How do we define IT Security Consulting?

IT-Security Consulting
Our consulting approach focuses on improving technical IT security by addressing technical vulnerabilities with appropriate solutions that fix or minimize them. Identifying these vulnerabilities first, through measures such as penetration tests, IT audits, and similar methods, is essential to create transparency about the state of IT security.

The core responsibility of the IT Security Consulting Team is to eliminate technical vulnerabilities and security gaps by collaboratively developing suitable solutions with our clients.
Organizational aspects such as policies, requirements, and processes are then considered as supplementary measures.
Our motto is to first reduce the entry risk through concrete measures and, on that basis, proactively work on further security ideas and possibilities.

Information Security vs. IT Security Consulting

The two terms, information security and IT security consulting, are frequently used interchangeably or even misinterpreted as one and the same. But what exactly distinguishes them? Information security, which is governed by various industry standards, extends beyond IT security. It involves safeguarding valuable information of all kinds, often referred to as information assets or information values.

Information security encompasses various aspects, including physical documents and their disposal according to specific DIN standards, as well as personnel security to prevent incidents like those involving Unister's top management in 2018.

In IT security consulting, the primary focus is on the security of IT systems and components; other assets are generally not considered. The goal is to address only high-probability business risks, such as hacker attacks, data center fires, or smartphone losses due to theft.

ProSec supports you with consulting services on both paths: in information security, on the way to an Information Security Management System (ISO 27001 and BSI IT-Grundschutz, i.e. Basic Protection), or on the predominantly technical level with IT security consulting.

What sets us apart with our IT Security Consulting?

In theory, a top-down approach is prescribed for IT security. In our practical experience, however, a bottom-up approach is more appropriate. Why?

Security vulnerabilities, and with them security risks, typically arise not in concepts but in the implementation and in keeping the IT environment up to date.

Improve the level of security with IT security consulting

That is exactly where we start: in the first step, we sustainably raise a company's security level by addressing specific vulnerabilities. This buys the time to then collaboratively develop and implement concepts, processes, and guidelines effectively, based on real-world experience.

Our goal is to avoid toothless paper tigers and ensure that compliance works as it should. We prioritize pragmatism over bureaucracy.

ProSec IT security consultant during the audit

A cyber attack can impact not just your IT systems, but also your financial health and your corporate reputation.

IT-Security Consulting

Focusing on protection against hacker attacks.

We identify suspicious activities and counter them with coordinated tools and, more importantly, expertise.

Bottom up without theory

Action and project plans are always based on "Vulnerability Detection Assessments" such as Penetration Tests or Vulnerability Scans.

From practice, for practice

By combining the bottom-up approach with a top-down approach, we achieve high cost-effectiveness and avoid misinvestments in the infosec field.

Real and honest feedback

We are transparent and expect the same from the customer.

Trial period of 6 months

We often terminate customer contracts within the first 6 months because the customer has no genuine interest in security. The termination clause is mutual, as we take our work seriously!

Workshop on Prioritization

Prioritization and approach are aligned together with the creation of an action plan.

Agile processing

We use monthly iteration cycles (sprints) to complete the defined amount of work.

Quarterly or semi-annual report

We create reports for middle and top management.

Development of an information security management system

There are currently (as of January 2022) over 50 information security management systems on the market. All have advantages and disadvantages, and in the end they all attempt the same thing: to create transparency about all risks for the system's respective target group, and to enable the company to sustainably raise its information security level and keep it alive.

We essentially support 3 ISMS systems:

ISO/IEC 27001 is a recognized international standard for information security management systems. It specifies the requirements for establishing, introducing, operating, monitoring, maintaining, and improving a documented information security management system (ISMS).

The ProSec ISMS differs from existing standards in a simple way: we are not trying to reinvent the wheel, but consciously use all the controls from systems that have proven themselves, and "mix" functioning components from all current and upcoming systems, 100% transparently. This has the advantage that the effort involved in certifying against various systems is lower, and the ISMS remains generic and, above all, does not lose sight of the essentials: minimize technical risks, validate them quickly and cyclically (based on the management method "Lean Start-up"), and transfer them sustainably into internal company processes.

Common mistake in practice

Many of our business partners, whether the federal government or medium-sized companies, repeatedly make the mistake of approaching the topic of information security top-down in the form of a management system (ISO/BSI, etc.). The result, as our Quality Assurance process shows every time, is that the theoretically constructed systems can unfortunately be certified in the end, but never really provide protection against, for example, hacker attacks (which we check using penetration tests), nor are they really capable of recognizing such attacks and then reacting appropriately (see Incident Response).

After a penetration test, many of our business partners are sensitized and fall into actionism and an emotional compulsion to act. Unfortunately, this always results in significant failures and problems in IT. In addition, a penetration test, which at ProSec usually leads to a complete takeover of the IT within 8 test days, gives the impression that the solutions to the problems are just as quick and easy as our "hacks". This is a fallacy, because the reality is often exactly the mirror image: the more hacks succeed, the more fundamental the problems in IT are, and the longer and more complex their solution is.

Please trust us here, because emotional activism and underestimating the topic lead to the wrong attitude in top management: "IT security is a top priority".