example of Impact - GOVERNANCE, RISK MITIGATION & CHANGE MANAGEMENT
Enhancing a cybersecurity division
Client background and situation:
Growing company needed to urgently upgrade its cybersecurity division. It had some elements in place, such as enterprise-wide multifactor authentication and a team to monitor and respond to threats.
Wanted to understand how to get the best return on investment in risk reduction and to look at privileged access management, data loss prevention, and other areas. Opportunity to upgrade Cyber talent in a competitive market.
The past
Prior approach & challenges:
Underinvested in cybersecurity and buried it within IT, with limited connectivity to the business and no prioritization of where to allocate limited resources (i.e. no risk-appetite-based approach).
Ad-hoc approach of building controls where they may not be needed, which frustrated business leaders who felt there was unnecessary "interference" by the Cyber team.
solutions
Coppertree Partners approach:
enhanced strategy and internal alignment
Conducted workshops to bring business, IT, Cyber, Risk and other teams together to discuss vulnerabilities and options. Created inventory of all assets and led prioritization discussion to understand the risks of highest concern, where the value is in the business (i.e. a payment process), and overall risk appetite
developed remediation plan
Analyzed vulnerabilities and refined the internal list, including third-party risk, and helped plan and test responses to cybersecurity incidents, including using vendors to assist with crisis simulations. Led effort on a control plan to help optimize spending to achieve the highest feasible risk reduction – more critical assets had stronger controls.
improved internal communication and awareness
Developed an employee awareness and training approach, including phishing campaigns.
Impact:
- Stronger cybersecurity program and resilience with greater communication between internal stakeholders
Additional insights and takeaways
Convenience and security are a challenging balance to maintain. If you make security onerous, people may take actions to circumvent the controls you have in place. You also need to ruthlessly prioritize – have a strong understanding of your assets and what to protect, be aware of your vulnerabilities and threats, and put in place controls that are in harmony with your risk appetite. Technology is key given the high complexity involved – data, infrastructure, applications and employees are exposed to different types and levels of threats. For instance, big data is helping companies predict attacks, such as by detecting log-ins from unusual locations. Some companies use risk analytics on email activity to detect insider threats from employees and contractors.