The Situation

* The client was running multiple generations of technology in its environment.
* The client was a name to reckon with in the industry, so any breach would make the headlines, and the business loss and reputational damage would be extensive.
* The IT team was constantly firefighting and focused on upgrading the environment to current standards.
* Budgets were scarce, and the management team was not convinced of the need.

The Task

* Given the above scenario, how can we plan to ensure a secure infrastructure?
* What are the ways to convince management of the need to keep the environment current?
* What does Information Security cover within the business, and why is it not only an IT problem?

The Action / Approach

I worked with the audit teams (Statutory and Internal) that had put together a number of compliance issues and understood what they were after. Also, working with the CIO and the IT teams, I understood that while they were talking about security, there were no agreed policies and processes. For example, when asked about Disaster Recovery, I was provided a document that spoke of all the right things. It had never been discussed and agreed with management.

I used an international standard in Cyber Security and put together the current status under each head. The aspiration of the IT / Audit team under each head was noted (also with respect to the standards and guidelines), and hence the gaps.

These actions helped drive a consensus of opinions and gave objectivity, weight and credibility to the work, opinions and budgets.

Once this was done, a workshop was conducted across all stakeholders (Audit, IT, Legal and Finance) to show the current state and the challenges. Working with the teams, who also understood that correcting all the gaps was not feasible and that foolproof security is a myth, we were able to prioritise on risks: what risks were acceptable, what had other mitigating controls, what was absolutely necessary, and the plans.

The Result

Management was presented with the identified business risks under each category, what could happen if these were not addressed, and the prioritised plans to address them. The storyline resonated with the management team, who agreed with the approach and the plan.

Value was delivered by:

* Enhanced reputation with peers
* More informed, data-driven decisions that created a 3-year plan to meet the final objective

Pains relieved included:

* Lack of strategic alignment across the business
* Lack of access to relevant expertise

Focus In On: Responsible for Cyber Security / CISO

New Areas of Value:

* Make more informed, data-driven decisions
* Reduce risk of fines, theft and reputational damage
* Improved confidence in role or function
* Provide more innovative solutions to the business

Improvements around:

* Lack of strategic alignment across the business
* Lack of budget
* Lack of access to relevant expertise
* Resistance to change