Disciplines · 04 · Security

Security work is done before the attack. Not during it.

Most SMB security conversations start after something happened — a phishing click, a failed audit, an insurance renewal that pulled a thread. The posture that matters in those moments was built months earlier. Our job is to build it with you now, so the next call isn't the emergency one.

How we frame it

Three layers. Find the widest gap.

Security is a long list of things you could do. To keep the conversation honest, we reduce it to three layers and ask which one is the thinnest. That's the one worth going deep on — not the one easiest to sell, and not the one that happens to be in this quarter's vendor slide deck.

Layer 01

Surface

What's exposed to an attacker. Public ports, legacy authentication, published apps, conditional access exemptions, dormant admin accounts, external mail forwarding. Every one of these is an opportunity you can shrink before anyone tries to use it.

Layer 02

Visibility

What you can see when something happens — or might have happened. Telemetry from identity, endpoint, email, and cloud, correlated into one picture, tuned so the signal rises above the noise. Without this layer, every suspicious moment turns into days of guessing.

Layer 03

Response

What you actually do when it does. Playbooks for the common scenarios, air-gapped backups that survive a storage-fabric compromise, a clear chain of communication, and the muscle memory that comes from running the plan at least once before it's real.

The discipline line we hold ourselves to: find the widest gap and go deep on that one. Spreading a small security budget evenly across three layers usually produces three thin layers. Going deep on the gap that matters most produces posture.

Where most SMBs lose

The widest gap is almost always Visibility.

Surface work is tedious but obvious — the list of things to harden is known, and most of it can be done in a handful of change windows. Response work scales to the size of the business — bigger company, thicker playbook, but a small shop can get by with a short, well-rehearsed one.

Visibility is the one that breaks on SMB budgets. A modern SIEM running without an FTE to monitor it is just expensive logs. Most small and mid-sized businesses can't justify dedicated headcount to watch the screen, and most can't justify the SIEM itself when they already can't afford to look at it. That's the gap — and it's the one we focus on honestly, with options that match the size of the business.

Our rule on licenses

We won't sell you an E5 upgrade just because we can. If you're already paying for Defender and it isn't tuned, tuning it is the answer. If you need a managed SOC because you won't staff it, we'll say so and help you pick one. The posture isn't the license tier.

The signature visual

Every engagement starts with this picture.

Before we recommend anything, we draw three bars — one per layer — and rank them honestly for the business in front of us. The shortest bar is where we go deep. The tall ones get maintained, not fussed with. Most engagements look something like this.

[Figure: three-bar chart of layer maturity. Surface (Layer 01) is a moderate bar, Visibility (Layer 02, "the gap") is a dramatically shorter bar highlighted in accent orange with the note "go deep here", and Response (Layer 03) is a moderate bar. Vertical axis: posture, from 0 up to target.]

The ranking changes from business to business. The discipline doesn't: find the widest gap, go deep on that one, then move to the next.

Three moments, three layers

What the work actually looks like.

One story per layer. Details anonymized. All three show the same thing from different angles — the work is done before the event, and the event is where that work shows up.

Visibility · the payoff

A phishing scare, answered in hours.

A 200-seat firm called after a user admitted he'd clicked a link he shouldn't have. Because Defender was already tuned, we could confirm within hours that nothing had happened — no suspicious sign-ins, no session persistence, no rule changes. From there, a clean MFA-and-password reset and the incident ended where it started. Without the visibility already in place, the same call becomes three days of "did we just get breached?"
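The three checks that story rests on (sign-ins, persistence, mailbox rules, for one user in the window after the click) written out as an added example; this is not the firm's tooling or Defender's own query language, the unified event schema, the expected sign-in geography and the event-type names are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, unified schema; not real Defender or
# Entra output, just enough shape to show the three checks.
EVENTS = [
    {"time": "2024-05-02T09:02:00", "user": "j.doe", "type": "SignIn",
     "ip": "203.0.113.10", "country": "CA", "mfa": True},
    {"time": "2024-05-02T09:41:00", "user": "j.doe", "type": "SignIn",
     "ip": "198.51.100.7", "country": "NG", "mfa": False},
    {"time": "2024-05-02T09:45:00", "user": "j.doe", "type": "New-InboxRule",
     "detail": "ForwardTo external.example"},
    {"time": "2024-05-02T09:50:00", "user": "j.doe", "type": "Consent to application",
     "detail": "Mail.ReadWrite"},
    {"time": "2024-05-01T08:00:00", "user": "j.doe", "type": "SignIn",
     "ip": "203.0.113.10", "country": "CA", "mfa": True},
    {"time": "2024-05-02T10:00:00", "user": "a.smith", "type": "SignIn",
     "ip": "203.0.113.10", "country": "CA", "mfa": True},
]

# Assumptions: the business normally signs in from Canada, and these event
# types are the ones that indicate persistence or mailbox tampering.
EXPECTED_COUNTRIES = {"CA"}
PERSISTENCE_TYPES = {"Consent to application", "Add registered device",
                     "Add service principal credentials"}
RULE_TYPES = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def triage(events, user, click_time, window_hours=24):
    """Return findings for one user in the window after the reported click."""
    start = datetime.fromisoformat(click_time)
    end = start + timedelta(hours=window_hours)
    findings = {"suspicious_signins": [], "persistence": [], "rule_changes": []}
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["user"] != user or not (start <= when <= end):
            continue  # other users and events before the click are out of scope
        if ev["type"] == "SignIn":
            # A sign-in from outside the normal geography, or one that got in
            # without MFA, is what a stolen session or credential looks like.
            if ev["country"] not in EXPECTED_COUNTRIES or not ev["mfa"]:
                findings["suspicious_signins"].append(ev)
        elif ev["type"] in PERSISTENCE_TYPES:
            findings["persistence"].append(ev)
        elif ev["type"] in RULE_TYPES:
            findings["rule_changes"].append(ev)
    return findings


def is_clean(findings):
    """True when all three checks came back empty: the incident ends where it started."""
    return not any(findings.values())
```

With a 24-hour window from the click, `j.doe` shows one foreign no-MFA sign-in, one app consent and one inbox rule, while `a.smith` comes back clean.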

Surface · the modernization

Taking the VPN and open ports out of the picture.

A client hosting dozens of custom apps across on-prem and cloud IIS had published them the way most shops still do — VPN for internal users, firewall NAT rules for public ones. We replaced that with Azure Front Door, Entra Application Proxy, and Global Secure Access: identity-aware gates on every app, MFA for guests and staff alike, no open ports to the outside, no VPN client to maintain. Whole classes of exposure disappeared at once.

Response · the incident

A ransomware attack that never became a ransom.

The back-end storage fabric for a client's VM environment was compromised in a ransomware attack. Because the backups were properly air-gapped, no ransom was ever negotiated. We restored the assets and spent most of the engagement finding the gap that let the attacker in. It got patched. The business resumed. The quiet lesson: the thing that saved them was done months earlier, when nothing was on fire.

What you walk out with

A clearer posture and a roadmap you can actually run.

Every security engagement ends with a picture of where the business really is and a short list of what to do next — ordered, reasoned, and built around the foundations that make the rest of it possible.

  • A clearer posture picture: what goes in, what leaves, what's watching — the traffic story of the business on one page
  • Security assessment document: findings, recommendations, and critical issues flagged — aligned to a framework when one matters (CIS, NIST CSF, ISO 27001, whatever the auditor cares about)
  • A prioritized roadmap: process, policy, infrastructure, and identity — the four foundations that make most other security problems resolve themselves
  • Honest licensing guidance: what you're already paying for and not using, where a SKU upgrade genuinely earns its keep, and where it doesn't
  • Options sized to the business: tuning what's there, standing up managed tooling, or handing off to a SOC — with clear tradeoffs and costs for each
  • Runbook for the likely incidents: short, written, rehearsed. The plan you want to already have when something happens at 2am

"We don't sell licenses. We build posture. Security isn't a SKU upgrade — it's process, policy, infrastructure, and identity, done deliberately. Get those right, and most of the rest falls into place."

The stance on security spend

Book a call

Audit coming? Insurance renewal? Quiet worry?

The common thread behind most of our security engagements isn't a breach — it's a forcing function. Whatever yours is, the first conversation is the same one: what does your real posture look like right now, and where is the widest gap?

Or reach us directly: info@fouronesixit.ca · (647) 371-0400