Our client, a premium global retailer, recognized the need to strengthen its information security and to better protect its customers. To address these needs, the client enlisted Kalles Group to partner with its Information Security and Compliance team to develop and implement a solution.
The security precautions and risk management had to span the entire organization. This would include:
- Retail employees maintaining email security and customer privacy.
- IT administrators maintaining the highest network security protocols.
- Security operations sharing and using the same tools and guidelines.
- Leadership agreeing to new risk management strategies.
With such diverse stakeholders, the challenge was to create a business strategy to minimize security risks both internally and externally, using a holistic approach to security regulation compliance and data security.
Kalles Group recognized the need to develop a new organization-wide “culture of security” to overcome barriers such as perceived inconvenience or lack of urgency.
Our initial effort produced a SharePoint site for document management and a dashboard for status and communication.
Working with the client’s compliance director to gain support for the project was essential to the change. Kalles Group focused on finding the balance for a company where the necessary security does not negatively affect day-to-day business operations. Leadership was assured that it was enabling the productivity of the business while at the same time protecting it, and the project moved forward with stakeholder approval.
In addition, the team continued developing information security standards so the organization could follow standard, repeatable processes. The team evaluated the wide range of regulatory compliance requirements and mapped these requirements to minimize duplication of effort. In particular, several key milestones were created that were driven by external compliance objectives.
As a major part of the effort, Kalles Group assisted in maturing the methodology for managing risk, with the goal of moving from an ad hoc, reactive mode to planned, strategic management. Success would be measured by a reduction in risk, lower cost of managing risk, and fewer incidents related to information security risk. Measures implemented so far include:
- A central SharePoint site for document management.
- A streamlined workflow for document review and revision.
- A categorized and prioritized list of action items and business requirements to standardize state, national, and international security guidelines and regulations.
- A more proactive risk management strategy (e.g. implementing methods to prevent customer credit card number theft).
The client is now able to rely on information security as a service and a tool for the business. The client can now articulate its “risk appetite” as a function of the requirements of the business and its strategic needs, rather than reactively managing risk and incurring great cost.
Costs were minimized by:
- Listening and gathering requirements before acting prematurely.
- Mapping the wide range of security requirements and compliance regulations to minimize duplication of effort.
- Standardizing security guidelines and regulations for IT and security operations.
- Holding virtual meetings in lieu of travel.
The new information security and compliance strategy now helps provide assurance that the business and its customers will be protected.
Within the company, there may be a perception that security competes with performance. Through relationship building and careful planning, we overcame this perception to produce proactive security strategies.