Security Consulting Firms

Explore top LinkedIn content from expert professionals.

  • View profile for Amine El Gzouli

    Amazon Security | Sr. Security & Compliance Specialist | Turning InfoSec compliance into a growth engine: Reduce risk, cut red tape, and move at business speed

    5,484 followers

    “We are ISO 27001 certified, are we DORA compliant?” Not so fast. ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

    1. Regulatory vs. Voluntary Framework
    ↳ ISO 27001 – A voluntary international standard for information security management.
    ↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

    2. Scope and Focus
    ↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
    ↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

    3. Key Compliance Gaps
    🔸 Incident Reporting
    ↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
    ↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.
    🔸 Security Testing
    ↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
    ↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.
    🔸 Third-Party Risk Management
    ↳ ISO 27001 – Covers supplier risk but with general security controls.
    ↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

    4. How can financial institutions and ICT providers address the delta?
    ✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
    ✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
    ✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
    ✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
    ✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

    💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.

    👇 What’s the biggest challenge in aligning with DORA? Let’s discuss.
    ♻️ Repost to help someone. 🔔 Follow Amine El Gzouli for more.

  • View profile for Linda Tuck Chapman - LTC

    CEO Third Party Risk Institute™. Best source for gold‑standard third party risk management Certification and Certificate programs, bespoke training, and our searchable Resource Library. See you in class!

    25,139 followers

    Most third-party risk teams I speak with face the same challenge: Small staff, large vendor portfolios. 💼

    The data backs this up:
    - The average portfolio is ~286 vendors; most TPRM teams have fewer than 10 staff.
    - 94% of teams say they cannot assess all vendors due to a lack of time or resources.
    - Nearly 50% of companies admit they don’t even reassess all vendors periodically.
    - Assessment cycles average 37+ hours per week, with vendor responses dragging 12+ days and 84% needing follow-ups.

    So, how do you cover more risk without more people? Here are some simple recommendations:
    ✅ Tier ruthlessly – Auto-tier vendors into 4 levels; reserve full assessments + monitoring for Tier 1.
    ✅ Use what exists – Accept SOC 2, ISO, or SIG Lite when fresh instead of sending new questionnaires.
    ✅ Streamline questionnaires – Keep only two: Core and Lite, with “proof selector” options to reduce doc sprawl.
    ✅ Event-based reassessments – Trigger quick checks after major incidents or CVEs instead of annual reviews for all.
    ✅ Automate workflows – SLA boards, templates, and parallel legal/security reviews speed decisions.
    ✅ Blend capacity – In-house for critical vendors, managed services, or external reviewers for overflow.

    Six metrics to prove efficiency to your board:
    1) Coverage – % of Tier 1–2 assessed & monitored
    2) Cycle Time – intake → decision
    3) Risk Impact – remediation in 30/60/90 days
    4) Accepted Risk Backlog – trend line
    5) Reviewer Hours – per completed assessment
    6) Cost – per Tier 1 decision

    Bottom line: You don’t need to assess every vendor equally. Focus depth where it matters, streamline the rest, and measure results.

    #ThirdPartyRiskManagement #TPRM #VendorRisk #OperationalResilience #RiskManagement #CyberRisk #Governance #Compliance #Procurement #SupplyChainRisk

  • View profile for Joyce Chang

    Managing Director and Chair, Global Research

    26,939 followers

    Thrilled to share our latest episode of “All into Account,” J.P. Morgan’s podcast covering the fast-moving world of cybersecurity. I was joined by lead analyst for our annual report, Amy Ho (Strategic Research), Brian Essex, CFA (Security Software Equity Research), Pat Opet (Global Chief Information Security Officer), and JF L. (Deputy CISO & Global Technology Chief Control Manager) for a deep dive into the trends shaping the industry.

    Key insights from our discussion and new report:
    ➡️ Cybercrime costs are projected to soar to $10.5 trillion in 2025—nearly 50x global cybersecurity investment.
    ➡️ AI is transforming the threat landscape, making attacks faster and more sophisticated, but it’s also strengthening defenses through smarter network monitoring and threat detection.
    ➡️ State actors are increasingly targeting critical infrastructure, and the number of active ransomware groups has doubled in the past three years.
    ➡️ AI-driven fraud and digital payment losses are set to triple to $40 billion by 2027.
    ➡️ Quantum computing is on the horizon, with the potential to break today’s cryptographic standards by 2035, with greater government investment anticipated.
    ➡️ The shortage of cybersecurity professionals continues to drive up the cost and impact of breaches.
    ➡️ Cyber insurance adoption is rising, yet regulatory approaches remain fragmented across regions.

    Thank you to my colleagues for sharing their expertise on these critical issues. Tune in for our perspectives on the future of cybersecurity, industry investment, and risk management! Listen to the full podcast here: https://lnkd.in/ep-bAm2k

  • View profile for Amit Jaju (LinkedIn Influencer)

    Global Partner | LinkedIn Top Voice - Technology & Innovation | Forensic Technology & Investigations Expert | Gen AI | Cyber Security | Global Elite Thought Leader - Who’s who legal | Views are personal

    14,477 followers

    Your “star employee” might be presenting to the board in the morning… …and cloning your entire trading platform at night. That’s not a movie plot. That’s a real investigation my team and I handled for a fintech where:
    - Source code and trading algorithms were stolen
    - Customer data walked out the door
    - A “new competitor” launched with a suspiciously similar platform
    And it was all done by their own employees.

    In my new video, I break down how we cracked the case using:
    - Digital forensics (logs, devices, repositories, VPN trails)
    - AI-based pattern and code similarity analysis
    - Forensic interviews that shift from “I don’t remember” to “Let me explain…”
    - Tight coordination with General Counsel and external law firms to make the case court-ready from Day 1.

    If you’re a GC, CXO, or Board member in a data-heavy business (fintech, SaaS, trading, platforms) and you rely on proprietary IP, this is exactly the scenario you don’t want to face unprepared. 🎥 Watch the full breakdown in the video. Your IP is already under attack. The only question is whether you’ll find out in time, and whether you’ll be able to prove it. DM or Comment "Insider" to plan your protection against rogue insiders.

    #forensics #cybersecurity #fintech #insiderthreat #digitalforensics #legal #generalcounsel #trading #AI #investigations #dataprotection

  • View profile for Şebnem Elif Kocaoğlu Ulbrich, LL.M., MLB

    Tech, Marketing and Expansion Advisor I LinkedIn Top Voice I Published Author I FinTech & LegalTech Expert I Columnist (Fintech Istanbul, Fortune, PSM) I LinkedIn Creator Program Alum I Entrepreneur Coach

    11,194 followers

    💡 DORA and the Boardroom: Why Third-Party Risk Is Now a Strategic Issue, Not Just a Compliance Task

    The EU’s Digital Operational Resilience Act (DORA) is redefining what “sound governance” means in finance. In our latest blog, featuring insights from our partner Anne Leslie CISM CRISC CCSP (IBM), we explore how DORA turns third-party and ICT-vendor management into a board-level responsibility, not a back-office process.

    🔹 Changes: DORA moves the conversation from “Do we have a vendor register?” to “Do we understand the operational dependencies behind every critical service?” Boards are now expected to ensure resilience across the financial supply chain, including the subcontractors (“nth parties”) several layers deep.

    🔹 Why this matters: Operational resilience is no longer just a technology topic. It’s directly tied to business continuity, reputation, and regulatory standing. Executives must be able to answer:
    – Which vendor outage could halt our core services tomorrow?
    – How concentrated is our risk across a few major ICT providers?
    – Have we negotiated audit, exit, and resilience clauses that actually work in practice?

    🔹 Anne’s Recommendations: Anne’s article highlights that the most prepared institutions are already:
    ✅ Mapping dependencies end-to-end, across functions and business units.
    ✅ Embedding resilience metrics and KPIs into vendor scorecards.
    ✅ Treating supplier transparency and collaboration as strategic differentiators, not cost drivers.

    At Contextual Solutions GmbH, we see this mindset shift firsthand. The institutions that treat DORA as a transformation catalyst, rather than another compliance burden, build not only stronger controls but also more trusted ecosystems.

    DORA will challenge boards to own operational resilience. Those who respond proactively (by strengthening supplier transparency, inter-institution collaboration, and strategic contingency planning) will emerge with a competitive edge and a more credible governance posture.

    👉 Read the full article here: https://lnkd.in/dZcvKeYG

    #DORA #OperationalResilience #Governance #RiskManagement #BoardLeadership #Fintech #Banking #Regtech

  • View profile for Steven Kiernan

    Senior Vice President, Channels at Omdia (formerly Canalys)

    27,682 followers

    The Cybersecurity Titans beat their forecasts to fly past $13 billion in revenue last quarter. The titans - an index of 18 large cyber vendors - saw their Q2 revenues up 14.6%, to $13.47 billion, despite prolonged sales cycles and ongoing headwinds. The Cybersecurity Titans’ growth far outpaced the growth of IT spending as a whole (8%), and was way ahead of GDP growth (2%).

    Some things stood out to our analysts:

    1. ARR growth remained robust. CrowdStrike’s ARR hit US$4.6 billion, as it progressed toward its US$10 billion FY2031 target. Palo Alto Networks’ NGS ARR reached US$5.6 billion, as it progressed toward its US$15 billion goal. Zscaler’s ARR passed US$3 billion, SentinelOne’s ARR crossed US$1 billion and Trend Micro’s Vision One ARR grew 94%.

    2. Flexible purchasing programs gaining importance. Zscaler’s Z-Flex, launched in May, generated over US$100 million in TCV bookings, marking 50% quarter-on-quarter growth. CrowdStrike surpassed 1,000 Falcon Flex customers, with over 100 re-Flexing their agreements, driving a 50% ARR uplift. SentinelOne launched its SentinelOne Flex offering and Qualys introduced Qualys Units (QLUs) in the quarter.

    3. Proactive security a growing priority. Check Point Software acquired VERITI to enhance its threat exposure management offering for multi-vendor environments. CrowdStrike’s Exposure Management module crossed US$300 million in ARR. PANW launched Exposure Management with Cortex XSIAM 3.0. Vulnerability management specialists Qualys, Rapid7 and Tenable are evolving to focus on more proactive exposure management.

    The titans’ full-year forecast is expected to hit 13.7%.

    The Cybersecurity Titans are: Akamai Technologies, Check Point Software, Cisco, Cloudflare, CrowdStrike, CyberArk, Elastic, F5, Fortinet, Okta, Palo Alto Networks, Qualys, Rapid7, SentinelOne, Tenable, Trend Micro, Varonis, Zscaler. (The largest cyber vendor missing from the index is Microsoft - that’s because they don’t break out their cyber revenue on a quarterly basis, a critical criterion for inclusion.)

  • View profile for Joseph Church

    CEO/Founder

    3,360 followers

    📱 Mobile Forensics Breakthrough: The Case of the "Secure" Messaging App

    A corporate espionage case hinged on communications sent through an encrypted messaging app that claimed to leave "no trace." The suspect had deleted all conversations and performed a factory reset.

    Challenge: Extract evidence from a wiped device using an app designed for anonymity.

    Our approach:
    🔧 Advanced physical extraction techniques
    🔧 SQLite database reconstruction from unallocated space
    🔧 Encryption key recovery from system partitions
    🔧 Timeline correlation with network traffic analysis

    The breakthrough came when we discovered the app's "secure delete" function wasn't as secure as advertised. Hidden database fragments contained message metadata, contact information, and partial conversation threads.

    Result: Complete conversation recovery spanning 8 months, revealing the entire conspiracy network.

    This case demonstrates why mobile device forensics requires more than standard tools - it demands deep technical knowledge and creative problem-solving.

    Key lesson: No digital communication is ever truly "gone" if you know where to look and have the expertise to find it.

    Facing complex mobile evidence challenges? 📧 consulting@digitalshield.net

    #MobileForensics #DigitalForensics #CyberInvestigation #DataRecovery
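    The mechanism behind "the app's secure delete wasn't as secure as advertised" can be shown on a desk, without any phone. The script below is an added example, not code from the post's author or from any real messaging app: it builds a throwaway SQLite message store with a constructed table layout and constructed sample messages, deletes one conversation the way an app's "delete chat" button would (a targeted DELETE), and then carves the raw .db file for printable runs, ignoring what SQLite still considers allocated. With SQLite's default behaviour a deleted row is only unlinked into the page's free-block list and its bytes stay on disk; with PRAGMA secure_delete=ON the freed bytes are zeroed. The example sets the pragma explicitly in both directions because the compile-time default differs between SQLite builds. Real recoveries also have to look at freelist pages, WAL and rollback journals, and overflow pages; this only shows the in-page residue.

```python
"""Added example: residue of "deleted" SQLite rows with and without secure_delete.

The table layout and the messages are constructed for the demo; they are not
any real app's schema or data.
"""

import os
import re
import shutil
import sqlite3
import tempfile

# Constructed sample chat history. The "competitor" thread is the one the
# suspect later deletes in-app.
SAMPLE_MESSAGES = [
    ("alice", "Board deck v3 attached, see slide 12 for the roadmap"),
    ("competitor", "Pushing the full trading-engine repo tonight via the usual channel"),
    ("bob", "Lunch at 1? The usual place by the station"),
    ("competitor", "Customer export is 41,000 rows, do you want CSV or parquet"),
]
DELETED_PEER = "competitor"
DELETED_BODIES = [body for peer, body in SAMPLE_MESSAGES if peer == DELETED_PEER]


def carve_printable_runs(path: str, min_len: int = 12) -> list:
    """Crude carver: every run of >= min_len printable ASCII bytes anywhere in
    the file, whether or not SQLite still considers those bytes allocated."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def simulate_app(secure_delete: bool) -> dict:
    """Create a message store, delete one thread, then carve the raw file.

    Returns {"live": bodies still returned by SELECT,
             "fragments": printable runs carved from the raw .db bytes}.
    """
    workdir = tempfile.mkdtemp(prefix="sqlite-residue-")
    path = os.path.join(workdir, "messages.db")
    try:
        con = sqlite3.connect(path)
        # Set explicitly so the demo does not depend on how this SQLite was
        # compiled (some distributions enable SQLITE_SECURE_DELETE by default).
        con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        con.execute(
            "CREATE TABLE messages(id INTEGER PRIMARY KEY, peer TEXT, body TEXT)"
        )
        con.executemany(
            "INSERT INTO messages(peer, body) VALUES (?, ?)", SAMPLE_MESSAGES
        )
        con.commit()
        # The app's "delete conversation" action. A targeted DELETE frees the
        # row cells inside the b-tree page; without secure_delete SQLite only
        # rewrites the first few bytes of each freed cell (the free-block link),
        # so the text payload survives until the space is reused.
        con.execute("DELETE FROM messages WHERE peer = ?", (DELETED_PEER,))
        con.commit()
        live = [row[0] for row in con.execute("SELECT body FROM messages ORDER BY id")]
        con.close()
        fragments = carve_printable_runs(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"live": live, "fragments": fragments}


def recovered_deleted_bodies(result: dict) -> list:
    """Deleted message bodies that the query layer no longer returns but that
    can still be read straight out of the raw file."""
    return [
        body
        for body in DELETED_BODIES
        if body not in result["live"]
        and any(body in frag for frag in result["fragments"])
    ]


if __name__ == "__main__":
    for flag in (False, True):
        res = simulate_app(secure_delete=flag)
        print(
            "secure_delete=%s: live rows=%d, deleted bodies recoverable=%d"
            % ("ON" if flag else "OFF", len(res["live"]), len(recovered_deleted_bodies(res)))
        )
```

    Running it shows two live rows in both cases, but both "deleted" bodies are carved back out of the file when secure_delete is OFF and none when it is ON. That difference is the whole story of an app whose delete button issues a DELETE and calls it "secure": unless the engine is told to scrub freed cells (and journals, WAL and freelist pages are handled too), the text is still in the file for anyone with a physical extraction.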

  • View profile for Nur Imroatun Sholihat

    Learning IT and auditing? Let’s do it together

    8,391 followers

    The IIA has released the Third-Party Topical Requirement. It sets a clear baseline for how internal auditors must assess risks linked to vendors, suppliers, contractors, and even downstream partners.

    Why does this matter? Because working with third parties always comes with risks: strategic, operational, reputational, financial, legal, cyber, and even sustainability. When they fail, your organization suffers. The key reminder: Outsourcing the work does not mean outsourcing accountability. The primary organization always owns the risk.

    The requirement covers three big areas:
    ↳ Governance: Is there a formal approach, clear roles, policies, and timely reporting on third-party performance and risks?
    ↳ Risk management: Are risks identified, prioritized, and reviewed regularly with proper responses and escalation processes?
    ↳ Controls: Is there due diligence, strong contracts, onboarding, ongoing monitoring, incident management, and structured offboarding?

    Actionable Insights:
    ↳ Treat third-party risks as part of your risk universe.
    ↳ Don’t just rely on contracts. Test how effective monitoring and escalation processes really are.
    ↳ Keep an updated inventory of all third-party relationships. It sounds basic, but many organizations miss this.
    ↳ Make sure third-party offboarding includes revoking access and securing sensitive data.

    Reference: Third-Party Topical Requirement. 2025. The Institute of Internal Auditors, Inc (link to download in the comments)

    #internalaudit #ITaudit #digitaltransformation

  • View profile for Jason Saltzman (LinkedIn Influencer)

    Insights @ a16z | Former Professional 🚴♂️

    36,315 followers

    Cybersecurity is having its AI moment. Every security leader is now building, acquiring, and partnering to execute a dual strategy:
    1) AI for Security: Using AI to detect threats
    2) Security for AI: Protecting AI workloads

    While a flurry of acquisitions grabs headlines (Palo Alto Networks <> CyberArk, F5 <> CalypsoAI, Check Point <> Lakera, CrowdStrike <> Pangea), our CB Insights analysis reveals the massive scale of partnerships as the real accelerator, with security leaders racing to build AI partnerships at unprecedented scale, including 300+ in the last 5 years.

    Why? Partnerships deliver what building and buying can't:
    ✓ Speed to market when AI threats evolve daily
    ✓ Access to specialized AI expertise at the frontier
    ✓ Scale to match a $230B market opportunity by 2032

    Already, partnership performance speaks volumes:
    ↳ CrowdStrike: Record $221M net new ARR through AI partnerships
    ↳ Zscaler: AI partnership-driven growth surpassed $1B ARR
    ↳ Palo Alto Networks: Sold 3M+ browser licenses in Q4 for AI agent security
    ↳ SentinelOne: Purple AI grew triple digits with 30%+ attach rates
    ↳ Cloudflare: AI inference requests exploded 4,000% YoY via partnerships
    ↳ F5: Hardware revenue up 39% YoY, driven by AI-ready infrastructure partners

    The cybersecurity leaders who thrive in the AI era will be the ones who are closest to the emerging frontiers of AI, driven by more partnerships and more acquisitions.

  • View profile for Hemang Doshi

    Next100 CIO Awardee, IT - Cyber Security Leadership, Audit Compliance, Cloud, Digital Transformation, Technology AI Evangelist, Strategic Planning, P&L Owner, 30+ years Building Resilient Global Infrastructures

    9,349 followers

    Third-Party Risk: The Hidden Cybersecurity Battlefield in Modern Supply Chains

    In our interconnected digital ecosystem, your security posture is only as strong as your weakest vendor. Modern enterprises rely on hundreds of third-party vendors, creating an exponentially expanding attack surface. Supply chain attacks have become the preferred vector for sophisticated threat actors. Instead of targeting well-defended enterprises directly, attackers exploit vulnerabilities in trusted vendors to simultaneously breach hundreds of downstream organizations.

    Game-Changing Examples
    SolarWinds (2020): Compromised software updates affected 18,000+ customers including Fortune 500 companies and government agencies, demonstrating how a single vendor breach cascades across entire sectors.
    MOVEit (2023): A single vulnerability led to data breaches affecting over 600 organizations globally, showcasing the massive scale of modern supply chain impacts.

    Why Third-Party Risk Monitoring is Critical
    Continuous Visibility: Traditional annual assessments are insufficient. Organizations need real-time monitoring of vendor security posture, breach notifications, and compliance status changes.
    Risk Amplification: When attackers target managed service providers or software vendors, the impact multiplies across all their clients. One compromised vendor can expose thousands of organizations simultaneously.
    Regulatory Liability: With GDPR, CCPA, and emerging supply chain regulations, organizations face increasing liability for third-party security failures. Proactive monitoring demonstrates due diligence.

    Building Effective Defense
    Continuous Assessment: Implement real-time vendor risk scoring across your entire ecosystem
    Zero Trust Extension: Apply least-privilege access controls to all third-party connections
    Incident Response Integration: Ensure your IR plans account for vendor breaches with clear communication protocols
    Contractual Protection: Update vendor agreements with security requirements and liability provisions

    The Bottom Line
    Organizations can no longer treat vendor risk as a procurement afterthought. The question isn't whether your supply chain will be targeted — it's whether you'll detect and respond effectively when it happens. The strongest security programs extend beyond organizational boundaries to create defensible ecosystems, not just defensible enterprises.

    #ThirdPartyRisk #TPRM #SupplyChainAttack #CyberSecurity
