Careful Assessment Builds Platform for Better Security
“An important consideration in this case was the cultural challenge of getting the best from what were effectively three independent security teams.”
A global venture capital (VC) firm required a security assessment of three organisations it was investing in. The three had worked together strategically as a key resource for the UK government during the COVID-19 pandemic. Each organisation, however, operated independently, with its own standards, methods, and processes.
One of our security partners was made aware of this requirement and recommended that the VC firm speak to us. The firm was keen to understand what these organisations needed to improve, how any required activity should be prioritised, and how much that would cost.
Unlike an ordinary assessment, which reviews the security practices of one organisation, in this case we had to review three. Because of this, good communication was important to ensure everyone knew who we were and what we were doing.
Interviews were conducted with specialists in all three organisations. This gave us a good understanding of their security controls and how they were operated. Our findings were consolidated in a report that looked at their security posture and risk profile, both individually and collectively.
As well as highlighting gaps in security, we provided a comprehensive view of the activities required to reduce their current level of risk.
Although it is easy to focus on control gaps, doing so does not always address the underlying problem. We therefore assessed why some of those gaps existed. There are always aspects of the way an organisation works that stop it from being more secure, and our analysis was able to clearly highlight some of these.
An important consideration in this case was the cultural challenge of getting the best from what were effectively three independent security teams. Arriving at an acceptable way forward that everyone can get behind is often difficult anyway. For these organisations, however, it was necessary to carefully ‘blend’ their approaches to deliver improved security and risk reduction.
The VC client started out not understanding the security posture of the three organisations in question. Following our assessment, it gained a full picture of where they were and how they could improve. The report provided to the client reflected their risk position and what it would take to both establish a risk appetite and move within that appetite for each security domain.
It was made clear what additional investment would be required to improve on each of the weaknesses identified. As a result of the report, the organisations went on to employ a joint CISO and started to take forward many of the recommendations.