Bridging the gap between IT functionality and cyber resilience
The Challenge
An organisation that provides secure professional services to blue chip customers was concerned that they were susceptible to a data breach, and weren’t sure where best to focus their efforts in improving security. While they had capable IT staff in place, the focus was predominantly based on ‘making things work’ rather than ‘making things secure’.
They also found it difficult to make a case to the board for the budget and resources required to support cyber security. The technical output from security assessments that were being conducted, such as penetration testing, was difficult to translate into language that their board could understand, and was not sufficient to provide any clarity as to how best to improve security based on a prioritised approach.
The Solution
Daisy* was engaged to conduct an initial Cyber Security Review in order to both identify deficiencies in the organisation’s cyber security defences, and to help determine a plan to achieve an appropriate level of security in the coming years.
The outcome of the review showed that there were significant gaps that needed to be addressed, and while security was being considered in pockets of the business, there was no consistent approach. Using the priority recommendations in our report, the organisation had a clear plan of action for improvement, and the board had a clear picture of where the organisation was and where it needed to be.
Since that initial review, Daisy has been engaged to perform a repeat exercise every year. With each review, areas that have been addressed can be reviewed, and a new plan of action agreed for the following year. The findings of the review form a prominent part of board reporting, giving the board assurance that data is being protected and demonstrating the significant progress the organisation has made.
The Result
• An understanding of gaps in the organisation’s cyber security countermeasures
• A framework through which to focus improvement activities, and measure the effects of security initiatives undertaken
• The ability to report at board level on progress made, and on required future activities
• An assurance that their data, and that of their customers, is being adequately protected
