At CI-Discern, we scope, develop, and facilitate unique risk and resiliency assessment exercises that are based on Idaho National Laboratory’s (INL) Consequence-driven Cyber-informed Engineering (CCE) methodology.
We design each exercise to bring together business, operations, and cyber/technical team members to:
With insights gained from these exercises, you can identify single points of failure and hidden risks, allowing you to take proactive steps to enhance your organization’s resiliency and safeguard against future existential threats.
In addition to helping you focus mitigation efforts on truly important risks, this assessment can help participants and stakeholders better understand the business processes and supporting technologies that underpin critical organizational functions.
Our CCE assessments are fully flexible and customizable, designed to meet the unique needs, budget, and timeline of your organization. We can also tailor them to help you fulfill regulatory requirements such as technical and program assessments mandated by the U.S. Coast Guard in the new baseline cybersecurity requirements, by the EPA for America’s Water Infrastructure Act (AWIA), or the Transportation Security Administration (TSA) Security Directives.
In addition, we have a trusted network of penetration testing partners who can help to assess the real impact of potential consequences across IT and OT environments with confidence.
We begin by dedicating time to understanding the core of your organization—its people, mission, and operational goals. Through in-person kickoffs, workshops, and direct engagement with your team, we gather critical information to align our process with your strategic objectives and security needs. This foundation allows us to customize every step of the assessment to match your unique environment.
Once we have a deep understanding of your organization, we identify potential adverse cyber events. These events are ranked by severity based on customized criteria, including your business’s most critical functions and assets. By focusing on the consequences rather than probabilities, we prioritize high-impact events that could disrupt your operations. This phase allows us to target the risks that matter most to your organization’s resiliency..
We perform a comprehensive system-of-systems analysis by grouping and mapping your major systems, processes, and interdependencies. This approach helps us understand how your IT and OT environments interact and enables us to identify common paths of entry that could be exploited to execute high-consequence cyber events. By identifying interconnected vulnerabilities, we provide a detailed view of your infrastructure, ensuring that both hidden and obvious attack vectors are thoroughly evaluated. This approach allows us to gain a deep understanding of your operational ecosystem, enabling us to recommend targeted strategies to strengthen your defenses.
Next, we develop detailed, consequence-based scenarios simulating adverse cyber events. These plans help your team visualize potential attack vectors, vulnerabilities, and outcomes, providing actionable insights into the most likely impacts. Our accelerated process includes practical, real-world scenarios to prepare your organization for the most severe events, all within a compressed timeline.
We conclude the process by identifying the necessary short-term and long-term protections and mitigations to minimize or eliminate the impact of the identified events. Our recommendations are practical and actionable, ensuring that your team can implement them effectively. We focus on aligning these strategies with your organization's budget, resources, and regulatory requirements, providing a clear roadmap for building long-term resiliency.
We build long-term relationships based on trust and doing the right thing. We will take the time to understand your peoples’ needs, the intricacies of your business priorities, and the complexities of your operating environment.
Our diverse, high performing teams cross organizational silos to foster collaboration. Together, we can choose and develop the right long-term strategies to deliver sustainable results.
Our consequence-driven assessment is fully customizable to fit your needs, budget, and requirements, ranging from a high-level, 2-4 week evaluation to an in-depth, 6 month+ analysis. Additionally, penetration testing can be added to increase technical depth and meet regulatory requirements, if required.
We serve as your independent, trusted advisor, offering unbiased recommendations and strategies aimed at improving your security posture and business outcomes.