COVID-19
Our focus is on people, whether in our own business or that of our partners and clients.
Read about how ICA Consultancy has supported Hampshire Trust Bank in the definition and delivery of an Enterprise Security Strategy
ICA Consultancy’s focus is on delivering security leadership and advisory services through experienced resources who have previously held leadership positions in industry.
However, we are often asked to support those services with technical delivery and/or managed services.
So as not to dilute the value of the services we offer, we fulfil these requests through a network of trusted partners whose experience and expertise complement that of our own resources.
Security testing is a critical part of any security model. Whether you require software development reviews, penetration testing, or full red team exercises and attack simulations, we can support you through our network of trusted partners. We can complement these services with our advisory services, helping you interpret the results and make risk-based decisions on next steps. This ensures your investments directly reduce your risk profile.
Attracting and retaining the capabilities required to manage security operations effectively is difficult, let alone dedicating the time needed to maintain and tune the required tools. Through our network of trusted partners we are able to provide a variety of services, including an identity-focused offering that provides deep visibility into account and access activity within your estate. Optionally coupled with our CISO-as-a-Service, we can ensure the right management decisions are made.
When an award-winning internet and hosting service provider undertook a new business strategy to expand their market share, they realised that a greater market presence would lead not only to increased brand visibility, but also to an increased threat of cyber attacks.
As a result, they wanted to have the right strategy in place to manage the resulting threat landscape and support their customers.
Hosting Service Provider
United Kingdom
Our client required a security strategy that not only supported and enforced their compliance with ISO 27001, but also gave them a deeper, company-wide understanding of the current and future capabilities required to defend against their threat landscape and that of their customers.
Given the breadth of their customer base, both in terms of scale and proposition, the client was concerned that a templated approach to defining their strategy and supporting capabilities would ultimately leave them unprepared.
Having reviewed other approaches, and still keen to find a partner who would help them understand the capabilities required to manage their combined threat landscape and the types of services they could offer to their customers, they approached ICA Consultancy.
Having sat down with the client and taken time to understand the challenges they face, we defined some clear objectives for this engagement:
provide an understanding of their specific threat landscape
assess their current capability against managing those threats
align the enterprise security strategy with their culture, in-flight business strategy and pace of change
facilitate internal understanding of the issues the security strategy addresses, supporting its approval
enable the client to deliver the enterprise security strategy, through knowledge transfer and trusted advice
ensure compliance is an outcome, not an objective, of the enterprise security strategy
To support these objectives we defined three phases.
As a service provider for both residential and business customers, a comprehensive threat and capability review was required.
We went beyond simply understanding their current security implementation. We engaged with stakeholders from the CEO down; learning about their expectations regarding security. This gave us a broader understanding of the company’s perspectives on security strategy.
Using a combination of open-source threat intelligence, threat exchange platforms, and our industry experience, we provided the client with a list of threat actors likely to target them directly or to use them as a route to attack one of their customers, whilst also identifying any indirect impacts should one of their customers be targeted. These threats were assessed against the client’s business strategy, anticipating how some might become greater or lesser threats as the business evolves.
Having completed the review, it became clear that some improvements were required. As a result, in parallel to defining the enterprise security strategy, we also provided our client with access to capabilities and experience to address some immediate gaps.
It was here that we focused on our objective of providing compliance as an outcome rather than a top-down objective. We built a capability model based on the NIST Cybersecurity Framework and extended it to cover information security. This was mapped back to their ISO 27001 scope, ensuring any maturity improvements could be reflected in the compliance framework.
Using the output from phase 1 we defined an Enterprise Security Strategy, covering both corporate and customer requirements.
To align with the in-flight business strategy, both in terms of pace of change and ensuring threats were managed appropriately, the strategy was scoped to be delivered over three phases, each proposed to be 12 months in duration.
The strategy was socialised amongst relevant stakeholders and then presented for approval. The strategy covered:
The threat landscape, across the client and their customers
The client’s capability to improve their security
Tactical changes that needed to be effected immediately
Phases of implementation
A capability model, based on the NIST Cybersecurity Framework and mapped to ISO 27001
An initial security baseline to achieve in the first year
An approach to measuring security effectiveness
We followed the presentation of the strategy with a cyber resilience exercise to bring the threats to life. For the exercise we partnered with a specialist third party, delivering the strategy and the exercise as a seamless experience.
This was a real-time exercise using a real-world scenario tailored to the client’s environment and services, designed to demonstrate the importance of implementing the strategy.
Having obtained approval for the Enterprise Security Strategy we then began practical planning for the first year of the strategy.
This entailed the development of a number of work packages, each supported by detailed initiatives. These worked towards building the client’s security capabilities and achieving the objectives of the strategy.
Mindful that much can change in a short space of time, we worked closely with the client to identify any in-flight projects that could be aligned with, or used to complete, these initiatives.
Having scoped the detail of each of the initiatives, we identified the capabilities, resources and dependencies. Where the client lacked the capabilities to deliver these initiatives internally, we produced detailed requirements and then either:
provided the client with the capabilities and frameworks to roll out the improvements; or
ran a selection process, including RFI, RFP and Best And Final Offer (BAFO) stages.
Throughout the engagement we worked seamlessly with the client’s own teams to deliver improvements across the business.
ICA Consultancy provides advisory and consultancy services, and Capability-as-a-Service (CISO, DPO etc.) engagements, helping organisations identify, manage and mitigate information, cyber and privacy risks.