When an award-winning internet and hosting service provider undertook a new business strategy to expand their market share, they realised that a greater market presence would bring not only increased brand visibility, but also an increased threat of cyber attacks.
As a result, they wanted to have the right strategy in place to manage the resulting threat landscape and support their customers.
Hosting Service Provider
Our client required a security strategy that not only supported and enforced their compliance with ISO 27001, but also gave them a deeper, company-wide understanding of the current and future capabilities required to defend against their threat landscape and that of their customers.
Given the breadth of their customer base, both in scale and in proposition, the client was concerned that a templated approach to defining their strategy and supporting capabilities would ultimately leave them unprepared.
Having reviewed other approaches, and still keen to find a partner who would help them understand the capabilities required to manage their combined threat landscape and the types of services they could offer to their customers, they approached ICA Consultancy.
Having sat down with the client and taken time to understand the challenges they faced, we defined some clear objectives for this engagement:
provide an understanding of their specific threat landscape
assess their current capability to manage those threats
align the enterprise security strategy with their culture, in-flight business strategy and pace of change
facilitate internal understanding of the issues the security strategy addresses, supporting its approval
enable the client to deliver the enterprise security strategy, through knowledge transfer and trusted advice
ensure compliance is an outcome, not an objective, of the enterprise security strategy
To support these objectives we defined three phases.
As a service provider for both residential and business customers, a comprehensive threat and capability review was required.
We went beyond simply understanding their current security implementation. We engaged with stakeholders from the CEO down, learning about their expectations regarding security. This gave us a broader understanding of the company's perspectives on security strategy.
Using a combination of open threat intelligence, threat exchange platforms and our industry experience, we provided the client with a list of threat actors who would be likely to target them directly or to use them as a route to attack one of their customers, and we also identified any indirect impacts on the client should one of their customers be targeted. These threats were assessed against the client's business strategy, anticipating how some might become greater or lesser threats as the business evolves.
Having completed the review, it became clear that some improvements were required. As a result, in parallel to defining the enterprise security strategy, we also provided our client with access to capabilities and experience to address some immediate gaps.
It was here that we focused on our objective of providing compliance as an outcome rather than a top-down objective: we built a capability model based on the NIST Cybersecurity Framework and extended it to include information security. This was mapped back to their ISO 27001 scope, ensuring that any maturity improvements could be reflected in the compliance framework.
Using the output from phase 1 we defined an Enterprise Security Strategy, covering both corporate and customer requirements.
To align with the in-flight business strategy, in terms of both pace of change and ensuring threats were managed appropriately, the strategy was scoped for delivery over three phases, each proposed to last 12 months.
The strategy was socialised amongst relevant stakeholders and then presented for approval. The strategy covered:
The threat landscape, across the client and their customers
The client’s capability to improve their security
Tactical changes that needed to be made immediately
Phases of implementation
A capability model, based on NIST and mapped to ISO 27001
An initial security baseline to achieve in the first year
An approach to measuring security effectiveness
We followed the presentation of the strategy with a cyber resilience exercise to bring the threats to life. For the exercise we partnered with a specialist third party, delivering the strategy and the exercise as a seamless experience.
This was a real-time exercise using a real-world scenario tailored to the client's environment and services, designed to demonstrate the importance of implementing the strategy.
Having obtained approval for the Enterprise Security Strategy we then began practical planning for the first year of the strategy.
This entailed the development of a number of work packages, each supported by detailed initiatives. These worked towards building the client’s security capabilities and achieving the objectives of the strategy.
Mindful that much can change in a short space of time, we worked closely with the client to see if any ‘in-flight’ projects could be matched to completing these initiatives.
Having scoped the detail of each of the initiatives, we identified the capabilities, resources and dependencies. Where the client lacked the capabilities to deliver these initiatives internally, we produced detailed requirements and then either:
provided the client with the capabilities and frameworks to roll out the improvements; or
ran a selection process, including RFI, RFP and Best and Final Offer stages.
Throughout the engagement we worked seamlessly with the client's own teams to deliver improvements across the business.