IT Security On Demand

Home / Consulting

Why IT Security on Demand?

After decades of experience, we have found that there are six situations that really require IT Security oversight:

Security remediation coordination

New project design & Development

Monitor new threats

Why not full time?

Typically, companies experience a significant need for this type of oversight when they begin their security program and get their vulnerability and disaster preparedness programs running. However, after the first couple months, your need for Security gradually decreases down to a couple hours per week.

With such a decreasing need, it doesn't make sense for most companies to pay over $200,000 per year for a full-time security manager. For this reason, we established a part-time on-demand security manager service called "Find, Fix, and Protect."


Our consulting services use consistent, automated, and efficient sub processes. This allows ThreeShield to focus on your unique concerns and needs with a fully customizable -- yet very efficient -- approach. Although fully customizable, a typical engagement includes the following:

Phase 1: Find compliance and security vulnerabilities

  1. Initial scope discussion covering:
    • web sites and Internet-facing systems
    • networks, VPNs, and wireless systems
    • servers, workstations, virtual machines, and operating systems
    • established policies, standards, and procedures
    • business impact assessment, disaster recovery, business continuity plans, and backup processes
    • external systems and service providers
    • compliance needs
  2. Signed agreement with permission to perform vulnerability assessments.
  3. Internal and external vulnerability scans
  4. Partially-automated penetration tests
  5. Execution of proprietary configuration extraction scripts.
  6. Compliance assessment for:
    • PCI
    • NERC
    • privacy and personally-identifiable information (PII)
    • C-SOX and SOX financial statement controls
    • corporate policies
  7. Server, Active Directory, databases, applications, and cloud service configurations.
  8. Reporting at the level you need: from highly technical, executive risk statements, and customer assurance.

Phase 2: Fix: project and security management with hands-on support

We provide as much support to fix your security and compliance vulnerabilities as you need. Many companies have great IT teams that can take care of most changes. However, with competing priorities, they can often benefit from additional security and project management. Our most common services during this phase include:
  1. Chairing of a Security Council to ensure that senior leadership understand and prioritize security and compliance needs among other critical business concerns.
  2. Security project management to ensure the success of security-related projects. We will oversee your whole security program and provide hands-on support as needed.
  3. Documentation and improvement of critical policies, business impact assessments, disaster recovery plans, business continuity processes, and other regulatory needs.
  4. Training, including phishing simulations, OWASP developer training, PCI and NERC CIP-004 compliance, and other job-specific training requirements.

Phase 3: Ongoing training and monitoring

Once the high-priority items are in place, we provide:
  1. Monthly phishing simulations with additional training during peak phishing seasons.
  2. Annual security awareness training
  3. On-demand solutions for security design and configuration problems
  4. Continuous monitoring of emerging threats, missing patches, and configuration problems.
  5. Annual updates to disaster recovery and business continuity plans, business impact assessments, and other living documents

Ready to protect your business?



Working with Chris was a pleasure; the assessment was comprehensive and covered every aspect of the business risks.

-Thayer Ramahi, IMIT Director of Calgary Foothills Primary Care Network


As the Chief Compliance Officer of a payments entity, I have relied on ThreeShield Information Security to provide risk-based solutions that have satisfied regulators and business partners alike. While our Money Services Business is unique in that it supports commerce within virtual worlds and video game environments, the security standards that we have to meet are the same as they would be for any regulated financial institution.

ThreeShield has employed a dynamic, risk-based approach to information security that is specific to our business needs but also provides comfort to our external stakeholders.

I recommend their services.

-Scott Butler, CCO of Tilia Inc.


ThreeShield Information Security has provided customized IT security tools and consulting to organizations of all sizes, including the following:
1-Page  •   Calgary Foothills Primary Care Network  •   Carrier Corporation  •   Collins Barrow Calgary LLP  •   Computer Sciences Corporation  •   Deloitte  •   Ernst & Young  •   Escape Ops  •   First Gulf Bank  •   Government of Alberta  •   Hamilton Sundstrand Corporation  •   Hurricane Computer Solutions  •   International Aero Engines  •   KPMG  •   Linden Research (Linden Lab)  •   NASA  •   NORESCO  •   Otis Elevator Company  •   Plateau Systems  •   Pratt & Whitney  •   Red Link SA (Argentina)  •   Segurança da Informação e Conformidade  •   Sikorsky Aircraft Corporation  •   Tilia Inc  •   TOOT'n TOTUM  •   Towers Watson  •   United Technologies Corporation  •   Universidade de São Paulo  •   UTC Power  •   Whitecap Resources Inc