The Situation

Thomas Cook wanted to restablish the office of the CISO and deliver cost savings

EBITDA improvement was the focus.

The cyber security function had been completely disbanded some years before when the previous CISO was made redundant.

Thomas Cook had undergone a series of ‘break and restructure’ moves which meant it’s focus had changed and much of its culture and financial priorities.

Fragments of cyber security were operating in the Digital Service and Architecture space only.

There was no defined operating model nor organisation design.

There was no clear strategic direction for cyber security  and no clear target maturity state.

The Task

Reporting to the Group Business and IT Director and in partnership with the Group CFO, successfully and rapidly delivered the key objectives which were:

a) Re-establish the Office of the CISO 

b) Turnaround the information and physical security improvement programme.  I then added an objective which was

c) as part of the ‘cost reduction and EBIT improvement drive’, identify innovative quantitative cost reduction benefits for the programme and operations based around annual BAU run-costs and 3rd party desktop auditing/support costs.  Budgetary responsibility: circa £25

The Action / Approach

My steps were as follows:

  1. Understand current state through stakeholder interviews and questionnaires
  2. Established people-first communication channels so everyone knew what was going on
  3. Formulated an achieveable TOM and TOD in partnership with the CIO and peers to ensure maturity and other benchmarks were normalised
  4. Gained board–level approval
  5. Built business case and initaited a major improvement programme
  6. Worked with HR to effect organsational change using interim OM/ODs
  7. Achieved restructure

The Result

  • Ensured that security was embedded in agile coding processes (SCRUM) and that TCs growing digital presence was strengthened. Devops automation tooling and compliance too.
  • Ensured effective incident handling by collaboration that operational, day-to-day security and a disparate team of in-house and 3rd party developers, IT and on-site security personnel were affecting critical security measures and ensuring no fires were left burning. This included leading the Security Governance Board which included the attendance of the group CFO.
  • Re-established the office and function of the CISO from ground zero in four months, including defining its Target Operating Model and Organisation Design whilst ensuring BAU GRC security design, risk assessment and operations continued and were under control; This meant that there were no unnecessary blockers to either business or IT delivery and operations.
  • Reduced estimated losses due to fraud by 8 points from a total of 20. This was through the implementation of group CCTV monitoring solution and application of more targeted resources improved and focussed in-store risk scenarios
  • Re-launched and re-centred the scattered Information Security team taking into account HR and employment law considerations for existing headcount transfers etc.
  • Defined a robust Security Strategy, supporting policies based on five objectives: Protect, Detect, Deter, Respond, and Recover.
  • Ensured that we were ready for GDPR readiness by ensuring that the main data foundational controls were in place and that the Programme would actively identify and improve any areas that needed improvement.
  • Re-focussed, re-scoped and bolstered the flagging security improvement programme’s business case to include 50% reduction of projected annual BAU operational run costs
  • Specified the security improvement programme’s workstreams which included IS027001 compliance, IncSOC/SIEM, DLP, General staff and targeted, developer Training, Awareness and Phishing defence.
  • Introduced a risk management system into a virtually green field/grey field estate which included a risk assessment methodology requiring little tooling and other support PPT (People, Process and Technology) and meant that the FD could be supported in the production of risk and audit reports to the board

Relevant Business Perspectives