We provide support to clients challenged with defining, managing and articulating the results of Cybersecurity and risk programs.

Goliath provides CISO-level support for organizations needing additional guidance on implementing strategic plans, aligning with the business against industry compliance and goals, managing existing projects and more.

We provide an experienced vCISO who can support existing CISO(s) or step in to provide CISO-level leadership in case of an open position.


What can a Goliath vCISO do for you?

  • Breach/Incident Response Plan

    o Review/update Breach Response plan
    o Create communications templates
    o Conduct Tabletop exercises with Business and IT

  • Secure Software Development Lifecycle

    o Work with Project Management Team to provide Information Security guidance on new projects
    o Implement Secure Code reviews/assessments/scanning

  • Lack of appropriate Security Policy Framework

    o Failure to comply with documentation that DOES exist
    o Absence of periodic review and update based on current environment

  • Privileged Access Issues

    o No least privilege policy (too many people with privileged access)
    o No periodic review / attestation of privileges
    o Failed regulatory compliance for SOX/HIPAA/PCI, etc.

  • Vulnerability and Patch Life Cycle

    o Lack of policy/standards to guide/enforce appropriate patching
    o No regular Vulnerability Assessments across the complete network
    o Windows OS somewhat patched, but other platforms missed
    o Middleware and applications completely missed

  • Monitoring, Reporting and Alerting Issues

    o Either no monitoring is in place, or critical assets are not all monitored
    o No understanding of “use cases” for alerting/reporting
    o No regular review of alerts / reports

  • Ongoing Posture Metrics and Trending

    o Security metrics not collected/reviewed
    o No “posture” visibility to the Corporate Executive
    o No baseline established for comparisons
    o No weekly/quarterly trends to gauge improvements

  • Security Awareness

    o Build or review current Security Awareness program
    o “Dated” annual presentation
    o Proper attestation as to employee understanding


  • Security Policy Framework
    o Review and update Information Security Policy
    o Review and update Information Security Standards
    o Review and Update Information Security Procedures

  • Security Awareness
    o Review and update/create Security Awareness program
    o Roll-out Awareness program to employees and manage

  • Security Liaison with Executive Council, Auditors

    o Manage communications with board of directors
    o Manage internal and external information security audits

  • Privileged Access Management

    o Conduct privileged access discovery
    o Clean up excessive privileged accounts
    o Develop periodic review process / attestation of privileges
    o Validate compliance for SOX/HIPAA/PCI, etc.

  • Vulnerability and Patch Life Cycle

    o Implement regular vulnerability assessment program
    o Review and update patch management process based on vulnerability scan results

  • Monitoring, Reporting, and Alerting Issues

    o Review current log event management
    o Update/Create log/event management infrastructure
    o Develop use cases based on business requirements
    o Create regular review of alerts/reports

  • Ongoing Posture Metrics and Trending

    o Collect, document, review security metrics
    o Develop dashboards and baselines for information security
    o Provide executive reporting on Security Posture

  • 3rd Party Assessments

    o Review security controls of 3rd party infrastructure/software/service providers