As any seasoned cyber security professional will tell you, good security only works when it’s embedded as culture within an organisation – and that must come from the top. But sometimes, the top doesn’t want to know. Even with recent events highlighting the vital importance of cyber security and the average cost of a breach reaching an eye-watering £3 million, many organisations still struggle to get security on the boardroom agenda. This leads to critical levels of under-investment, leaving organisations wide open to cyber attack. Let’s look at the problems in more detail.
Let’s start with the obvious: some boards don’t have a CISO. Not having a CISO means boards are likely to be simply unaware of the very real operational risks to the business that poor cyber security presents. Unaware, that is, until it’s too late: over half of medium and large businesses have suffered a cyber security breach or attack in the last 12 months. Without a board member literally bringing it to the table, it’s going to be an uphill struggle for any security manager to get cyber on the agenda. Even boards who want a CISO might struggle to get one thanks to the security skills gap.
Those boards who do have a CISO, and so have hopefully invested in cyber security to some degree, still face the challenge of making their security investment truly effective in the real world. This requires the CISO to have the full trust of the board and the resources to move and react quickly. Effective controls can only come from understanding hackers’ motives and abilities, as well as fully analysing the risks posed by internal threats.
Security service providers can even make matters worse by trading on fear, uncertainty and doubt (something we at Bulletproof work hard to avoid). This only serves to muddy the waters for organisations trying to manage their cyber risk profile as it obscures threats and confuses priorities, which ultimately – and not to mention ironically – can leave businesses less secure.
Source: https://nominetcyber.com/major-global-study-of-senior-cyber-security-professionals-reveals-increasing-pressure-workload-and-budgetary-deficits
Having outlined the problems, the common theme running through them is clear to see: a lack of knowledge. Boards don’t have a CISO because they don’t know they need one. CISOs don’t always invest wisely because they aren’t given the resources they need to uncover the real threat profile. In our experience, even organisations that have invested wisely in cyber security often lack the capability to detect a hack. To put it more succinctly, board-level investment doesn’t include cyber, or cyber controls aren’t effective despite investment, because of a lack of knowledge.
To demonstrate the problem in action, we have some real-life examples from Oliver Pinson-Roxburgh, our Co-founder, and from Nicky Whiting, our Head of Consulting. These are all real and repeated scenarios they’ve encountered during the course of their security careers when trying to educate a board on the importance of security.
Oliver: “This is a great demonstration of the lack of knowledge of a typical board. Anti-virus is one specific tool in the cyber security armoury. On its own it’s nowhere near enough. As any good penetration test will show, hackers have many tools and techniques that can compromise your environment and steal your data without ever setting off an anti-virus alert. Then there are the threats that come with newer tech such as containerisation – how many board members will know what containerisation is or understand it as a risk?”
Nicky: “The cost of data breaches is rising year on year, and if personal or financial data is involved (and it almost always is) then it’ll increase hugely thanks to things like GDPR and PCI DSS. Insurance can sometimes cover some of the cost, but it can’t save you from reputational damage – and that destroys companies much quicker than financial damage.”
Oliver: “Most hackers don’t care who you are, only if you’re an easy target. That makes anyone with weak security a target. Plus the larger you are, the more likely you are to be targeted by a determined attacker as well as hit by opportunistic ones. This presents an additional threat to mid-market and larger organisations over SMEs.”
Nicky: “Many organisations don’t have the technical staff – but that’s not actually a problem. Here cyber security can take a leaf out of the modern compliance playbook and look at managed options. With outsourced Data Protection Officers being so common, increasing numbers of organisations are also looking at a virtual CISO, and even managed SIEM services to fill the gaps.”
Oliver: “What I always say to this is: how do you know? Typically most organisations lack the capability to detect an attack. Your data could already be being sold on the dark web. There could be a ransomware-laden email sitting in someone’s inbox right now. Statistically there’s almost certainly a few phishing emails just waiting to be clicked on. They don’t usually have an answer for that.”
For those stressed security managers trying to combat the problem and get the board on-side with cyber, we feel for you. To help you win them over, here’s our handy guide to what you can do.
You are essentially selling your requirements to the business. That means it’s a sales pitch, and like all sales pitches, it works better in person. Get in front of your board by any means necessary. If you’re not the point person who reports to the board on cyber, work closely with the person who does.
Regular communication with valuable, insightful information is key to getting board engagement. This means sticking to simple metrics presented in easy-to-read, visual ways. There’s absolutely no room for ‘death by PowerPoint’ here.
Upskilling the board should be a primary goal. Where a board is reluctant to take on additional training, build extra material into mandatory or already in-place training regimes (such as GDPR, ISO, etc.). Add in a few additional slides that are catered specifically for the board.
Boards are largely non-technical, and a lot of people go wrong because they focus on the technology. Sell it to them in a way that outlines the benefits of the approach, such as meeting regulatory requirements, winning more tenders and reducing risk, rather than the technology required.
GDPR and ISO 27001 can create a more focussed way of spending money on security. Shiny new tech might be tempting for the IT team, but there will be other things the business needs more that will be revealed through the risk work and data mapping that comes from ISO and GDPR. Compliance helps organisations target their spending better and focus on what’s really needed, rather than what’s nice to have.
Well-implemented security forces an organisation to analyse workflows, implement new structures and drive consistency, leading to streamlined processes and procedures. When security spending leads to increased efficiency and better ways of working, it becomes an investment, not a cost.
To finish up, here are 6 security tactics that every board can follow to solve their security problems – whether they’re aware of them or not.
Dear board, I’m going to cut right to the chase: it’s 2020 and you know you need to have a CISO. If you can’t justify a full-time CISO – and many can’t – then hire a virtual CISO on a retainer basis. This lets you access all the experience of a seasoned security pro for a much lower cost. Without this, you’ll never understand the threat landscape and your true cyber risks. And what that means in practice is, you’re going to have a data breach.
If you have a CISO, they need to make sure they’re being listened to. They should be talking in non-technical terms so you can understand the impact of what they’re saying. If you have a CISO but are still struggling to meet your security challenges, then it’s time to look at the relationship you have with your CISO and examine your communication.
Basic security awareness training for all staff, from frontline call loggers right up to board members, is an absolutely essential, fundamental security control. You have probably heard of phishing, but are you aware of whaling, CFO fraud, and the advancements in deepfake technologies? This is just the tip of the iceberg. Security is everyone’s duty, and the board needs to have a level of security understanding in-line with their responsibility.
Ask for options. As senior strategy setters, it’s not the board’s job to be researching what the many technology options are and their varied impacts. Instead ask for a curated selection of options and explore the outcomes of each to see what’s the best direction for the business. This also means understanding that high spending does not equal high security. Use your vCISO or a trusted security manager to empower yourselves to spend wisely, not freely. Again, where you don’t have the staff and/or can't afford the CapEx to deliver security outcomes, look at taking a managed service.
Compliance isn’t security, but they’re often treated as one and the same. Leverage compliance, whether it’s a mandatory standard or not, to enable wise investment in key projects that will have an impact on your security posture. This way compliance can be a benefit instead of a chore. You probably won’t have the in-house expertise to manage this, so look for cost-effective operational support.
If your risk analysis warrants it, explore a SOC/SIEM service. With high-tier features such as proactive threat hunting, it can be the gold standard of security, but only when it is implemented and run correctly. Check out this guide for options of building, buying or outsourcing a SIEM. If not done correctly, a SOC/SIEM service can actually be worse than useless, as you'll think you're secure when you’re not.
You must realise your power of influence and take this responsibility seriously. It’s important to support security and compliance initiatives by practising what the business preaches. If you don’t, every security project and every compliance project will fail. You need to be the change.
Involve your CISO in discussions at the earliest opportunity so they can contribute perspectives on business strategy. Another tip is to get your CISO/vCISO to talk to your DPO (or whoever is responsible for data protection within your organisation). Cyber security and data protection aren’t the same, but they are related, and synergies and cost savings will appear with communication.