Security Consultant, Chris Leppard, explains how you can discover your Cybersecurity Maturity Score, enabling you to prioritise cybersecurity spend and demonstrate ROI with our Aegis platform developed from decades of cybersecurity expertise.

1. The Aegis Programme
What is your Cybersecurity Maturity Score?
Presented by:
Chris Leppard CISSP, PCI QSA, ISO27001 LA
Managing Consultant – GRC / Lead QSA for CNS

2. Six Degrees – What We Do
Intelligent Growth
The Agile Workspace
Stable Foundations
Core
Infrastructure
Managed
Workplace
Business
Continuity
Cyber Security
Detection &
Defence
Unified
Communications
Simplified
Collaboration
Enterprise
Mobility
Management
Modern
Workplace
Multi-Cloud
Management
Consultancy &
Advisory
Business Insight
& Analytics
Cyber Security
Assessment &
Compliance

3. Agenda
• CNS Background & Experience
• The Role of Risk Management
• How Aegis Can Help
• Demonstration
• Questions

4. • Established in 1999
• PCI QSAC since 2008
• Consulting & technology led
• Extensive & varied client list
• Industry & pan-government
accredited
• Security cleared & vetted staff
• All full-time staff
• Acquired by Six Degrees
in 2018
About CNS Group

5. The Role of Risk Management
“Risk is like fire: If controlled it will
help you; if uncontrolled it will rise
up and destroy you.”
Theodore Roosevelt

6. Problem #1
Board-level issues
Of businesses have experienced one or more cybersecurity breaches in the past 12 months
Of medium to large enterprises have experienced one or more cybersecurity
breaches in the past 12 months
Or just three in ten businesses have a formal cybersecurity policy or policies in place
43%
27%
72%
Source: Cybersecurity Breaches Survey 2018 – HM Government
Published: 25 April 2018

7. Problem #2
Confusing and expanding compliance landscape
Data Protection Act 2018

8. Source: ENISA Threat Landscape Report for 2018
Published: January 2019
Problem #3
A challenging threat landscape

9. 0
1
2
3
4
5
6
7
8
9
10
£0
£5,000
£10,000
£15,000
£20,000
£25,000
£30,000
£35,000
£40,000
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Traditional Cyber Spend
Testing Advisory Solutions Managed Services Internal Maturity Visibility
Assess AssessFix Fix & Manage Manage
Year One Spend £138,000
Year Two Spend £245,000
Year Three Spend £245,000
Total over 3 years £628,000
Problem #4
Unpredictable and ineffective spending

10. A Aegis |Comprehensive Cybersecurity
Maturity Service
 Provide a concise and contextual reporting mechanism for situational cybersecurity to the board / stakeholders.
 Expedite cybersecurity maturity and visibility
 Show return on investment for cybersecurity spend and organise / prioritise future cybersecurity spend for
greatest risk reduction
 Highlight the greatest areas of cybersecurity weakness for immediate action and identify greatest threats to an
organisation (by type)
 Reduce a client's overall cybersecurity spend over a 3-year period
Primary Objectives

11. Aegis measures your Cybersecurity Maturity by scoring preparedness and activity across 5 domains:
 Compliance & Accreditation (10 sub-domains)
 Technical Compliance (21 sub-domains)
 Transformation & Maturity (10 sub-domains)
 Events, Alerts & Threat Intelligence (14 sub-domains)
 Governance & Policy (19 sub-domains)
74 Sub-domains selected from and common with
 International Standards Organisation (ISO) 27000/1
 Payment Card Industry (PCI) Data Security Standard (DSS)
 Top 20 Critical Control Set
 Cyber Essentials +
 Sarbanes Oxley
 EU General Data Protection Regulation
 Securities & Exchange Commission (SEC) Office of Compliance, Inspections and Examinations (OCIE)
 Public Services Network (PSN) Code of Connection
Aegis | Overview
Too often, dashboards and reviews omit one of these critical areas

12. Aegis | Overview
Different versions can be used
• Originally built as cybersecurity maturity across various domains (best practice)
• Best practice version took “best of breed” compliance regimes (5 domains) from :
 ISO 27000/1, PCI DSS, Top 20 CSC’s, Cyber Essentials +, HMG CSP, EU GDPR, NIST CSF, CSA CCM
• Feedback from customers; “love it……..but wish you had it against X or Y regime…..so, now have specific version:
 Best Practice (Original version)
 NIST Cybersecurity Framework
 ISO 27001
 PCI DSS
 Cyber Essentials +
 HMG Cloud Security Principles
 Cloud Security Alliance – Cloud Control Matrix

13. Aegis | Overview
How we intend to deliver it (lifecycle)
Phase 1
Initial Benchmark
Workshop
(Typically half day to full day event)
Phase 2
Presentation of Findings to
Client Exec
(Initial score, threat landscape,
recommendations, etc.)
1 week after Benchmark
Phase 3
Prioritised Risk Treatment
Plan (RTP)
(Taken from Aegis workstream
output)
Delivered with Presentation
Phase 4
Agreed SFIA level and
dates of return
(Dates set, not changed if at all
possible)
Project Managed
Phase 5
RTP Updates and Review
on Anniversary
(From agreed dates, typically half-
day)
Depends on results
Phase 6
Aegis Benchmark Rerun
(Based on RTP findings)
Run irrespective to demonstrate
done/not done

14. Year One Spend £138,000
Year Two Spend £245,000
Year Three Spend £245,000
Total over 3 years £628,000
Year One Spend £200,000
Year Two Spend £187,000
Year Three Spend £187,000
Total over 3 years £574,000
Compliance &
Accreditation
18
• Risk Assessment
• RTP
• ISO27001
• PCI DSS
• PSN
• DPA
• CE+
• Regulation
Technical
Compliance
12
• Build Status
• Firewall Ruleset
Review
• Penetration test
• Vulnerability Scans
• Code Review
• Patching
Transformation &
Maturity
4
• Project Status
• Outstanding Items
• Change programme
• Control Coverage
Events & Alerts
18
• SOC Report
• Incident Reporting
• Cyber Emergency
Response Team
• Internal and External
Threat Intelligence
Governance &
Policy
16
• Policy Compliance
• Policy Exceptions
• Governance
• Change Management
DomainsSub-domains
Northwind Traders
AEGIS Score: 68
Aegis
The Bench Marking Dashboard

15. Year One Spend £138,000
Year Two Spend £245,000
Year Three Spend £245,000
Total over 3 years £628,000
Assess Fix Manage
0
1
2
3
4
5
6
7
8
9
10
£0
£5,000
£10,000
£15,000
£20,000
£25,000
£30,000
£35,000
£40,000
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Aegis Programme Spend
Testing Advisory Solutions Managed Services Internal Maturity Visibility
Year One Spend £200,000
Year Two Spend £187,000
Year Three Spend £187,000
Total over 3 years £574,000
Aegis Cyber Spend for Midsize Organisation
Assurance

16. London sessions - 25 July | 22 August | 19 September
6dg.co.uk/pen-test-training
READ MORE
Whitepaper:
6dg.co.uk/cyber-security-
maturity-bridging-gap-board/