How We Work

From assessment to assurance.

Every engagement follows a proven methodology that combines technical depth with organizational understanding. Here's what working with Merek actually looks like.

Our Philosophy

Security built on understanding.

Most firms hand you a checklist. We start by understanding your business — your culture, your people, your risk tolerance, and your mission. That context shapes everything we do. Because a security program that doesn't fit the organization it protects is a security program that fails.

Our methodology draws on 25 years of cybersecurity experience across the Pentagon, Los Alamos National Laboratory, Boeing, and IBM — combined with cyberpsychology research that treats human behavior as the critical variable in every risk equation.

The Engagement

Four phases. One commitment.

Leave your organization stronger than we found it.

01
1–2 weeks

Discover

We listen first. Before we assess anything, we need to understand your environment, your culture, and what success looks like for your organization.

Stakeholder Interviews

Conversations with leadership, IT, operations, and end-users to understand the real security landscape — not just the documented one.

Environment Mapping

Inventory of systems, data flows, third-party connections, and the human processes that touch sensitive information.

Scope Definition

Clear boundaries, timelines, and success criteria so there are no surprises. We align on what we're protecting and why.

Regulatory Landscape

Identification of every applicable framework and regulation — NIST SP 800-171, CMMC, HIPAA, GDPR, CCPA — and how they intersect with your operations, so the assessment scope matches your actual obligations.

02
2–4 weeks

Assess

This is where the depth happens. A rigorous, multi-dimensional assessment that goes beyond checklists to uncover real risk across technical systems, operational processes, and human behaviors.

Technical Controls Review

Evaluation of access controls, encryption, network segmentation, endpoint protection, logging, and monitoring against industry frameworks.

Policy & Documentation Audit

Gap analysis of existing security policies, incident response plans, business continuity documentation, and training records.

Human Factor Analysis

Cyberpsychology-informed evaluation of security culture, behavioral patterns, phishing susceptibility, and organizational awareness. This is where most firms stop — and where we go deeper.

Threat Modeling

Scenario-based analysis of your most likely and most impactful threats, mapped to your specific environment and adversary profile.

SPRS Score Calculation

For defense contractors: scoring against the 110 NIST SP 800-171 requirements using the DoD Assessment Methodology, with full documentation of each assessed value and the rationale behind it, ready for submission to the Supplier Performance Risk System (SPRS).
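To show what an SPRS score actually consists of, here is an added worked example (not Merek's tooling, and not part of the original page) that applies the DoD NIST SP 800-171 Assessment Methodology scoring rules: start at 110, subtract each unimplemented requirement's weight of 5, 3 or 1, give partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), refuse to score when 3.12.4 (the System Security Plan) is absent, and floor the result at -203. The requirement weights and the sample assessment below are an illustrative subset constructed for this example; a real assessment uses the full weight table from the methodology's annex.

```python
"""Worked SPRS score calculation (added example, not the page's own tooling).

Rules implemented, as stated in the DoD NIST SP 800-171 Assessment Methodology:
  * start at 110 and subtract the weight (5, 3 or 1) of each unimplemented requirement
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) earn partial credit:
    partial implementation subtracts 3 instead of 5
  * 3.12.4 (SSP) is not weighted; without an SSP no score can be produced
  * the lowest possible score is -203
"""
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"


# Illustrative subset of requirement weights, assumed for this example.
# A real assessment must use the full annex table from the methodology.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1,
    "3.3.1": 5, "3.5.3": 5, "3.11.2": 5, "3.13.11": 5, "3.14.1": 5,
}
# Requirements that earn partial credit (points subtracted when PARTIAL).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
SSP_REQUIREMENT = "3.12.4"  # prerequisite; carries no weight
MAX_SCORE = 110
MIN_SCORE = -203


def score_assessment(statuses: dict[str, Status]) -> tuple[int, list[dict]]:
    """Return (score, deductions) for a set of assessed requirement statuses.

    `statuses` maps requirement id -> Status and must include 3.12.4 (the SSP).
    Each deduction record carries the id, weight, points subtracted and a
    rationale string so the assessment documentation is produced with the score.
    """
    ssp = statuses.get(SSP_REQUIREMENT)
    if ssp is None or ssp is not Status.IMPLEMENTED:
        raise ValueError(f"{SSP_REQUIREMENT}: no System Security Plan; assessment cannot be scored")

    unknown = set(statuses) - set(WEIGHTS) - {SSP_REQUIREMENT}
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")

    score = MAX_SCORE
    deductions: list[dict] = []
    for req_id, weight in sorted(WEIGHTS.items()):
        status = statuses.get(req_id, Status.IMPLEMENTED)
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.PARTIAL and req_id in PARTIAL_CREDIT:
            points = PARTIAL_CREDIT[req_id]
            rationale = "partially implemented; partial credit applies"
        else:
            # PARTIAL on any other requirement counts as not implemented.
            points = weight
            rationale = "not implemented (no partial credit for this requirement)"
        score -= points
        deductions.append({"id": req_id, "weight": weight,
                           "subtracted": points, "rationale": rationale})

    return max(score, MIN_SCORE), deductions


# Constructed sample assessment for the example: MFA covers privileged and remote
# users only, encryption is in place but not FIPS-validated, three gaps elsewhere.
SAMPLE_ASSESSMENT = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.2": Status.IMPLEMENTED,
    "3.1.5": Status.NOT_IMPLEMENTED,
    "3.1.20": Status.NOT_IMPLEMENTED,
    "3.3.1": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,
    "3.11.2": Status.NOT_IMPLEMENTED,
    "3.12.4": Status.IMPLEMENTED,
    "3.13.11": Status.PARTIAL,
    "3.14.1": Status.IMPLEMENTED,
}

if __name__ == "__main__":
    total, items = score_assessment(SAMPLE_ASSESSMENT)
    for item in items:
        print(f"{item['id']:<8} weight {item['weight']}  -{item['subtracted']}  {item['rationale']}")
    print(f"SPRS score: {total}")
```

The sample yields 95: 110 minus 3 (3.1.5), 1 (3.1.20), 3 (partial MFA), 5 (3.11.2) and 3 (non-FIPS encryption). Note that a requirement tracked on a POA&M still counts as unimplemented until it is actually closed, which is why the deduction list, not just the number, is what belongs in the assessment record.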

03
4–12 weeks

Implement

Findings without action are just expensive documentation. We translate every assessment into clear, prioritized remediation that your team can own and execute.

Prioritized Remediation Roadmap

Risks ranked by impact and exploitability. Quick wins identified alongside strategic investments. No 200-page report that sits on a shelf.

Policy & Plan Development

System Security Plans (SSP), Plan of Action & Milestones (POA&M), incident response plans, and security policies written for your organization — not templated boilerplate.

Technical Remediation Support

Hands-on guidance implementing controls — from MFA deployment to network segmentation to SIEM configuration. We work alongside your team, not above them.

Security Awareness Training

Cyberpsychology-based training programs that create lasting behavior change, not just annual compliance checkboxes.

04
Ongoing

Sustain

Security isn't a project — it's a posture. We stay with you, providing ongoing advisory, monitoring, and continuous improvement so your security program evolves with your business.

Ongoing Advisory

Regular check-ins with leadership, quarterly risk reviews, and strategic guidance on emerging threats and regulatory changes.

Compliance Monitoring

Continuous monitoring of your compliance posture against applicable frameworks. No surprises at audit time.

Board & Executive Reporting

Clear, non-technical risk communication for leadership. Quarterly presentations that translate cybersecurity posture into business language.

Incident Response Readiness

Tabletop exercises, plan updates, and response coordination so your team is prepared — not just documented.

The Merek Difference

Why organizations choose us.

Cyberpsychology-Informed

We don't just assess technical controls. We understand why people click, why they share, why they bypass security — and we build programs that address root causes, not symptoms.

Practitioner-Led

Every engagement is led by certified practitioners — CISSP, CISM, CAP, CDPSE, CyberAB RP — with real operational experience, not junior analysts following scripts.

Relationship, Not Transaction

We embed with your team. We learn your business. We build programs you can sustain long after the engagement ends. Security is a relationship, not a deliverable.

Framework Fluency

NIST 800-171, NIST 800-53, CMMC, HIPAA, HITRUST, GDPR, CCPA, FedRAMP — we speak every framework and know how they intersect for your specific compliance obligations.

Ready?

Let's assess where you stand.

Every engagement starts with a conversation. Tell us about your organization and we'll show you exactly how we can help.