Dr. Edward G. Amoroso, CEO of the Amoroso Group (TAG Cyber), recently published the 2017 TAG Cyber Security Annual, a practical handbook for IT security professionals tasked with protecting their organizations from cyberattacks.

The report offers IT security teams a comprehensive technical and architectural direction based on 50 distinct security controls that decrease risk of a cyberattack. Dr. Amoroso puts forward a cyber framework that “embraces cloud, virtualization, and mobility as solutions rather than problems.”

He argues for a three step process to improve existing security architecture and infrastructure:

  1. Divide traditional, perimeter-based infrastructure into smaller, distributed micro-segments
  2. Offload the segments onto virtualized, cloud-based systems with advanced security controls
  3. Reload their IT security stack with advanced technologies from top cyber security vendors

Download the Full Report

Learn about the 50 security controls every enterprise needs to protect itself from cyber attacks.

Download Now

Dr. Amoroso identified the following four focus areas to be most important in protecting IT infrastructure from cyberattacks:

  1. Compliance – Regulations such as HIPAA-HITECH, PCI DSS, FISMA, and others, serve an important role in protecting an enterprise’s information and should be viewed not just as a mandatory box that must be checked, but as an asset.
  2. Technology – The security technology stack employed can make or break an enterprise’s ability to protect itself from cyber attacks.
  3. Architecture – Enterprises need to rethink security and move away from the traditional perimeter-based security paradigm to one that focuses on virtualization, mobility, and cloud.
  4. Innovation – Enterprises need innovative strategies and techniques for applying security controls to their information.

TAG Cyber “Enterprise 50” Security Controls

The 50 security controls are categorized under perimeter, network, endpoint, governance, data, and industry controls.


  1. Intrusion detection/prevention
  2. Data loss prevention
  3. Firewall platform
  4. Network access control
  5. Unified threat management
  6. Web application firewall
  7. Web fraud prevention
  8. Web security gateway


  1. CA/PKI solutions
  2. Cloud security
  3. DDOS security
  4. Email security
  5. Infrastructure security
  6. Network monitoring
  7. Secure file sharing
  8. VPN/Secure access


  1. Anti-malware
  2. Endpoint security
  3. Hardware/embedded security
  4. Industrial control system/Internet of things security
  5. Mainframe security
  6. Mobile security
  7. Password/Privilege management
  8. Two-factor authentication 25.
  9. Voice security


  1. Brand protection
  2. Bug bounty support
  3. Cyber insurance
  4. Governance, risk, and compliance
  5. Incident response
  6. Penetration testing
  7. Security analytics
  8. Security information event management
  9. Threat intelligence


  1. Application security
  2. Content protection (DRM/IRM)
  3. Data destruction
  4. Data encryption
  5. Digital forensics
  6. Identify and access management
  7. PCI DSS Compliance
  8. Vulnerability management


  1. Industry analysis
  2. Information assurance
  3. Managed security services
  4. Security consulting
  5. Security recruiting
  6. Security R&D
  7. Security training
  8. VAR security solutions