Cyber and Information Security


In today's business environment, you have a responsibility to your stakeholders, employees, clients and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to you. In addition, some also have data security responsibilities related to regulatory compliance or fiduciary duties. The threat of a security breach of your company's data, under your watch, is a fear that is increasingly real for so many. Just because breaches are common doesn't mean they aren't preventable.

Grassi's Cyber and Information Security Practice provides needed peace of mind by guiding you to understand risk profiles, recognize potential threats, determine risk tolerance and create a cyber and information security strategy to support your organization's business goals, growth and strategic objectives.

The professionals at Grassi believe that the cornerstone of all security programs lies in managing an organization's cyber risks and measuring them against business strategy. Borrowing from the adage that "if you can't measure it, you can't manage it", Grassi guides clients in understanding and reducing the value-at-risk they carry from inevitable cyber threats.

The Grassi team ensures you and your organization are successful at building and maintaining a robust cyber and information security strategy that is in alignment with your business goals and objectives.

Services We Offer:
  • Penetration Test—A cyber assessment that is an adversarial approach to assessing an organization's security posture by simulating threat actor actions.
  • Vulnerability Assessment—A cyber assessment that is an automated and human-led approach to identifying existing vulnerabilities within an organization's infrastructure.
  • Security Architecture Review—A cyber assessment, human-led approach to assess, review and improve an organization's architecture through design review.
  • Phishing Simulation—A cyber assessment that is an adversarial approach to assessing an organization's susceptibility to phishing threats.
  • Security Awareness Training—A cyber assessment, human-led approach to training an organization in appropriate operational security practices in accordance with the organization's culture and policies.
  • Incident Response—A cyber defense and response, human-led approach to managing, analyzing and remediating cyber security incidents.
  • Incident Response Readiness Assessment—A cyber defense and response, human-led approach to assess an organization's efficacy and maturity with detecting and responding to incidents.
  • Table Top Workshops—A cyber defense and response, human-led approach to testing and evaluating an organization's Incident Response Plan.
  • Digital Forensics—A cyber defense and response, human-led approach to performing forensic analysis and providing an expert opinion as it pertains to digital mediums.
  • Expert Testimony—A cyber defense and response, human-led approach to providing an Expert Witness in terms of Digital Forensics.
  • Managed SOC—A cyber defense and response, human and machine-led approach to monitoring an organization for unauthorized activity on an organization's computing infrastructure.
  • Managed Endpoint Detection & Response—A cyber defense and response, human and machine-led approach to hunting for threats on an organization's computing infrastructure that are not detected by the organization's security tooling.
  • Virtual Chief Information Security Officer (VCISO)—A governance, risk and compliance, human-led approach that acts as an organization's senior security management in defining the security roadmap, policies, procedures and defensive measures.
  • Security Policy Development—A governance, risk and compliance, human-led approach to writing and developing an organization's security policy in accordance with its culture.
  • Risk Assessment—A governance, risk and compliance, human-led approach to assessing an organization's threats, vulnerabilities and business impact to define the organization's risk based on value to the organization.
  • Compliance Assessment—A governance, risk and compliance, human-led approach to determining an organization's ability to adhere to regulatory and standards-based compliance requirements.

For more information, please contact Anthony Tomaro, Consulting Services Leader at or 212.223.6017.


Articles & Alerts

What Every New York Business Needs to Know about Cybersecurity

Crain's New York Business asks Carl Oliveri, Grassi's NYC market leader, about the cybersecurity challenges and opportunities that exist for NYC businesses looking to protect their sensitive data against the latest digital threats.


Alert: Validating Cyber Risks in the Cannabis Industry

With information gathered from assets in the underground (involved with the dark web) and conversations with federal authorities, investigations disclosed that, while there is no specific group actively targeting the cannabis industry, there are hackers focusing on three areas within the Seed to Sale lifecycle: research and extraction; growing; and consumption and retail operations.


Push for Scam Techniques Increases

The end of January marks the beginning of the push for some known scam techniques, but there are also some new ones on the scene. Scammers are targeting organizations large and small, as well as individuals, attempting to steal money and/or information. Below are some of the more common scams that are being reported around the world.


EAlert: Freezing Credit—Avoiding Fraud

As you may have seen in our social media posts, October is Cyber Awareness Month. In keeping with our intention to keep our clients informed, it's very important for us to help you grow your understanding of how to identify potentially dangerous emails.


Prepare For A Cyber-Attack Now—Don’t Wait!

Ransomware is a type of malicious software designed to block access to your computer system until a sum of money is paid.


Cyberattacks of Nonprofits on the Rise

Cyberattacks and data breaches are commonplace in the news now—it would be easy to miss the changing trend in where these attacks are being focused. Financial institutions and banks will always be prime targets due to the information they hold, but the marked increase in attacks aimed at non-profit organizations, with particular focus on charitable and educational institutions, isn't as widely understood.


Insulating Your Cyberworld—One Step, and One Day, at a Time

Target, Ashley Madison, the DNC, Twitter, LinkedIn, PayPal, multiple healthcare institutions—it seems not a day goes by that we're not hearing about another data breach, whether it's a nation-state infiltrating governmental institutions, a breach of usernames and passwords numbering into the millions in a single instance, or, the most prevalent of them all, another case of ransomware holding files hostage until a payment is made. It often feels like we're being inundated to the point of exhaustion, and it happens so often that it seems there's nothing we can do to avoid becoming the next victim. The ugly truth is that there's no way of ensuring, beyond any shadow of a doubt, that one will not fall victim oneself. The good news is that there are steps that can be taken to lower an attack profile, greatly reducing the chances of being victimized.