Question 1

What makes Cyway different from traditional cybersecurity consultancies?

Accepted Answer

We combine deep technical engineering expertise with executive-level strategy work. Our methodology links security directly to business priorities, so decisions are justified by risk reduction, ROI, and regulatory impact—not vague maturity scores.

Question 2

How does Cyway approach AI security differently?

Accepted Answer

We treat AI as both an innovation accelerator and a new attack surface. Our services enable safe adoption of tools like ChatGPT and Copilot while helping you build secure custom AI systems aligned to OWASP AI Security and NIST AI RMF.

Question 3

What is the CY360 Effective Security Program?

Accepted Answer

A structured, NIST CSF 2.0–aligned methodology that creates visibility, prioritizes actions based on business impact, and provides ongoing governance via checkpoints, KPIs, and an integrated ISMS/GRC tool.

Question 4

How long does onboarding onto CY360 take?

Accepted Answer

Typically 3–5 weeks depending on stakeholder availability. The onboarding includes interviews, crown jewel validation, risk scenarios, technical spot checks, and full tool setup.

Question 5

How does the AI Adoption service help organizations?

Accepted Answer

We identify concrete AI use cases, establish safe usage policies, help integrate AI tools securely, and build custom AI solutions with security, privacy, and governance built in from day one.

Question 6

What is included in the AI Utilization offering?

Accepted Answer

Secure usage of ChatGPT, Copilot, Gemini and similar tools, plus data governance, DLP alignment, usage policies, guardrails, monitoring, and team training.

Question 7

Do you build custom AI models or RAG systems?

Accepted Answer

Yes. We design and implement secure architectures for LLMs, retrieval-augmented generation, agents, and domain-specific AI systems, including compliance, privacy, and risk controls.

Question 8

How does Cyway help with AI risk management?

Accepted Answer

We apply NIST AI RMF and real-world threat models to assess prompt injection, data leakage, model theft, bias, and other AI-specific risks, then define actionable controls and monitoring.

Question 9

What is External Attack Surface Management / ransomware prevention and how does it work?

Accepted Answer

A focused assessment that checks your external and underground exposure, identity posture, DMARC status, backup readiness, and Microsoft Cloud configuration to reduce your chance of being shortlisted by ransomware gangs.

Question 10

How often should an External Attack Surface / ransomware prevention check be run?

Accepted Answer

Most organizations choose 1–2 runs per year to track exposure changes, implement quick wins, and stay off threat actor radars.

Question 11

Do you also support deeper ransomware resilience work?

Accepted Answer

Yes via additional verifications of your MS Cloud Security settings, your AI settings as well as hardening process across the kill chain such as SecOps topics and IR exercises.

Question 12

What is included in the Microsoft Cloud Hygiene service?

Accepted Answer

A security verification of Entra ID, endpoint baselines, ASR, backups, sharing policies, license usage, and Defender/Sentinel posture, plus a prioritized improvement plan.

Question 13

Do you support advanced Microsoft cloud projects?

Accepted Answer

Yes. We offer custom Azure governance, Zero Trust architecture, Purview deployments, detection coverage tuning, and SecOps automation.

Question 14

What does the vCISO service cover?

Accepted Answer

Strategic cybersecurity leadership, risk management, regulatory alignment (e.g. NIS2, DORA), incident readiness, roadmap design, and executive steering—flexibly delivered T&M.

Question 15

How is Cyway different from a typical vCISO?

Accepted Answer

Our vCISOs combine boardroom strategy with deep engineering experience. We can talk to the board in the morning and fix an Entra misconfiguration in the afternoon.

Question 16

How do the CY360 Analytics services help?

Accepted Answer

We build insights for C-level visibility—KPIs, dashboards, SecOps metrics, cost optimization models, and data analyses that guide decisions instead of overwhelming with noise.

Question 17

Is the CY360 platform secure for sensitive data?

Accepted Answer

Yes. It uses Zero Trust design, Entra-based authentication, strict tenant isolation, encryption in transit and at rest, immutable logs, and Swiss/EU data residency.

Question 18

Who controls access to our CY360 instance?

Accepted Answer

You do. Authentication is through your own Microsoft Entra tenant, so MFA, Conditional Access, and access revocation remain under your full control.

Question 19

Do Cyway services help with regulatory readiness?

Accepted Answer

Yes. CY360 supports GDPR, nFADP, NIS2, DORA, ISO 27001, and TiSAX. Our risk-based approach connects controls to regulatory impact for executive clarity.

Question 20

Can Cyway help us define cybersecurity KPIs?

Accepted Answer

Absolutely. We design lean KPI and KRI sets aligned to NIST CSF 2.0 that reflect real risk reduction and executive decision needs rather than complex scorecards.

Question 21

Do you work with small and mid-sized businesses?

Accepted Answer

Yes. Our services are designed for SMEs up to mid-market enterprises, providing high-value outcomes without requiring large in-house security teams.

Question 22

How does pricing work for CY360 services?

Accepted Answer

Core packages are fixed-price and subscription-based. Custom services are T&M. Pre-commit volume gives discounts, and unused services expire after the defined period.

Question 23

How are service checkpoints delivered?

Accepted Answer

Checkpoints are remote or onsite sessions summarizing threat radar, KPI changes, treatment progress, and critical decisions—delivered using the CY360 ISMS/GRC tool.

Question 24

Can Cyway integrate with our existing security tools?

Accepted Answer

Yes. We integrate with Microsoft Cloud, SIEM/SOAR platforms, AI systems, and data sources via APIs or log ingestion to support analytics and program visibility.

Question 25

Do you use AI in your service delivery?

Accepted Answer

Yes, in a controlled way. Data is pseudonymized or processed under strict agreements, never shared externally, and handled within EU/Swiss compliance boundaries.

Question 26

How do you ensure executive buy-in during engagements?

Accepted Answer

We align recommendations with business outcomes—risk, revenue, compliance, and operational resilience—ensuring leadership can make informed decisions quickly.

Question 27

Can we start with one service and expand later?

Accepted Answer

Yes. Most customers start with an External Attack Surface / ransomware prevent or AI Adoption check and later expand into Effective Security Program, Cloud Security, or vCISO support.

Question 28

How does Cyway help reduce security spend?

Accepted Answer

By prioritizing actions with the highest risk-reduction-per-CHF, eliminating waste, optimizing licenses, and focusing on practical controls rather than theoretical frameworks.

FAQ

What makes Cyway different from traditional cybersecurity consultancies?

What makes Cyway different from traditional cybersecurity consultancies?

How does Cyway approach AI security differently?

How does Cyway approach AI security differently?

What is the CY360 Effective Security Program?

What is the CY360 Effective Security Program?

How long does onboarding onto CY360 take?

How long does onboarding onto CY360 take?

How does the AI Adoption service help organizations?

How does the AI Adoption service help organizations?

What is included in the AI Utilization offering?

What is included in the AI Utilization offering?

Do you build custom AI models or RAG systems?

Do you build custom AI models or RAG systems?

How does Cyway help with AI risk management?

How does Cyway help with AI risk management?

What is External Attack Surface Management / ransomware prevention and how does it work?

What is External Attack Surface Management / ransomware prevention and how does it work?

How often should an External Attack Surface / ransomware prevention check be run?

How often should an External Attack Surface / ransomware prevention check be run?

Do you also support deeper ransomware resilience work?

Do you also support deeper ransomware resilience work?

What is included in the Microsoft Cloud Hygiene service?

What is included in the Microsoft Cloud Hygiene service?

Do you support advanced Microsoft cloud projects?

Do you support advanced Microsoft cloud projects?

What does the vCISO service cover?

What does the vCISO service cover?

How is Cyway different from a typical vCISO?

How is Cyway different from a typical vCISO?

How do the CY360 Analytics services help?

How do the CY360 Analytics services help?

Is the CY360 platform secure for sensitive data?

Is the CY360 platform secure for sensitive data?

Who controls access to our CY360 instance?

Who controls access to our CY360 instance?

Do Cyway services help with regulatory readiness?

Do Cyway services help with regulatory readiness?

Can Cyway help us define cybersecurity KPIs?

Can Cyway help us define cybersecurity KPIs?

Do you work with small and mid-sized businesses?

Do you work with small and mid-sized businesses?

How does pricing work for CY360 services?

How does pricing work for CY360 services?

How are service checkpoints delivered?

How are service checkpoints delivered?

Can Cyway integrate with our existing security tools?

Can Cyway integrate with our existing security tools?

Do you use AI in your service delivery?

Do you use AI in your service delivery?

How do you ensure executive buy-in during engagements?

How do you ensure executive buy-in during engagements?

Can we start with one service and expand later?

Can we start with one service and expand later?

How does Cyway help reduce security spend?

How does Cyway help reduce security spend?