Information Governance


Governance is the secret sauce that optimizes your compliance and risk management investments. Explicit decision rights, authorities and accountabilities for information across its lifecycle underpin effective programs. Without governance with the authority to compel information risk and compliance management directives, a GRC program is ultimately sub-optimal.


Our service offerings in this practice include:

  • Information and data governance, strategy, and implementation
  • Supplier governance strategy, program, and implementation
  • Controls assessment (readiness, assurance, testing)
  • Process and organizational alignment and adoption
  • Technology design, and implementation support


Information Risk Management

Risk management is part science, part art: some risks are worth taking and others seem too dicey to be prudent. But how do you and your partners decide? Developing useful risk informatics and consistently applying empowered decision-making is key, and these are two of the most underdeveloped aspects of modern information risk management.

Our service offerings in this practice include:

  • Risk management framework development
  • Risk assessment process and implementation
  • Information protection technology services
  • Process and organizational alignment and adoption
  • Technology design, and implementation support


Information Compliance


Compliance is risk management by another name: a recurring contest of wits with rapidly evolving rules, viewed through the often opaque lens of regulation. A strong compliance program drives accountability while keeping your regulators satisfied.

Our service offerings in this practice include: 

  • Regulatory compliance strategy and implementation support (e.g. SOX, PCI, HIPAA, ICD-10)
  • Integrated compliance assurance
  • Controls rationalization
  • Process and organizational alignment and adoption
  • Technology design, and implementation support



Application Lifecycle Security 

Considering the volume of business conducted online these days, it is no wonder applications have become the preferred breach target. Applications handle a growing set of critical information in increasingly complex ways, raising the risk that this information will be handled insecurely.

Traditional application security approaches that are isolated, disconnected, or identify issues only just prior to product launch cannot keep up with the demands of today's real-time business environment. What's more, waiting to address risk until late in the application lifecycle results in a higher percentage of defects, each at a considerably greater cost to fix.

We know a smarter way. To better protect themselves and maximize the value of their application assets, organizations need to invest in an appropriate mix of complementary and interconnected application security practices across the entire Software Development Lifecycle (SDLC), in effect securing the SDLC itself. Frameworks such as the Microsoft SDL can serve as guidance for architecting fit-for-purpose programs that support time-to-market targets while managing application risk effectively and efficiently.

We understand that different organizations have different needs, and our Secure Software Development Lifecycle (S-SDLC) approach works for companies at every level of maturity by identifying and delivering a tailored set of capabilities to fit each client’s development methodology and investment appetite.

There are four complementary offerings that support our approach:


We work with our clients to thoroughly understand their existing capabilities across the S-SDLC, and then identify opportunities for focused improvement and capability development. 

  • Identify the S-SDLC value proposition across the organization
  • Discover secure software lifecycle impediments
  • Assess organizational S-SDLC maturity
  • Analyze S-SDLC domain capabilities
  • Review application security policies, standards, and controls
  • Investigate S-SDLC process flows and review release / development methodologies (e.g. Agile, Waterfall)
  • Validate the effectiveness of existing application security activities (e.g. threat modeling, penetration, static or dynamic testing)


Using our extensive industry and domain knowledge, we help clients develop practices and apply the most up-to-date S-SDLC thinking across people, process, and technology.

  • Develop multi-year S-SDLC roadmap and implementation strategy
  • Identify program mission, vision, goals and objectives
  • Define S-SDLC control objectives, controls, and standards
  • Develop RACI-based S-SDLC control processes and procedures
  • Recommend organizational functional and staffing plans
  • Conduct stakeholder analysis and obtain near real-time feedback through Voice of the Customer (VoC) sessions
  • Determine the operating model to engage business units, partners, and other key stakeholders
  • Co-create new S-SDLC organizational services, and offerings supported by a service hierarchy, catalog(s), and playbook(s)


We help our clients implement their S-SDLC strategy using actionable and sustainable program initiatives, coupled with awareness activities that drive lasting cultural change.

  • Provide initial and on-going project management support to influence and drive organizational and program change
  • Orchestrate and deliver broad awareness campaigns through effective communication of the value of the S-SDLC services
  • Provide integrated executive, senior management, line of business and other stakeholder communications 
  • Develop RACI-based S-SDLC capability implementation guidance and deliver S-SDLC capability training programs
  • Engage with key business units, partners and stakeholders to realize new service implementation at all levels
  • Co-evolve S-SDLC service delivery capabilities over time


We help identify impactful business metrics and governance processes that demonstrate the program’s value, and ensure the level of risk management is aligned with the needs of the organization.

  • Identify critical business drivers supported by the S-SDLC program and determine leading KPIs and KRIs of interest
  • Attach clear business outcomes to S-SDLC risk measures (e.g. % of incidents where customer data was at risk due to non-compliance of specific application development vendors)
  • Develop a robust reporting framework by understanding information needs of key stakeholder groups and individuals
  • Develop an operational approach for collecting and “rolling up” key metrics across the S-SDLC program
  • Design and implement an approach for sourcing, confirming, and articulating key leading metrics and embedding smart S-SDLC program governance into existing approaches




Information Security


A lack of effective information security has become the preeminent threat to business operations and has proven damaging to long-term business objectives. As recent headlines show, breaches of proprietary company information and customer data have led to a loss of customers' trust and an erosion of confidence among stakeholders. Beyond confidentiality, information integrity and availability are of paramount importance to the modern organization and represent the other areas of significant information security risk that a balanced program must address.

As organizations continue to improve customers' digital experiences, shorten time to market, bolster supply chains, and move business processes to the cloud, a comprehensive and multifaceted information security program is required. This program must cost-effectively address cybersecurity risks without hampering opportunities to drive growth, whether through developing new digital capabilities or integrating existing ones, while providing assurance that information is protected in a responsible manner.

Our Information Security Offerings

Information Security Strategy

We help companies create and sustain a cost-effective, multifaceted information security program that counters cybersecurity risks, while enabling responsiveness to market opportunities. To achieve this, we work hand-in-hand with decision makers to fully understand their business model and longer term objectives, what information is strategic and valuable to the organization in the short and long term, and how that information flows through the organization and to partner organizations. Then we apply a risk-based approach that aligns resources (financial, managerial, personnel, operational) to better secure and protect critical information in line with the organization’s risk appetite and investment considerations. 


Information Security Organizational Design & Enactment

An effective and adaptable security strategy must be supported by a high-performing organization. A wide array of factors must be considered when structuring the team: the experience, skills, roles and responsibilities of team members; incentive models; communications approach; geographic dispersion; the collaboration style and tooling needed for effective working relationships; and the multitude of interdependencies with partners, customers, and suppliers must all be tuned to best execute the strategy. That is why we work with decision makers to baseline and enhance team, personnel, and process elements, in order to protect business operations and enable longer-term objectives to be achieved.



Information Security Service Orientation

We work with decision makers to better understand the needs of their business partners and what is of value to them. Through a facilitated dialog approach called Voice of the Customer, we identify strengths, gaps, and opportunities and, most importantly, work with your customers to define the ideal service attributes that may previously have been overlooked or misunderstood and that result in high customer satisfaction.