Decision Support
About IANS
IANS, Inc.
Headquarters: Boston, MA
617.399.8100
www.iansresearch.com
info@iansresearch.com
The IANS mission: To support the information security professional in reducing risk and increasing
leadership within their organization.
IANS provides you with in-depth insights and decision support on your most challenging information
security topics. We help you make better, faster decisions and assist you in embedding information
security into the fabric of the business. Through a mix of research, consulting and interactions with
a peer community of security professionals and the IANS Faculty of experts, we act as a comprehensive
resource for your information security team.
IANS was founded in 2001 as The Institute for Applied Network Security. We have educated and
supported thousands of information security teams on current and emerging threats, technologies,
and risk mitigation, as well as with technical and leadership training.
Exclusive Security Focus
IANS works solely with IT security, risk management, and compliance issues.
Our specialization in these areas gives us a depth of knowledge and focus
that differentiates us from other decision support and advisory services
in the marketplace today.
Peer Community
With over 100 end-user security events annually, focused on both technical
and strategic topics, IANS is unmatched in the level of peer-to-peer interaction
we offer our clients.
Practitioner vs Analyst
IANS Faculty Members are expert information security practitioners who
deliver insights based on real-world experiences, enabling IANS to provide
more value than a typical analyst firm.
Extension of your Team
Our hands-on expertise enables IANS to act as a supplement to your security
team, filling in skill gaps and serving as an objective viewpoint.
To help navigate these challenges, IANS offers Decision Support: an annual
subscription service that connects you with knowledge resources and leading experts
who provide technical insights and strategic advice, delivered via peer-based events,
personal inquiries, and written research on IANS’ online portal.
Typical consulting and analyst/advisory services provide only a high-level viewpoint, relying
on management consulting axioms and stack rankings of technologies as a decision-support
model for dealing with challenges. IANS believes that this model falls short in today's world of
evolving cyber threats. IANS Decision Support delivers practitioner-level insights and step-by-step
recommendations, enabling your information security team to take immediate action.
IANS supplements your team with skills and advice that can be
applied to virtually any type of information security challenge. There
are no limitations to how you can use your Decision Support Service.
• Inquiries through our Ask-an-Expert service are unlimited.
• Attendance at IANS events is open to all clients.
• All of the content published to our research portal is made available with no restrictions.
IANS’ Decision Support is designed to address the two topmost challenges
facing information security professionals today:
Reduce Risk
Through expert advice, educational content, and peer
community events, IANS helps you make faster, more
informed decisions around information security, compliance
and risk management issues – allowing you to reduce the
information security risk that your organization faces and
help strengthen your position within an evolving market.
➔ Ask-an-Expert Inquiry
➔ Ask-an-Expert Answers
➔ Faculty Reports
➔ InfoSec Newsflashes
➔ Information Security Forums
➔ Webinars
➔ Symposiums
Increase Leadership
Technical skills, while essential, are not enough on their
own to deliver maximum value to the business. In order
to deliver true impact, you must establish yourself as a
leader who can transform information security into an
integral component of your organization. IANS’ CISO Impact
framework provides you with the ability to assess your
team's current state, identify strengths and weaknesses,
prioritize goals, build action plans to accelerate
improvement, and measure progress over time.
➔ Diagnostic Self-Assessment
➔ Custom Workbooks
➔ CISO Impact Center
➔ CISO Impact Roundtable
➔ CISO Impact Workshop
➔ Connector Events
About Decision Support
The increasing complexity of decisions, the rate of technological change, and the resulting resource constraints all hamper the ability of information security teams.
IANS Faculty
IANS Decision Support is spearheaded by the IANS Faculty: a diverse group of expert practitioners who understand the key issues
you face, diagnose those challenges and deliver actionable recommendations, research, and data to help you achieve fast and successful
results. Because our Faculty work in the industry, and don't just write about it, they are uniquely qualified to provide real-world,
actionable, field-tested advice to even the most advanced security teams. The IANS Faculty includes:
• SANS Institute instructors and curriculum authors
• Several founding members of the Penetration Testing Execution Standard (PTES)
• Authors of well-known security books, including the author of Metasploit: The Penetration Tester's Guide and the author of Offensive Countermeasures: The Art of Active Defense
• Ex-CISOs of Fortune 1000 companies
• Major contributors to open source projects like Metasploit, MobiSec, and SamuraiWTF.
IANS’ Faculty deliver technical and strategic insights that help clients reduce risk and elevate the information security leadership
role within their organizations.
A sample group of IANS Faculty Members is below; for a complete list of our Faculty, please visit the IANS website.
Dave Shackleford, Founder and Principal Consultant with Voodoo Security. Specialties: Security Operations, Infrastructure Security, Information Protection
Gunnar Peterson, Managing Principal at Arctec Group. Specialties: Identity & Access Management, Application Security, Security Management
Dave Kennedy, President and CEO of TrustedSec. Specialties: Information Protection, Application Security, Infrastructure Security
Paul Asadoorian, Founder and CEO of Security Weekly. Specialties: Security Operations, Information Protection, Infrastructure Security
Davi Ottenheimer, President of flyingpenguin; EMC Senior Director of Trust. Specialties: Security Operations
John Strand, Senior Security Analyst/Principal of Black Hills Information Security. Specialties: Security Operations, Information Protection, Security Management
Marcus Ranum, Chief of Security for Tenable Network Security. Specialties: Security Operations, Application Security
Kevin Johnson, CEO & Security Consultant with Secure Ideas. Specialties: Application Security, Security Operations, Infrastructure Security
Through our Ask-an-Expert (AAE) service, you will access a virtual team of security experts who act as an extension of your team
and provide you with the knowledge, skills, and expertise you need to solve challenges as they arise.
Clients submit unlimited AAE inquiries on topics and issues critical to their information security needs. The IANS Client Services team evaluates
your request and, based on the subject of your question and your knowledge of the topic, matches you with the appropriate IANS Faculty
Member. Depending on your preference, the answer to your AAE can be delivered as a written report or through a one-on-one phone call with
the IANS Faculty Member.
Ask-an-Expert
Step 1: Submit your question through the IANS Portal or by calling your Account Manager.
Step 2: IANS Client Services receives and evaluates your question.
Step 3: Your question is assigned to an IANS Faculty Member.
Sample AAE Questions
Q: Internal Audit identified inability to block TOR as an item. We want to be able to block TOR connections from our network, but what is the best way to go about this?
A: Blocking TOR Connections
Q: We are looking to engage a service that will monitor social and underground networks for signs of attacks against company executives (cyber and physical). In addition, it should monitor the executives' use of the Internet to ensure they are protected. Can IANS offer some suggestions?
A: Review of Executive Cyber-Protection Services
Q: What does upper management typically want to see in a GRC tool? What kind of metrics? How should we show risk? How should we articulate risk to the business? For example, has the risk gone up or down, and how can we leverage GRC for this?
A: Designing GRC for Senior Leadership
Reduce Risk
Decision Support clients have access to the online IANS Portal, an always-on content resource that contains thousands of
research articles, news updates, Ask-an-Expert responses, and IANS event takeaways. Anonymized questions submitted
by clients and answers from the IANS Faculty are published on the Portal daily, giving you a real-time point of view on the
challenges and topics that are facing information security teams.
IANS Portal Content Categories
• Faculty Insights: Research-based documents written by Faculty on topics most relevant to clients.
• AAE Answers: Written summaries of IANS' most popular Ask-an-Expert calls.
• InfoSec Newsflashes: Timely responses from IANS Faculty on breaking information security news stories.
• Forum Insights: Summaries of the key findings from roundtable discussions at IANS Information Security Forums.
• Symposium Summaries: Summaries of key takeaways and actionable insights on deeply technical topics discussed at IANS Symposiums.
• Webinar Summaries: Slide decks, summary reports, and videos of Decision Support webinars.
The Ask-an-Expert Tracker is a live feed of the Ask an Expert (AAE) queries
posed to IANS Faculty during the past 12 months. This Portal feature provides you
with a searchable listing of AAEs, giving you insight into the questions that your
peers are asking and allowing you to determine “am I asking the right questions?”
Recent questions posed to our experts include:
• Can IANS provide some guidance on what is deemed acceptable for internal penetration tests to satisfy PCI penetration testing requests? We have a list of 94 internal applications that are not covered by our normal application hacking routines (because they don't have the risk/exposure rate to require them by our normal programs). What (affordable) offerings do others use to handle this? Is there a standard PCI approach?
Answer: Penetration Testing with an Eye Towards PCI Compliance
• Can IANS provide benchmark data on Security Staffing?
Answer: Sizing and Scoping the Security Team
• We are conducting a deferred maintenance risk assessment of our platforms (i.e., determining if we are running platforms such as Windows 2003, which will soon be out of support). Does IANS have any benchmarks in this area that would allow us to compare the age and supportability of our systems with other organizations?
Answer: Assessing the Risk of Using End-of-Life Products
Online Portal
SEE QUESTIONS CLIENTS ARE ASKING
Reduce Risk
Unlike typical analyst firm "thought pieces," IANS content is highly actionable, containing step-by-step recommendations as well as pointers to other on-line resources that you can use to take immediate action.
Our research topics are influenced by our clients' needs. The inquiries submitted to our experts give us a clear line of sight into the
issues that are most relevant to information security professionals. The Faculty researches and publishes responses to these issues
on the Portal, with company-specific information removed, providing you and your team with the opportunity to have your own specific
questions answered as well as real-time access to the questions and answers of other information security professionals.
Below is a sampling of IANS’ planned research content in 2015, organized into the eight categories which make up our 2015 curriculum taxonomy:
Research Curriculum
Think Business
• By the Numbers: Tracking Metrics That Matter to the Business (Faculty Report)
• Social Media and Security Awareness: Getting Them in Sync (Faculty Report)
• Preserving Evidential Admissibility When Logging and Monitoring (Answers)
Tame Compliance
• Quarterly International Security, Privacy and Compliance Laws Update (Faculty Report)
• GRC in the Cloud: Is It Ready for Prime Time? (Faculty Report)
• The EU Data Protection Directive Explained (Event Takeaway)
• Audit Logging in a Hybrid Cloud Environment (Answers)
Improve Visibility
• SIEM Use Cases: An Overview (Faculty Report)
• Log Monitoring 2.0: Honing in on What Really Matters (Faculty Report)
• Integrating Behavioral Detection into the Security Program: Practical Strategies (Event Takeaway)
• Building a Purple Team Capability (Answers)
Regain Control
• Security in the Emerging SDN World (Faculty Report)
• The Dark Side of IoT: Ensuring Your Network Can't Be Turned Against You (Faculty Report)
• From Dropbox to OneDrive: Securing Cloud Storage (Event Takeaway)
• Getting a Handle on Browser Data Collection (Answers)
Fight Advanced Malware
• Best Practices in C2 Hunt Teaming (Faculty Report)
• Retailer PoS: Securing the Weakest Link (Faculty Report)
• SDLC Strategies for Security (Faculty Report)
• Recognizing a Slow Burn: Tricks for Uncovering Slow, Stealthy Malware (Event Takeaway)
• Identifying and Defending the Attack Surface (Answers)
Provide Perimeter-less Data Protection
• Quarterly Cloud Security Update (Faculty Report)
• Mobile Authentication: Limiting the Avenues of Attack (Faculty Report)
• Document Sharing: Beyond Email (Faculty Report)
• Best Practices in Securing Hybrid Clouds (Event Takeaways)
Foster Talent
• Don't Get Yourself Outsourced – or Are You Up to the Soft Skills Challenge? (Faculty Report)
• Tools vs. Staffing: Getting the Balance Right (Faculty Report)
• Tips for Acing the CISSP Exam (Answers)
Do More With Less
• A Comparison of Big Name Security Suites (Faculty Report)
• Security Budget Zero: Quick Wins at Low/No Cost (Faculty Report)
Reduce Risk
CISO Impact
As technology evolves at an exponentially rapid pace, Information Security teams must reduce risk by protecting business’ assets and
client data – while confronting increasingly frequent and complex challenges. This mission is complicated by a lack of control over the
people and processes that expose the organization to risk through their day-to-day operations.
Technical skills, while essential, are not enough on their own to effectively combat these challenges and
manage organizational risk. Information Security must also proactively engage with business leaders and
work to accomplish two objectives:
• Align security's focus with business strategies, and
• Embed security practices more deeply into the business.
IANS has developed the CISO Impact framework to assist security leaders and their teams in achieving these goals. Through interviews and
assessments of more than 600 security leaders at large enterprise organizations, we discovered a set of capabilities that we call the 7 Factors
of CISO Impact. These Factors are crucial to success and founded on business acumen and management skills often lacking among security
leaders with deep technical backgrounds.
In order to deliver maximum impact, security leaders must develop their team’s skill sets in each of these Factors, learn to speak the language
of the business, and drive deeper organizational engagement. Towards this end, IANS’ CISO Impact framework provides you with the ability
to assess your team’s current state, identify strengths and weaknesses, prioritize goals, build action plans to accelerate improvement, and
measure progress over time.
Increase Leadership
7 Factors of CISO Impact:
• Communicate the Value of Information Security
• Organize for Success
• Develop a Technical- & Business-Capable Team
• Run Infosec Like A Business
• Embed Information Security
• Gain Command of the Facts
• Get Business Leaders to Own Risk
Getting Started
The CISO Impact framework is designed to support senior leaders in driving information security deeper into the fabric of
the business and delivering increased value to the organization. Working to improve your performance across the 7 Factors
of CISO Impact will help you develop business and management skills that increase the impact that you and your team can
have on your organization's success.
What Will CISO Impact Do For Me?
Through peer group exercises and expert-led discussion, you will build new insights into how to:
• Take a leadership role in defining meaningful information security risk metrics and reporting at the highest levels of the organization
• Gain the cooperation of business leaders in building an inventory of key assets and establishing consensus on the business impact of loss
• Develop policies and processes that foster and drive accountability for information security risk by business leaders
• Win agreement from business leaders to weave information security into the fabric of business operations, for example, implementing code verification into SDLCs
• Ensure that Information Security is always included in the vendor assessment process and, over time, moves up the food chain to strategic decisions, such as M&A
• Run your shop like an efficient and effective business with measurable, concrete value delivery to the company
• Attract and retain talent that your team needs to become effective matrix risk professionals
• Establish and deliver a brand message for information security that truly captures its vital value, and elevates the CISO's stature as an accepted business leader
Diagnostic: A 25-question online self-assessment tool that quantifies the maturity of your information security organization against the 7 Factors. Receive immediate comparison data on where you stand versus your industry peers.
Roundtable: Review and discuss the 7 Factors at a gathering of CISO-level peers. Explore common challenges and solutions in a private, closed-door session.
Workshop: Focus in on one of the 7 Factors in a half-day deep-dive gathering of CISO-level peers. Develop an action plan based on individual work, peer review, and IANS facilitation and support.
Increase Leadership
Peer Community Events
The IANS peer community is made up of thousands of information security professionals, ranging from technical practitioners
to senior executive leaders. IANS facilitates an ongoing and diverse set of events that provide our community with educational
resources and peer-to-peer engagement around the most pressing technical and strategic topics. Our clients have unanimously
agreed that IANS’ peer communities are among the top resources they count on to support their decision-making and
professional development objectives.
Participants are eligible to receive 1 CPE credit per hour of the event.
For a full schedule of IANS peer community events, visit our website.
Reduce Risk
Webinars
Decision Support Webinars are hour-long interactive
discussions examining hot topics in information
security. Held once a month and conducted by IANS
Faculty, they will arm you with the insights, tools
and strategies you need to navigate the trends and
innovations of information security. Our webinars
are attended by hundreds of information security
professionals who engage in rich Q & A sessions
with IANS Faculty and their peers.
Symposiums
Symposium events are end-user only explorations of
technical and operational information security topics,
moderated by IANS Faculty. During a symposium,
you will join a community of senior information
security professionals for in-depth discussions,
peer-to-peer sharing and actionable information that
you can start using right away. Symposium topics are
selected by IANS clients and our dynamic research
curriculum process. Sample topics include:
• Architecting the Cloud for Security Success
• Finding the Lurkers: C2 Detection / Hunt Teaming
• Learning From Patient Zero: Dissecting Recent Data Breaches to Evolve Our Defenses
Forums
Information Security Forums bring together experienced IT and information
security practitioners for confidential information sharing on the industry’s
most important issues, technologies and trends. These two-day events
include keynote addresses, technical and strategic roundtable discussions,
networking events and the opportunity to learn about new technologies.
Peer Community Events
Increase Leadership
CISO Impact Roundtable
The CISO Impact Roundtable is a one-day, CISO-only
meeting held at IANS Information Security Forums
throughout the year where you will:
• Learn how to interpret your CISO Impact Diagnostic Report and, through discussions with your peers, see how your practices and performance compare to those of your fellow attendees.
• Gain an understanding of the 7 Factors of CISO Impact and how the CISO Impact Program will help you increase your performance across each Factor.
• Use IANS-designed worksheets to guide you in identifying your competencies and gaps in one or more of the 7 Factors, and determine where to prioritize efforts.
• Hear how others have overcome obstacles from IANS experts and your peers.
CISO Impact Workshop
The CISO Impact Workshop is a half-day deep-dive into
one of the 7 Factors of CISO Impact, where you will
evaluate your current performance in a specific Factor
and develop an action plan for improvement. Workshops
will provide you with strategies for achieving success in
real-world situations. For example, you’ll learn how to:
• Establish and deliver a brand message for information security that truly captures its vital value, and elevates the CISO's stature as an accepted business leader.
• Win agreement from business leaders to weave information security into the fabric of business operations, for example, implementing code verification into the SDLC.
• Attract and retain talent that your team needs to become effective matrix risk professionals.
• Take a leadership role in defining meaningful information security risk metrics and reporting at the highest levels of the organization.
Connector Events
Connector Events bring together small groups of senior level information
security professionals from a broad spectrum of industries and experiences
for facilitated deep-dive discussions of important challenges and solutions in
the information security space.
2015 IANS Decision Support Overview

  • 1.
  • 2.
    About IANS IANS, Inc. Headquarters:Boston, MA 617.399.8100 www.iansresearch.com info@iansresearch.com The IANS mission: To support the information security professional in reducing risk and increasing leadership within their organization. IANS provides you with in-depth insights and decision support on your most challenging information security topics. We help you make better, faster decisions and assist you in embedding information security into the fabric of the business. Through a mix of research, consulting and interactions with a peer community of security professionals and the IANS Faculty of experts, we act as a comprehensive resource for your information security team. IANS was founded in 2001 as The Institute for Applied Network Security. We have educated and supported thousands of information security teams on current and emerging threats, technologies, and risk mitigation, as well as with technical and leadership training. Exclusive Security Focus IANS works solely with IT security, risk management, and compliance issues. Our specialization in these areas gives us a depth of knowledge and focus that differentiates us from other decision support and advisory services in the marketplace today. Peer Community With over 100 end-user security events annually, focused on both technical and strategic topics, IANS is unmatched in the level of peer-to-peer interaction we offer our clients. Practitioner vs Analyst IANS Faculty Members are expert information security practitioners who deliver insights based on real-world experiences, enabling IANS to provide more value than a typical analyst firm. Extension of your Team Our hands-on expertise enables IANS to act as a supplement to your security team, filling in skill gaps and serving as an objective viewpoint.
  • 3.
    To help navigatethese challenges, IANS offers Decision Support: an annual subscription service that connects you with knowledge resources and leading experts who provide technical insights and strategic advice, delivered via peer-based events, personal inquiries, and written research on IANS’ online portal. Typical consulting and analyst/advisory services provide only a high-level viewpoint, relying on management consulting axioms and stack rankings of technologies as a decision-support model for dealing with challenges. IANS believes that this model falls short in today world of evolving cyber threats. IANS Decision Support delivers practitioner-level insights and step-by-step recommendations, enabling your information security team to take immediate action. IANS supplements your team with skills and advice that can be applied to virtually any type of information security challenge. There are no limitations to how you can use your Decision Support Service. • Inquiries through our Ask-an-Expert service are unlimited. • Attendance at IANS events is open to all clients. • All of the content published to our research portal is made available with no restrictions. IANS’ Decision Support is designed to address the two topmost challenges facing information security professionals today: Reduce Risk Through expert advice, educational content, and peer community events, IANS helps you make faster, more informed decisions around information security, compliance and risk management issues – allowing you to reduce the information security risk that your organization faces and help strengthen your position within an evolving market. ➔➔ Ask-an-Expert Inquiry ➔➔ Ask-an-Expert Answers ➔➔ Faculty Reports ➔➔ InfoSec Newsflashes ➔➔ Information Security Forums ➔➔ Webinars ➔➔ Symposiums Increase Leadership Technical skills, while essential, are not enough on their own to deliver maximum value to the business. 
In order to deliver true impact, you must establish yourself as a leader who can transform information security into an integral component of your organization. IANS’ CISO Impact framework provides you with the ability to assess your team’s current state, identify strengths and weakenesses, prioritize goals, build action plans to accelerate improvement, and measure progress over time. ➔➔ Diagnostic Self-Assessment ➔➔ Custom Workbooks ➔➔ CISO Impact Center ➔➔ CISO Impact Roundtable ➔➔ CISO Impact Workshop ➔➔ Connector Events About Decision Support The increasing complexity of decisions, the rate of technological change, and the resulting resource constraints all hamper the ability of information security teams.
  • 4.
    IANS Faculty IANS DecisionSupport is spearheaded by the IANS Faculty: a diverse group of expert practitioners who understand the key issues you face, diagnose those challenges and deliver actionable recommendations, research, and data to help you achieve fast and successful results. Because our Faculty work in the industry - and don’t just write about it - they are uniquely qualified to provide real-world, actionable, field-tested advice to even the most advanced security teams.The IANS Faculty includes: • SANS Institute instructors and curriculum authors • Several founding members of the Penetration Testing Execution Standard (PTES) • Authors of well-known security books, including the author of Metasploit: The Penetration Testers Guide and the author of Offensive Countermeasures: The Art of Active Defense • Ex-CISOs of Fortune 1000 companies • Major contributors to open source projects like Metaspolit, MobiSec, and SamuraiWTF. IANS’ Faculty deliver technical and strategic insights that help clients reduce risk and elevate the information security leadership role within their organizations. A sample group of IANS Faculty Members is below; for a complete list of our Faculty, please visit the IANS website. 
Dave Shackleford Founder and Principal Consultant with Voodoo Security Specialties: Security Operations, Infrastructure Security, Information Protection Gunnar Peterson Managing Principal at Arctec Group Specialties: Identity & Access Management, Application Security, Security Management Dave Kennedy President and CEO of TrustedSec Specialties: Information Protection, Application Security, Infrastructure Security Paul Asadoorian Founder and CEO of Security Weekly Specialties: Security Operations, Information Protection, Infrastructure Security Davi Ottenheimer President of flyingpenguin EMC Senior Director of Trust Specialties: Security Operations John Strand Senior Security Analyst/Principal of Black Hills Information Security Specialties: Security Operations, Information Protection, Security Management Marcus Ranum Chief of Security for Tenable Network Security Specialties: Security Operations, Application Security Kevin Johnson CEO & Security Consultant with Secure Ideas Specialties: Application Security, Security Operations, Infrastructure Security
  • 5.
    Through our Ask-an-Expert(AAE) service, you will access a virtual team of security experts who act as an extension of your team and provide you with the knowledge, skills, and expertise you need to solve challenges as they arise. Clients submit unlimited AAE inquiries on topics and issues critical to their information security needs. The IANS Client Services team evaluates your request and, based on the subject of your question and your knowledge of the topic, matches you with the appropriate IANS Faculty Member. Depending on your preference, the answer to your AAE can be delivered as a written report or through a one-on-one phone call with the IANS Faculty Member. Ask-an-Expert Step 1: Submit your question through the IANS Portal or by calling your Account Manager. Sample AAE Questions Step 2: IANS Client Services recieves and evaluates your question. Step 3: Your questions is assigned to an IANS Faculty Member. Q: Internal Audit identified inability to block TOR as an item. We want to be able to block TOR connections from our network but what is the best way to go about this? A: Blocking TOR Connections Q: We are looking to engage a service that will monitor social and underground networks for signs of attacks against company executives (cyber and physical). In addition, it should monitor the executives’ use of the Internet to ensure they are protected. Can IANS offer some suggestions? A: Review of Executive Cyber-Protection Services Q: A: What does upper management typically want to see in a GRC tool? What kind of metrics? How should we show risk? How should we articulate risk to the business? For example, has the risk gone up or down - how can we leverage GRC for this? Designing GRC for Senior Leadership Reduce Risk
  • 6.
Online Portal
Reduce Risk

Decision Support clients have access to the online IANS Portal, an always-on content resource that contains thousands of research articles, news updates, Ask-an-Expert responses, and IANS event takeaways. Anonymized questions submitted by clients and answers from the IANS Faculty are published on the Portal daily, giving you a real-time point of view on the challenges and topics that are facing information security teams.

Unlike typical analyst firm “thought pieces,” IANS content is highly actionable, containing step-by-step recommendations as well as pointers to other online resources that you can use to take immediate action.

IANS Portal Content Categories
• Faculty Insights: Research-based documents written by Faculty on topics most relevant to clients.
• AAE Answers: Written summaries of IANS’ most popular Ask-an-Expert calls.
• InfoSec Newsflashes: Timely responses from IANS Faculty on breaking information security news stories.
• Forum Insights: Summaries of the key findings from roundtable discussions at IANS Information Security Forums.
• Symposium Summaries: Summaries of key takeaways and actionable insights on deeply technical topics discussed at IANS Symposiums.
• Webinar Summaries: Slide decks, summary reports, and videos of Decision Support webinars.

SEE QUESTIONS CLIENTS ARE ASKING

The Ask-an-Expert Tracker is a live feed of the Ask-an-Expert (AAE) queries posed to IANS Faculty during the past 12 months. This Portal feature provides you with a searchable listing of AAEs, giving you insight into the questions that your peers are asking and allowing you to determine “am I asking the right questions?” Recent questions posed to our experts include:

• Can IANS provide some guidance on what is deemed acceptable for internal penetration tests to satisfy PCI penetration testing requests? We have a list of 94 internal applications that are not covered by our normal application hacking routines (because they don’t have the risk/exposure rate to require them by our normal programs). What (affordable) offerings do others use to handle this? Is there a standard PCI approach?
  Answer: Penetration Testing with an Eye Towards PCI Compliance
• Can IANS provide benchmark data on Security Staffing?
  Answer: Sizing and Scoping the Security Team
• We are conducting a deferred maintenance risk assessment of our platforms (i.e., determining if we are running platforms such as Windows 2003, which will soon be out of support). Does IANS have any benchmarks in this area that would allow us to compare the age and supportability of our systems with other organizations?
  Answer: Assessing the Risk of Using End-of-Life Products
Research Curriculum
Reduce Risk

Our research topics are influenced by our clients’ needs. The inquiries submitted to our experts give us a clear line of vision into the issues that are most relevant to information security professionals. The Faculty researches and publishes responses to these issues on the Portal (company-specific information is removed), providing you and your team with the opportunity to have your own specific questions answered as well as real-time access to the questions and answers of other information security professionals. Below is a sampling of IANS’ planned research content in 2015, organized into the eight categories which make up our 2015 curriculum taxonomy:

Think Business
• By the Numbers: Tracking Metrics That Matter to the Business (Faculty Report)
• Social Media and Security Awareness: Getting Them in Sync (Faculty Report)
• Preserving Evidential Admissibility When Logging and Monitoring (Answers)

Tame Compliance
• Quarterly International Security, Privacy and Compliance Laws Update (Faculty Report)
• GRC in the Cloud: Is It Ready for Prime Time? (Faculty Report)
• The EU Data Protection Directive Explained (Event Takeaway)
• Audit Logging in a Hybrid Cloud Environment (Answers)

Improve Visibility
• SIEM Use Cases: An Overview (Faculty Report)
• Log Monitoring 2.0: Honing in on What Really Matters (Faculty Report)
• Integrating Behavioral Detection into the Security Program: Practical Strategies (Event Takeaway)
• Building a Purple Team Capability (Answers)

Regain Control
• Security in the Emerging SDN World (Faculty Report)
• The Dark Side of IoT: Ensuring Your Network Can’t Be Turned Against You (Faculty Report)
• From Dropbox to OneDrive: Securing Cloud Storage (Event Takeaway)
• Getting a Handle on Browser Data Collection (Answers)

Fight Advanced Malware
• Best Practices in C2 Hunt Teaming (Faculty Report)
• Retailer PoS: Securing the Weakest Link (Faculty Report)
• SDLC Strategies for Security (Faculty Report)
• Recognizing a Slow Burn: Tricks for Uncovering Slow, Stealthy Malware (Event Takeaway)
• Identifying and Defending the Attack Surface (Answers)

Provide Perimeter-less Data Protection
• Quarterly Cloud Security Update (Faculty Report)
• Mobile Authentication: Limiting the Avenues of Attack (Faculty Report)
• Document Sharing: Beyond Email (Faculty Report)
• Best Practices in Securing Hybrid Clouds (Event Takeaways)

Foster Talent
• Don’t Get Yourself Outsourced – or Are You Up to the Soft Skills Challenge? (Faculty Report)
• Tools vs. Staffing: Getting the Balance Right (Faculty Report)
• Tips for Acing the CISSP Exam (Answers)

Do More With Less
• A Comparison of Big Name Security Suites (Faculty Report)
• Security Budget Zero: Quick Wins at Low/No Cost (Faculty Report)
CISO Impact
Increase Leadership

As technology evolves at an exponentially rapid pace, Information Security teams must reduce risk by protecting business assets and client data, while confronting increasingly frequent and complex challenges. This mission is complicated by a lack of control over the people and processes that expose the organization to risk through their day-to-day operations. Technical skills, while essential, are not enough on their own to effectively combat these challenges and manage organizational risk. Information Security must also proactively engage with business leaders and work to accomplish two objectives:
• Align security’s focus with business strategies, and
• Embed security practices more deeply into the business.

IANS has developed the CISO Impact framework to assist security leaders and their teams in achieving these goals. Through interviews and assessments of more than 600 security leaders at large enterprise organizations, we discovered a set of capabilities that we call the 7 Factors of CISO Impact. These Factors are crucial to success and founded on business acumen and management skills often lacking among security leaders with deep technical backgrounds. In order to deliver maximum impact, security leaders must develop their team’s skill sets in each of these Factors, learn to speak the language of the business, and drive deeper organizational engagement. Towards this end, IANS’ CISO Impact framework provides you with the ability to assess your team’s current state, identify strengths and weaknesses, prioritize goals, build action plans to accelerate improvement, and measure progress over time.

7 Factors of CISO Impact
• Communicate the Value of Information Security
• Organize for Success
• Develop a Technical- & Business-Capable Team
• Run Infosec Like A Business
• Embed Information Security
• Gain Command of the Facts
• Get Business Leaders to Own Risk
Getting Started
Increase Leadership

The CISO Impact framework is designed to support senior leaders in driving information security deeper into the fabric of the business and delivering increased value to the organization. Working to improve your performance across the 7 Factors of CISO Impact will help you develop business and management skills that increase the impact that you and your team can have on your organization’s success.

What Will CISO Impact Do For Me?

Through peer group exercises and expert-led discussion, you will build new insights into how to:
• Take a leadership role in defining meaningful information security risk metrics and reporting at the highest levels of the organization
• Gain the cooperation of business leaders in building an inventory of key assets and establishing consensus on the business impact of loss
• Develop policies and processes that foster and drive accountability for information security risk by business leaders
• Win agreement from business leaders to weave information security into the fabric of business operations – for example, implementing code verification into SDLCs
• Ensure that Information Security is always included in the vendor assessment process, and over time, moves up the food chain to strategic decisions, such as M&A
• Run your shop like an efficient and effective business with measurable, concrete value delivery to the company
• Attract and retain talent that your team needs to become effective matrix risk professionals
• Establish and deliver a brand message for information security that truly captures its vital value, and elevates the CISO’s stature as an accepted business leader

Diagnostic: A 25-question online self-assessment tool that quantifies the maturity of your information security organization against the 7 Factors. Receive immediate comparison data on where you stand versus your industry peers.

Roundtable: Review and discuss the 7 Factors at a gathering of CISO-level peers. Explore common challenges and solutions in a private, closed-door session.

Workshop: Focus in on one of the 7 Factors in a half-day deep-dive gathering of CISO-level peers. Develop an action plan based on individual work, peer review, and IANS facilitation and support.
Peer Community Events
Reduce Risk

The IANS peer community is made up of thousands of information security professionals, ranging from technical practitioners to senior executive leaders. IANS facilitates an ongoing and diverse set of events that provide our community with educational resources and peer-to-peer engagement around the most pressing technical and strategic topics. Our clients have unanimously agreed that IANS’ peer communities are among the top resources they count on to support their decision-making and professional development objectives. Participants are eligible to receive 1 CPE credit per hour of the event. For a full schedule of IANS peer community events, visit our website.

Webinars
Decision Support Webinars are hour-long interactive discussions examining hot topics in information security. Held once a month and conducted by IANS Faculty, they will arm you with the insights, tools and strategies you need to navigate the trends and innovations of information security. Our webinars are attended by hundreds of information security professionals who engage in rich Q & A sessions with IANS Faculty and their peers.

Symposiums
Symposium events are end-user-only explorations of technical and operational information security topics, moderated by IANS Faculty. During a symposium, you will join a community of senior information security professionals for in-depth discussions, peer-to-peer sharing and actionable information that you can start using right away. Symposium topics are selected by IANS clients and our dynamic research curriculum process. Sample topics include:
• Architecting the Cloud for Security Success
• Finding the Lurkers: C2 Detection / Hunt Teaming
• Learning From Patient Zero: Dissecting Recent Data Breaches to Evolve Our Defenses

Forums
Information Security Forums bring together experienced IT and information security practitioners for confidential information sharing on the industry’s most important issues, technologies and trends. These two-day events include keynote addresses, technical and strategic roundtable discussions, networking events and the opportunity to learn about new technologies.
Peer Community Events
Increase Leadership

CISO Impact Roundtable
The CISO Impact Roundtable is a one-day, CISO-only meeting held at IANS Information Security Forums throughout the year where you will:
• Learn how to interpret your CISO Impact Diagnostic Report and, through discussions with your peers, see how your practices and performance compare to those of your fellow attendees.
• Gain an understanding of the 7 Factors of CISO Impact and how the CISO Impact Program will help you increase your performance across each Factor.
• Use IANS-designed worksheets to guide you in identifying your competencies and gaps in one or more of the 7 Factors, and determine where to prioritize efforts.
• Hear how others have overcome obstacles from IANS experts and your peers.

CISO Impact Workshop
The CISO Impact Workshop is a half-day deep-dive into one of the 7 Factors of CISO Impact, where you will evaluate your current performance in a specific Factor and develop an action plan for improvement. Workshops will provide you with strategies for achieving success in real-world situations. For example, you’ll learn how to:
• Establish and deliver a brand message for information security that truly captures its vital value, and elevates the CISO’s stature as an accepted business leader.
• Win agreement from business leaders to weave information security into the fabric of business operations – for example, implementing code verification into the SDLC.
• Attract and retain talent that your team needs to become effective matrix risk professionals.
• Take a leadership role in defining meaningful information security risk metrics and reporting at the highest levels of the organization.

Connector Events
Connector Events bring together small groups of senior-level information security professionals from a broad spectrum of industries and experiences for facilitated deep-dive discussions of important challenges and solutions in the information security space.