of how long it will take me to do the work, and how much it should cost. If you have been dealing with large consultancy firms, you might be surprised how much of your budget you can save by coming direct to me! Alternatively, if you have little information to pass to me at the outset, I will confidently talk with you about the situation until we work out the issues and how we can overcome them.