Project Security Assurance Review
Capability Model Enables Effective Assessment and Progress
By i-confidential Staff
Following an audit, a large financial services client wanted to undertake an assessment of its approach to assuring project security. An immature set of processes and limited resources meant this function was ineffective, with every project receiving the same treatment, irrespective of risk. There were also two teams undertaking similar work, but at different points in the project lifecycle, with considerable and costly duplication.
The challenge facing the client was how to design a new operating model that combined the two teams into one organisation, with a single set of processes and tools that would more effectively use scarce resources and reduce costs.
We helped the client using i-confidential’s Assurance Capability Model, which has been developed based on our experience of resolving cyber issues across many of the UK’s largest financial services companies.
The first step was to baseline the existing operating model, processes, and tools across the two assurance teams. This involved gathering information and documents and interviewing key stakeholders. We also worked closely with the project sponsor to understand and shape the desired outcome.
With the baseline established, we compared the findings against our capability model. It contains all the required elements for effective project assurance, such as risk profiling, risk assessment, and governance. In our evaluation, we assigned a rating for each area along with detailed commentary. This was based on how well the existing capability aligned with industry best practice, and described the impact of any gaps.
The assessment sections of the report were complemented by a set of recommendations for each capability gap. These recommendations formed the basis of a new operating model for project security assurance.
Any action points from the review were then translated into a phased delivery roadmap. It addressed priority gaps and their dependencies within a suggested delivery timeline agreed by the project sponsor. This was supported by a high-level cost plan aligned to the phases of work.
Our Assurance Capability Model provided a reliable framework for comparing the client’s approach against industry best practice, and allowed us to meet its stringent cost and timescale goals.
The client used the report’s recommendations to secure additional funding to commence the early phases of building and implementing a new operating model. It also made a compelling case for additional headcount to support these changes.