Security Posture Review: The Process
This article introduces Red Siege's Security Posture Review (SPR) service and its application in a case study at a fictional law firm, Medin & Partners. Through phased security assessment and improvement measures (such as tightening access controls, deploying an MDM solution and updating the incident response plan), the firm significantly improved its security posture within six months. The article emphasizes cultural challenges and the importance of continuous improvement, and shows the value of the SPR in meeting compliance requirements, strengthening client trust and avoiding potential losses. 2025-1-28 20:12:18 Author: redsiege.com

The Security Posture Review (SPR) is the newest addition to our suite of security offerings at Red Siege. We’ve combined our collective experiences in red team, blue team, and security operations protocols to provide comprehensive security posture reviews for small to mid-sized organizations across multiple industries. To provide a better understanding of our SPR offering at Red Siege, we’d like to provide a practical example of an engagement with a (fictional) mid-sized law firm, Medin & Partners. During our introductory call with Medin & Partners, our consultants noted security gaps and concerns highlighted by their Director of Security. With that information in hand, along with details gathered during subsequent scoping calls, we were able to plan our recommended engagement course of action. The following story is fictional and does not depict any actual person or event.

Initial Engagement Scope

Medin & Partners had growing process and policy concerns following a rival firm’s highly publicized security incident. With 85 attorneys across three offices and a growing portfolio of corporate clients, they needed to ensure their security controls matched their risk profile. Our team was tasked with conducting a full security posture review, including:

  • Network architecture assessment

  • Access control evaluation

  • Document management system security

  • Employee security practices

  • Incident response capabilities

  • Physical security assessment

Key Findings

Our assessment revealed several critical* areas requiring immediate attention:

The firm’s document management system, while feature-rich, had poorly configured access controls. We discovered that over 40% of confidential client files were accessible to all employees, violating the principle of least privilege.
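The least-privilege check behind that finding can be expressed as a small audit: resolve each document's ACL to the set of users who can actually read it (expanding nested groups), then measure how many confidential files are readable by every employee. The script below is an added example, not Red Siege's tooling or the firm's document management system; the group tree, file paths and classifications are constructed sample data, and the `all-employees` group name and the 50% "broadly shared" threshold are assumptions chosen for illustration. The `exposure_pct` it returns is the same kind of figure as the "exposed confidential documents" metric tracked later in the engagement.

```python
"""Audit document ACLs for least-privilege violations (added example, constructed data)."""

# Constructed sample group tree: a group may contain users or other groups.
GROUPS = {
    "all-employees": ["attorneys", "paralegals", "it-staff"],
    "attorneys": ["partners", "associates"],
    "partners": ["alice", "bob"],
    "associates": ["carol"],
    "paralegals": ["dave"],
    "it-staff": ["erin"],
    "matter-1042-team": ["alice", "carol", "dave"],
}

# Constructed sample document ACLs: "readers" holds users and/or group names.
DOCUMENTS = [
    {"path": "/clients/acme/merger-agreement.docx", "classification": "confidential",
     "readers": ["all-employees"]},
    {"path": "/clients/acme/nda.pdf", "classification": "confidential",
     "readers": ["matter-1042-team"]},
    {"path": "/clients/globex/litigation-hold.docx", "classification": "confidential",
     "readers": ["attorneys"]},
    {"path": "/firm/holiday-schedule.pdf", "classification": "internal",
     "readers": ["all-employees"]},
    {"path": "/clients/initech/term-sheet.docx", "classification": "confidential",
     "readers": ["bob", "paralegals"]},
]


def expand_principals(name, groups, path=frozenset()):
    """Resolve a user or (nested) group name to the set of concrete users.

    `path` tracks the groups already on the current expansion chain so a
    cyclic group definition terminates instead of recursing forever.
    """
    if name in path:                      # cycle guard
        return set()
    if name not in groups:                # leaf: a user account
        return {name}
    users = set()
    for member in groups[name]:
        users |= expand_principals(member, groups, path | {name})
    return users


def effective_readers(doc, groups):
    """Union of every principal on the document's ACL, fully expanded."""
    readers = set()
    for principal in doc["readers"]:
        readers |= expand_principals(principal, groups)
    return readers


def audit_exposure(documents, groups, everyone="all-employees", broad_fraction=0.5):
    """Report confidential documents readable by all staff or by a broad share of staff.

    Returns a dict with the list of fully exposed paths, the exposure percentage
    (exposed / confidential), and documents readable by at least `broad_fraction`
    of staff without being exposed to everyone.
    """
    staff = expand_principals(everyone, groups)
    confidential = [d for d in documents if d["classification"] == "confidential"]
    exposed_to_all, broadly_shared = [], []
    for doc in confidential:
        readers = effective_readers(doc, groups) & staff
        if staff <= readers:
            exposed_to_all.append(doc["path"])
        elif len(readers) / len(staff) >= broad_fraction:
            broadly_shared.append((doc["path"], len(readers)))
    pct = 100.0 * len(exposed_to_all) / len(confidential) if confidential else 0.0
    return {
        "confidential_total": len(confidential),
        "exposed_to_all": exposed_to_all,
        "exposure_pct": pct,
        "broadly_shared": broadly_shared,
    }


if __name__ == "__main__":
    report = audit_exposure(DOCUMENTS, GROUPS)
    print(f"{report['exposure_pct']:.1f}% of confidential documents readable by all staff")
    for path in report["exposed_to_all"]:
        print("  exposed to everyone:", path)
    for path, n in report["broadly_shared"]:
        print(f"  broadly shared ({n} readers):", path)
```

Run it once before remediation to baseline the exposure figure, then again after ACL changes to show the reduction; the same output, pointed at an export of real group and ACL data, is what a "reduction in exposed confidential documents" metric is built on.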

Remote work policies, hastily implemented during the pandemic, had created numerous gaps that had never been evaluated for security risk. Partners were using personal devices without encryption or remote wipe capability to access sensitive client data.

Backup systems were inconsistently tested, and the disaster recovery plan hadn’t been updated to reflect current cloud-based operations. Their incident response plan was also stale, and critical contact information was outdated, potentially adding hours to incident response time.

*Although we documented numerous high but non-critical issues, we’re limiting to critical findings to make this a quick read rather than a grueling 40-page blog post. 😊

Strategic Recommendations

Rather than overwhelming Medin & Partners with a laundry list of security tools, we developed a phased approach with recommendations focused on their highest risks first:

Identify (First 30 Days)

  • Implement immediate access control changes in document management system

  • Deploy MDM solution for all remote devices

  • Update and test incident response procedures

Enhance (60-90 Days)

  • Roll out enhanced security awareness training

  • Implement automated document retention policies

  • Deploy enhanced endpoint protection

Strengthen (90-180 Days)

  • Establish security metrics and reporting

  • Implement continuous security monitoring

  • Develop long-term security roadmap

Implementation Challenges

The biggest challenge wasn’t technical – it was cultural. Law firms traditionally prioritize attorney autonomy and convenience. Red Siege needed to demonstrate how security controls could enhance rather than hinder productivity.

Our solution was to involve key stakeholders in the tool selection process and customize security policies to align with their workflow. For example, we recommended their IT Department configure their MDM solution to create separate containers for personal and professional data, addressing privacy concerns while maintaining security.

Measurable Results

Six months post-implementation, our metrics showed significant improvements:

  • 95% reduction in exposed confidential documents

  • 100% of remote devices now properly secured

  • 87% decrease in policy violations

  • Successful disaster recovery test completed in under 4 hours

  • Successful incident response tabletop exercise completed in under 2 hours, as compared to 8-10 hours in initial evaluation

Red Siege successfully concluded the SPR engagement for Medin & Partners by aligning the scope of the SPR with the goals of Medin & Partners’ strategic initiatives: to improve their overall security posture and to enable sustainable business growth while maintaining the trust of their clients and partners. Our SPR helped Medin & Partners achieve both objectives, making the SPR one of their most valuable strategic investments last year.

Value

The value Red Siege delivered with our SPR extended beyond immediate security improvements. Our review helped Medin & Partners meet regulatory requirements, strengthen client trust, and avoid potential breaches that could have resulted in millions in damages and reputational harm. The CISO later shared that our findings helped secure additional budget for security initiatives and highlighted the importance of regular security assessments to the board.

This engagement reinforced that even organizations with mature security programs benefit from expert external reviews. Fresh eyes often shine a light on blind spots that internal teams may miss, and our experienced consultants at Red Siege help translate technical findings into business impacts that will undoubtedly resonate with leadership.

Deliverable: What’s going to be in your SPR report?

This is the big show! Regardless of your organization’s size or industry, we’ll deliver a comprehensive report that documents detailed findings and presents an executive summary of the current state of security within your organization. We’ll work with your team to make recommendations for a remediation roadmap that considers the severity of security findings as well as business needs. We’ll even help define success for your organization as you monitor the status of your new or modified security roadmap over the next 30, 60, and 90 days.

We’re here to call out your organization’s wins as well as areas of opportunity. We want to celebrate your security successes and our SPR reflects the robust security measures already in place across your infrastructure and operations. We’ll highlight your areas of strength while identifying opportunities for continuous enhancement of your security policies and controls. Through the course of our review process, we’ll do a deeper dive into areas we believe would benefit from additional resources or investment.

Speaking of Continuous Enhancement: When and how often should your organization perform an SPR?

There is never a wrong time to conduct an SPR. Your organization may have already conducted internal reviews, conducted or contracted penetration tests, or may be in the very early stages of shoring up your overall security. Our experienced consultants typically advise conducting SPRs annually, but Red Siege uniquely offers customized, targeted SPRs with smaller scopes. In these cases, we may recommend a shorter cadence of reviews, typically bi-annually or quarterly, based on your overall risk profile and business needs.

Click here to learn the differences between an SPR and a penetration test and how they can complement each other.

The Red Siege SPR Difference

At Red Siege, we’re not just adding another service – we’re providing a strategic partner to help you navigate the complex world of cybersecurity. Whether you’re a startup or an enterprise, we’ve got you covered. The SPR from our team of experts examines not just your technical defenses, but also the people, processes, and policies that underpin your organization’s security.

Interested in learning more? Drop us a line. We can’t wait to help level up your security game.

Source: https://redsiege.com/blog/2025/01/security-posture-review-the-process/