The Challenge
A leading Business Process Management services company required a comprehensive third-party security review of their large, complex IT environment. Having seen competitors in their sector in the news due to a cyber security breach, they were keen to substantiate their own current cyber security posture with a trusted partner and take any remedial actions recommended to protect themselves from similar breaches. They found their way to Criticalis and we handled this sensitive work for them.
The Insight
A change of perspective:
The company already held ISO 27001 and PCI accreditations, so we intentionally used a different framework to benchmark their systems. This helped to identify areas of improvement or attention by looking at tools, software, systems and processes through a different, but equally valid, cyber security lens.
The Objective
The key objective was to obtain an accurate picture of the company’s current cyber security status, distilled into a consumable summary that could be reported to and clearly understood by the (non-expert) board executives. The secondary objective was to highlight the current mitigations deployed against potential attack vectors and to identify areas for further improvement. Achieving both of these aims would help the leadership team determine whether the existing cyber security controls were sufficient, or whether investment to enhance their cyber maturity was both required and desired.
The Solution
The challenge for any company seeking this type of support is locating a trusted third-party partner with a cyber security heritage of expert, experienced professionals, one who can provide confidence that the objectives will be comprehensively achieved. Fortunately, Criticalis was exactly what the client wanted. We delved into the details of the complex environment and, using our expert eye and experience, provided an impartial assessment and valuable feedback for the board.
We reviewed their systems against 18 different control areas and identified 15 main areas of recommendations, assessing against a framework different from their existing benchmark to provide that all-important alternative perspective. Upon conclusion of the review, the clear and accessible report outlining the findings and recommendations was followed by a call to discuss the detail and provide further insight and context. The report set out high-level areas and recommendations for improvement, and mapped potential attack vectors to the control mitigations already deployed.
Results
The partnership proved to be highly successful, thanks to the positive collaboration between our team and the client’s in-house technical teams, and benefited from the experience and expertise of our security consultants.
The client’s board has developed a programme to address the findings based around our report’s clear areas of recommendations. There is the expectation of working further with us in future so we can help them to ensure their business remains resilient in the face of a changing threat landscape.