Identify, assess and manage cybersecurity and data risk in all its forms

Information technology is a wellspring of business opportunity. From achieving operational efficiencies through automation, to delivering a better customer experience with new digital services, IT is the engine of business innovation, and data is the fuel. 

The only caveat is that every new digital opportunity comes with risk. In IT, that includes the threat of downtime, adversarial hacking and data privacy violations. It could arise from malicious activities or human error, an external attack or an inside job. 

But backpedaling on IT is simply not an option for today’s companies. Business success has never been more dependent on digital and web-based technologies. Despite the inherent risks tied to IT innovation, there is only one direction for companies to take their digital strategies: forward. 

How CFGI Helps

Every company’s IT environment has two core components:

  1. IT systems: This includes application software, operating systems, infrastructure such as servers, modems, routers, or switches, endpoints such as laptop computers, peripherals, IoT or mobile devices, vendor IT systems and other technology used in the course of business operations. 
  2. Data: This may include customers’ personal data, business-process data, intellectual property, financial data and other digitally stored, processed and/or transmitted information.

Establishing a highly effective cybersecurity and data privacy risk program that minimizes exposures in both areas requires a strong understanding of what data must be protected, and how to safeguard any and all IT systems that store, process or otherwise access that data.

At CFGI, our cybersecurity and data privacy advisors help companies understand the risks to their systems and data and the sources of those exposures within their IT environment. We also rely on  a variety of industry-leading practices and information-security guidelines, tailored to the size and complexity of each of our clients, to minimize vulnerabilities with effective cybersecurity and data privacy policies and controls. 

The result: You can safely leverage digital technologies as a competitive advantage. 

Our cybersecurity and data privacy advisory services

CFGI cybersecurity advisors work directly with your internal and external stakeholders to identify, assess, manage and mitigate risks in your IT environment. Each engagement is tailored to our clients’ unique circumstances and requests, however a typical workflow for cybersecurity and data privacy projects may entail the following:

  • Identify the client’s needs and select the standards for compliance and framework against which to build the program. 
  • Collaborate with key stakeholders and review policies, procedures and documentation to create a current-state report and gap listings. 
  • Define a future state, and reevaluate policies, procedures and documentation to identify a remediation plan that will achieve the future state. 
  • Help execute remediation steps in the plan of action, and provide implementation support and/or training, as needed. 

Every company is different, and therefore has different cybersecurity and data privacy needs. That said, we most frequently assist companies in four core areas:

1. Cyber maturity

Benchmarking your company’s cyber maturity is a key step toward understanding your cybersecurity posture and how to strengthen it. Audit committees, shareholders and investors want assurances from the board that the company is security savvy and is sufficiently protecting data and IT systems while maintaining compliance.

At CFGI, we can assess your company’s cyber maturity through close examination of your policies, people, processes and technologies. In doing so, we help you:

  • Understand the unique cybersecurity risks based on your industry, the types of data you maintain and the security capabilities currently in place.
  • Use industry benchmarks to help you measure the maturity of your security controls and processes. 
  • Assess your compliance with cybersecurity regulations and guidelines.
  • Identify gaps and weaknesses within the business and develop a remediation roadmap.
  • Create an audit plan that considers cybersecurity risk in addition to other risk factors.

Cyber maturity starts from the top-down. We can coordinate with the C-suite, including the CISO and CFO, to make sure the board recognizes risks and is compelled to take action.

2. Incident response

Businesses no longer face the question of if they will be hacked, but when. A failure can – and probably will – occur at some point. Enduring that adversity is about having measures in place to respond swiftly and effectively. 

At CFGI, we can assess where your incident response protocols are weak and recommend people, processes and technology improvements accordingly. Some of the ways we provide assistance include, but aren’t limited to:

  • Creating and implementing an incident response plan using best practices, such as NIST SP 800-61, as the foundation.
  • Developing an incident response process framework and governance structure. 
  • Identifying incident response program owners, roles and responsibilities, and establishing a communication framework across the company.
  • Creating policies and documentation to comply with internal requirements and with regulations such as NYDFS Cybersecurity Regulations.
  • Providing incident-response and security awareness training. 

The actions you take when you get hacked determine whether you a) respond and recover quickly, or b) suffer consequences such as data loss, reputational harm, downtime and other fallout. 

3. Business continuity and disaster recovery

In the event of a system outage, DDoS attack, ransomware or other disruption, the ability to commence with business as usual is crucial. Should you fail to maintain business continuity, your disaster recovery program needs to be ready to restore critical operations and pull you out of crisis mode. 

To this end, our experts work directly with company stakeholders, including CFOs, CIOs and other board members to prepare your IT environment for a worst-case scenario. We help you:

  • Develop and implement a business continuity and disaster recovery program using leading industry practices such as ISO 22301.
  • Conduct business impact analysis to understand the effects of unplanned downtime on business operations and customers.
  • Define roles and responsibilities related to business continuity and disaster recovery across the organization.
  • Define key business continuity and disaster recovery metrics. 
  • Create policies that comply with regulations. 

You cannot predict the future, but you can be ready for it. We will help you manage threats to business continuity and, when all else fails, have a reliable disaster recovery plan as a safety net.

4. Data privacy and security

Data is as valuable as currency in the digital world. Cybercriminals attempt to pilfer it and sell it for profit on the dark web or hold it for ransom to extort companies who need it to sustain critical business operations and comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). 

At CFGI, we enhance data privacy for businesses in a variety of ways:

  • Identify what data you actually need and don’t need, whether that information needs to be protected, where that information resides and where the risks lie for theft, unauthorized access and data loss. 
  • Determine whether data-privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) apply to your business.
  • Identify gaps in your current GDPR and CCPA compliance programs, if applicable.
  • Help remediate those gaps – and other data-privacy protection weaknesses – with control recommendations and ongoing support.  

By prioritizing data privacy, companies avoid the reputational harm, non-compliance penalties and consumer distrust that stem from unauthorized or unconsented access to information. Our data privacy advisors will help you cost-effectively comply with key regulations and maintain consumer trust.


We are not a purely technical IT shop. We understand your business and strategy and we engage with executives from the C-suite and the Board every day. We’ve built out a Risk Advisory group that staffs specialists from every facet of finance and IT, with expertise in IT operations, cybersecurity and data privacy. This cross-functional team of experts can provide well-rounded Risk Advisory services that help you maintain compliance and, more importantly, tap into IT’s value-add potential without being dangerously exposed to risk.