Bringing vulnerability management up to date for a family office-style investing firm
Snapshot
The family office model of investing is like a full-service concierge that helps maintain and grow an extremely high-net-worth family’s fortune across generations. Some offices serve just one family; others serve several. Given the vast wealth involved (generally upwards of $100 million), any security weakness in these firms is actively sought out and exploited by cybercriminals.
A family office-style financial institution reached out to Kalles Group for help with patching and improving vulnerability management processes to improve the client’s standing with a key financial services vendor. Kalles Group performed remediation planning and analysis to bring the client’s systems in line with the latest security needs.
Challenge
Responding to information security concerns raised by a third-party vendor
A rise in multi-millionaire families is driving demand for this personalized wealth management model, which combines investment management, tax planning, estate planning, philanthropy, and efforts to prepare the next generation to manage their wealth successfully. Since these offices manage their clients’ fortunes so intimately, and the clients are so affluent, vulnerability management is vital.
Implementation of cybersecurity measures for many family offices is lagging behind the increase in awareness regarding the risks, but pressure from other industry players can prompt action. In this particular case, a financial services vendor notified the client that they would need to partner on an information security assessment in order to maintain access to the vendor’s third-party system.
This system was critical to the client’s delivery of services, and the vendor’s due diligence process required the client to submit responses to a detailed questionnaire based on the NIST cybersecurity controls framework. Responses needed to be truthful and transparent while also conveying the good practices that the team had already put in place.
Approach
Identifying gaps in the due diligence process and creating a roadmap for remediation
Given the sensitive nature of the client’s operations, Kalles Group collaborated closely with them and their IT provider to implement a comprehensive vulnerability management strategy. It was understandable that there would be gaps in their vulnerability management processes, given that the requirements within the due diligence process were new.
Kalles Group helped the client team understand the gaps and led the development of a three-year roadmap to remediate items based upon a well-informed set of priorities. Based on discovery-phase findings, the KG team also added improvement and maturation objectives to the roadmap even where these were unrelated to the vendor’s due diligence process.
A step-by-step process for assessing and remediating vulnerabilities
Beginning with vulnerability scanning, the KG team ranked vulnerable systems, developed a patching plan, upgraded devices, and educated employees on the importance of timely patching and proactive vulnerability management. Here’s a breakdown of the steps involved:
- Vulnerability management implementation. Kalles Group instituted vulnerability scanning across the IT environment and prioritized vulnerabilities to help stakeholders make sense of their scope and range. The consultants then conducted vulnerability research to rank vulnerable systems.
- Patch management improvement. Kalles Group created a patch prioritization roadmap to explain the process to all stakeholders and an action plan to regularly patch systems and devices. Where patching wasn’t possible, the consultants provided alternative vulnerability remediation options. This phase focused on implementing critical patches and reducing patch times.
- Broader network vulnerability assessment. Kalles Group identified fixes for long-standing vulnerabilities in various devices, including network devices and printers. The KG team consulted on feasible routes to mitigate vulnerabilities that couldn’t be immediately patched.
- Device upgrade program. Since outdated devices can pose security risks, Kalles Group consulted on an upgrade program for vulnerable endpoints.
- Employee education and engagement. To encourage employees to participate in the vulnerability management process and help them understand the importance of timely patching, the KG team launched an education program.
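To make the first two steps concrete, here is an added illustration (not Kalles Group’s tooling) of how scan findings can be turned into a ranked list of vulnerable systems, flagging those that need a mitigation plan because no patch exists, and into the critical/high patch-time metrics an annual report would track. The findings, severity weights and SLA targets below are all constructed assumptions.

```python
"""Rank vulnerable systems and track patch times from scan findings.
Added illustration: constructed findings, assumed weights and SLA targets."""
from collections import defaultdict
from datetime import datetime

# Assumed severity weights and patch SLA targets (days) for critical/high.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
PATCH_SLA_DAYS = {"critical": 3, "high": 7}

# Constructed scan findings: one dict per (host, vulnerability) pair.
FINDINGS = [
    {"host": "fileserver01", "criticality": 3, "severity": "critical",
     "patch_available": True, "found": "2024-03-01", "fixed": "2024-03-02"},
    {"host": "fileserver01", "criticality": 3, "severity": "high",
     "patch_available": True, "found": "2024-03-01", "fixed": None},
    {"host": "printer-lobby", "criticality": 1, "severity": "high",
     "patch_available": False, "found": "2024-02-10", "fixed": None},
    {"host": "laptop-17", "criticality": 2, "severity": "medium",
     "patch_available": True, "found": "2024-03-05", "fixed": "2024-03-09"},
]

def rank_systems(findings):
    """Score each host: sum of severity weight times asset criticality over
    its open findings. 'patchable' is False if any open finding has no
    vendor patch, i.e. the system needs a mitigation plan instead."""
    scores = defaultdict(lambda: {"score": 0, "patchable": True})
    for f in findings:
        if f["fixed"] is not None:
            continue  # already remediated, does not count against the host
        entry = scores[f["host"]]
        entry["score"] += SEVERITY_WEIGHT[f["severity"]] * f["criticality"]
        entry["patchable"] &= f["patch_available"]
    return sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)

def patch_time_report(findings, as_of):
    """Days to patch (or current age if still open) for critical/high
    findings, and whether each one is within its SLA target."""
    today = datetime.strptime(as_of, "%Y-%m-%d")
    report = []
    for f in findings:
        if f["severity"] not in PATCH_SLA_DAYS:
            continue
        found = datetime.strptime(f["found"], "%Y-%m-%d")
        end = datetime.strptime(f["fixed"], "%Y-%m-%d") if f["fixed"] else today
        days = (end - found).days
        report.append({"host": f["host"], "severity": f["severity"],
                       "days": days, "open": f["fixed"] is None,
                       "within_sla": days <= PATCH_SLA_DAYS[f["severity"]]})
    return report
```

Open findings that are past their SLA (here the high finding on fileserver01 and the unpatchable printer) are the ones to surface to business owners first.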
The consultants saw enthusiastic participation in pilots, most notably by the client’s Business Owners who “…learned a lot…” and “…felt it was eye opening.” Kalles Group introduced a new Threat Analysis & Modeling Guideline to define objectives, roles, and responsibilities and to detail annual report criteria, including metrics. Recorded Awareness and Skills modules were rolled out and integrated into New Employee Orientation training.
Results
A dramatic reduction in patch times and long-lasting vulnerability management improvements
Kalles Group’s stepwise vulnerability management consulting process had both immediate and long-term benefits. In the short run, the consultants reduced critical and high vulnerability patch times from several days to just a few days, and in some cases hours. They addressed long-standing vulnerabilities in network devices and printers to ensure that these endpoints would no longer pose a risk.
The financial institution benefits from overall improvements to its vulnerability management processes and enhanced employee participation in security practices. As a result, it has maintained good standing with the vendor and receives ongoing support from Kalles Group as it incrementally advances and matures its cybersecurity program.
As it turned out, the client later underwent a surprise SEC exam specific to its cybersecurity program and found that the KG team’s work had prepared it well. In the words of a Business Owner, “without the assistance of Kalles, we would not have been nearly as prepared as we were… I truly appreciate the effort of Kalles to help us better understand what we have in place and what goals we have for the future to maintain a secure network.”