IT Security Consulting
Detection. Solution. Education.

Standards & Certifications

How do we define information security and IT security consulting?

IT Security Consulting
Our consulting approach focuses on measurably raising the technical level of IT security. In practice this means we address the concrete technical vulnerabilities in order to eliminate them, or to minimize their impact, with an appropriate solution. A prerequisite is that those weak points have first been made visible by a preliminary measure that creates transparency about the state of IT security (a penetration test, an IT audit or a comparable assessment).

The core task of the IT security consulting team is to close technical weaknesses and security gaps by developing suitable solutions together with our customers.
Organizational aspects such as guidelines, requirements and processes are then taken into account as a complementary measure.
Our motto: first reduce the probability and impact of an incident through concrete measures, then proactively work on further ideas and possibilities for improving security.

Information Security vs. IT Security Consulting

The two terms information security and IT security consulting are often used interchangeably or even understood to mean the same thing. So what is the difference? Information security, for which there are several standards on the market, is not limited to IT security; it covers information of any kind that is worth protecting (so-called information assets).

Information security therefore also covers, for example, paper documents and their disposal in accordance with the relevant DIN standards, right through to personnel security, which aims to prevent incidents such as the one involving Unister's top management in 2018.

IT security consulting, on the other hand, is explicitly concerned with the security of IT systems and their components; other assets are deliberately left out of scope. The aim is to concentrate on the business risks with a high probability of occurrence (hacker attacks, fire in the data center, loss of smartphones through theft, and so on).

ProSec supports you with consulting on both paths, whether in information security on the way to an information security management system (ISO 27001 and BSI IT-Grundschutz) or on the more technical level with IT security consulting.

How do we differ with our IT security consulting?

In theory, a top-down approach is prescribed for IT security. Based on our practical experience, we consider a bottom-up approach more appropriate. Why?

Vulnerabilities that pose a security risk usually do not arise in the concepts, but in the implementation and in keeping the IT environment up to date.

Improve the level of security with IT security consulting

This is exactly where we start: in the first step we sustainably improve a company's security level by eliminating specific weak points. That buys the time needed to work out the concepts, processes and specifications together, based on practical experience, and to implement them in a targeted manner.

In this way we avoid toothless paper tigers and ensure that compliance measures actually work as intended. Pragmatism instead of bureaucracy.


A cyber attack can affect not only your IT systems, but also your finances and your corporate image.

IT Security Consulting

Focus on protection against hacker attacks

We identify suspicious activity and counter it with coordinated tools and, far more importantly, with know-how.

Bottom Up without Theory

Action and project plans are always based on vulnerability detection assessments such as penetration tests or vulnerability analyses.

From practice for practice

By combining bottom-up with top-down, we achieve a high level of cost-effectiveness and avoid bad investments in the information security area.

Real and honest feedback

We are transparent and expect the same from the customer

Probationary period of 6 months

We often terminate customer contracts within the first 6 months because the customer has no honest interest in security. The notice period applies to both sides. We take our job seriously!

Prioritization workshop

Prioritization and the measures to be taken are agreed together, resulting in an action plan.

Agile processing

We work in monthly iteration loops (sprints) to complete the agreed amount of work.

Quarterly or semi-annual report

We create reports for middle or top management

Establishment of an information security management system

Currently (as of January 2022) there are over 50 information security management system (ISMS) frameworks on the market. Each has advantages and disadvantages, and in the end they all try to do the same thing: create transparency about all risks for the respective target group of the system, and enable the company to sustainably raise its own information security level and keep it alive.

We primarily support 3 ISMS frameworks:

ISO/IEC 27001 is a recognized international standard for information security management systems. It defines the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented information security management system (ISMS).

The ProSec ISMS differs from the existing standards in a very simple way: we do not try to reinvent the wheel. Instead, we deliberately use the controls from frameworks that have proven themselves and "mix" working components from all current, and also upcoming, frameworks, fully transparently. The advantage is that the effort required for certification against the various frameworks is lower, while the ISMS remains generic and, above all, does not lose sight of the essentials: minimize technical risks, validate them quickly and briefly in a cyclical manner (based on the management "Lean Start-up" method), and transfer them sustainably into internal company processes.

Common mistake in practice

Many of our business partners, whether federal government bodies or medium-sized businesses, repeatedly make the mistake of approaching information security top-down, in the form of a management system (ISO, BSI, etc.). Our quality assurance process then regularly shows that such theoretically built systems can indeed be certified in the end, but offer no real protection against, for example, hacker attacks (as we verify by means of penetration tests), and are not able to detect such attacks in a qualified manner and then react accordingly (cf. incident response).

After a penetration test, many of our business partners are sensitized and fall into actionism and an emotional compulsion to act. Unfortunately, this regularly results in considerable failures and problems in IT. In addition, a penetration test, which at ProSec usually leads to a complete takeover of the IT within 8 test days, creates the impression that the solutions to the problems are just as quick and easy as our "hacks". This is a fallacy; the relationship is usually the reverse. The more hacks succeed, the more fundamental the problems in the IT are, and the longer and more complex their solution becomes.

Please trust us here: emotional actionism and underestimating the topic lead to the wrong attitude in top management. IT security is a matter for the boss.