Case Study: Enterprise Security Strategy

When an award-winning internet and hosting service provider undertook a new business strategy to expand their market share, they realised that a greater market presence would lead not only to increased brand visibility, but also to an increased threat of cyber attacks.

As a result, they wanted to have the right strategy in place to manage the resulting threat landscape and support their customers.

INDUSTRY

Hosting Service Provider 

LOCATION

United Kingdom

Their Challenge

Our client required a security strategy that not only supported and enforced their compliance with ISO 27001, but also gave them a deeper, company-wide understanding of the current and future capabilities required to defend against their threat landscape and that of their customers.

Given the breadth of their customers, both in terms of scale and proposition, the client was concerned that a templated approach to defining their strategy and supporting capabilities would ultimately leave them unprepared.

Having reviewed other approaches, and still keen to find a partner who would help them understand the capabilities required to manage their combined threat landscape and the types of services they could offer to their customers, they approached ICA Consultancy.

Our Proposition

Having sat down with the client and taken time to understand the challenges they face, we defined some clear objectives for this engagement:

    • provide an understanding of their specific threat landscape

    • assess their current capability against managing those threats

    • align the enterprise security strategy with their culture, in-flight business strategy and pace of change

    • facilitate internal understanding of the issues the security strategy addresses, supporting its approval

    • enable the client to deliver the enterprise security strategy, through knowledge transfer and trusted advice

    • ensure compliance is an outcome, not an objective, of the enterprise security strategy

To support these objectives we defined three phases.

PHASE 1

Threat and Capability Review
  • Understand the threat landscape
  • Assess capabilities and services
  • Identify and prioritise gaps

PHASE 2

Enterprise Security Strategy
  • Ensure business wide engagement
  • Define outcomes and objectives
  • Achieve board approval

PHASE 3

Detailed Plan Year One
  • Define detailed requirements
  • Scope resources and costs
  • Engage third parties


Phase 1: Threat and Capability Review

As a service provider to both residential and business customers, a comprehensive threat and capability review was required.

We went beyond simply understanding their current security implementation. We engaged with stakeholders from the CEO down, learning about their expectations regarding security. This gave us a broader understanding of the company's perspectives on security strategy.

Using a combination of open threat intelligence, threat exchange platforms and our industry experience, we provided the client with a list of threat actors who would likely target them directly or use them as a stepping stone to attack one of their customers, while also identifying any indirect impacts should one of their customers be targeted. These threats were assessed against the client's business strategy, anticipating how some might become greater or lesser threats as the business evolves.

Having completed the review, it became clear that some improvements were required. As a result, in parallel to defining the enterprise security strategy, we also provided our client with access to capabilities and experience to address some immediate gaps.

It was here that we focused on our objective of providing compliance as an outcome rather than a top-down objective: we built a capability model based on the NIST Cybersecurity Framework and extended it to include information security. This was mapped back to their ISO 27001 scope, ensuring any maturity improvements could be reflected in the compliance framework.

Phase 2: Enterprise Security Strategy

Using the output from phase 1 we defined an Enterprise Security Strategy, covering both corporate and customer requirements.

To align with the in-flight business strategy, both in terms of pace of change and in ensuring threats were managed appropriately, the strategy was scoped to be delivered over three phases of 12 months each.

The strategy was socialised amongst relevant stakeholders and then presented for approval. The strategy covered:

    • The threat landscape, across the client and their customers

    • The client’s capability to improve their security

    • Tactical changes that needed to be effected immediately

    • Phases of implementation

    • A capability model, based on the NIST Cybersecurity Framework and mapped to ISO 27001

    • An initial security baseline to achieve in the first year

    • An approach to measuring security effectiveness

We followed the presentation of the strategy with a cyber resilience exercise to bring the threats to life. For the exercise we partnered with a specialist third party, delivering the strategy and the exercise as a seamless experience.

This was a real-time exercise using a real-world scenario tailored to the client's environment and services, designed to demonstrate the importance of implementing the strategy.

Phase 3: Detailed Security Strategy Year One

Having obtained approval for the Enterprise Security Strategy we then began practical planning for the first year of the strategy.

This entailed the development of a number of work packages, each supported by detailed initiatives. These worked towards building the client’s security capabilities and achieving the objectives of the strategy.

Mindful that much can change in a short space of time, we worked closely with the client to identify any in-flight projects that could be aligned with, or deliver, these initiatives.

Having scoped the detail of each of the initiatives, we identified the capabilities, resources and dependencies. Where the client lacked the capabilities to deliver these initiatives internally, we produced detailed requirements and then either:

    • provided the client with the capabilities and frameworks to roll out the improvements; or

    • ran a selection process, including RFI, RFP and Best And Final Offers.

Throughout the engagement we worked seamlessly with the client's own teams to deliver improvements across the business.


Client Outcomes

    • Situational Awareness: The client gained a deeper understanding of the threats they face and their information security management capabilities. Management gained a greater perspective on their roles and how they could deliver value.
    • Stronger Risk Management: Throughout our engagement we fostered cultural change in the client's awareness and their appreciation of the need for strong risk management. The consequences of this included a revamp of their broader approach to risk management, a reappraisal of their business resilience and a vastly increased commitment to security.
    • Improved Challenge Articulation: Our engagement with senior management also helped them to articulate the security challenges they face. We gave them evidence and research which gave them improved knowledge of the threat landscape.
    • Collaboration and Growth: We worked with teams across the business to implement a framework they fully understand. We worked in partnership to establish the secure operating environment they approached us for, fostering the understanding they wanted along the way.
    • Compliance as an Outcome: This has aided the maturity of the client's security strategy, shifting them from a compliance focus to a focus on providing a secure operating environment, which in turn enables compliance.