Risk-based approach to managing cyber security
Client: Multiple Clients

Situation
- The client was running multiple generations of technology in its environment.
- The client was a well-known name in its industry; any breach would make headlines, and the resulting business loss and reputational damage would be extensive.
- The IT team was constantly firefighting and focused on upgrading the environment to current standards.
- Budgets were scarce, and the management team was not convinced of the need for security investment.
Task
- Given this scenario, how do we plan for a secure infrastructure?
- How can management be convinced of the need to keep the environment current?
- What does Information Security cover within the business, and why is it not only an IT problem?
Action
We worked with the audit teams (statutory and internal), who had compiled several compliance findings, to understand what they were actually asking for. Working with the CIO and the IT teams, we also found that although security was being discussed, there were no agreed policies and processes behind it. For example, when we asked about Disaster Recovery, we were given a document that said all the right things but had never been discussed with, or agreed upon by, management.
We used an international cyber security standard as the framework and recorded the current status under each of its headings. Under each heading we also noted what the IT and audit teams aspired to (with reference to the relevant standards and guidelines), which made the gaps explicit.
These steps built consensus and gave objectivity, weight, and credibility to the work, the opinions, and the budget requests.
We then ran a workshop with all stakeholders (audit, IT, Legal, and Finance) to present the current state and the challenges. The teams recognised that closing every gap was not feasible and that foolproof security is a myth, so together we prioritised the risks: which were acceptable, which were already covered by other mitigating controls, and which had to be addressed. Plans were formulated for the last group.
Results
Management was presented with the identified business risks under each category, what could happen if they were not addressed, and the prioritised plans to address them. This storyline resonated with the management team, who agreed with both the approach and the plan.
Value was delivered through:
- an enhanced reputation with peers
- more informed, data-driven decisions, captured in a three-year plan to reach the final objective.