Holistic plan builds trust in university’s IT
Snapshot
Too often, organizations manage their cybersecurity and IT programs without properly aligning the vision and priorities of each domain. This can create a lack of clarity and simplicity across mission and programs.
Kalles Group has a unique ability to lead engagements that span both domains, creating a consolidated vision and plan and keeping functions within each domain fully synthesized. When a local university sought assistance with technology operations issues, Kalles Group’s holistic approach helped the university improve its IT service offering, develop and implement a security program roadmap, and regain the trust of users.
Challenge
Financial constraints cause challenges for the university’s IT department as users’ confidence plummets
The university was underinvested in the areas of maintaining and expanding IT infrastructure, and the range of IT services offered was consistently contracting. This created technology operations issues for departments across the organization. As service constituents began to lose confidence in IT, departments started setting up their own shadow IT capabilities — a practice that will get users’ needs met faster but can also increase cyber risk.
Meanwhile, the IT staff themselves were struggling to keep an aging technology inventory and infrastructure stack afloat. Many devices and components were either at (or nearing) end-of-life and ready to lose vendor support. Financial constraints had significant impact on the team’s ability to manage inventory updates and make sure that assets could sufficiently meet availability and performance requirements.
Further, staffing limitations were causing IT services to be managed to an increasingly narrow scope. As a result, departments were often working to manage to their own technology needs with less skilled and experienced staff. The collective IT operation was increasingly decentralized and managed with a decreasing strategic focus, and IT service constituents were frustrated and wanting to see the IT department executing to a higher level of service.
Despite the IT team’s best efforts, cybersecurity inventory was faltering too
The IT team was covering all cybersecurity functions with an impressive level of competency considering that they had to balance the workload across the IT and security portfolios with limited staff. That said, the cybersecurity inventory — comprising systems, applications, and tools — was limited due to the same financial and staffing constraints.
To regain users’ confidence and improve both IT and security capabilities, the university sought the help of experts to fully assess both domains and develop a consolidated vision and plan for moving forward. Essentially, they needed someone to step in and act as interim CIO/CISO — which is exactly what Kalles Group did.
Approach
Assessing the university’s IT inventory and developing a process for MSP vendor selection
Kalles Group’s approach was very much along the lines of a fractional CIO/CISO engagement. The KG team provided the university with a clear analysis suggesting that the current staffing model made it unrealistic to truly elevate the level of provided services and recover the trust of IT service constituents. For this reason, they recommended that the university explore the option of outsourcing some or all of IT services.
Kalles Group assessment of the current state involved the following activities:
- Reviewing IT inventory
- Reviewing processes, policies, and procedures
- Interviewing key members of IT team
- Interviewing key executives
- Interviewing IT service constituents
The KG team then initiated a second phase of engagement to do the following:
- Capture requirements in a manner that could be developed into a Request for Information (RFI) artifact
- Perform market research on local IT Managed Service Provider (MSP) vendors
- Define a process for evaluating responses from IT MSP vendors
- Define a process for IT MSP vendor selection
- Lead a vendor selection process
- Support contract negotiations with selected vendor
Reviewing cybersecurity inventory and processes, identifying gaps, and developing a roadmap
To deliver guidance within the cybersecurity domain, the KG team provided a thorough assessment and identified gaps. Kalles Group assessed the current state via the following activities:
- Reviewing cybersecurity inventory
- Reviewing cybersecurity processes, policies, and procedures
- Interviewing key members of IT team
- Interviewing key executives
- Interviewing IT service constituents
- Providing an assessment against the ISO 27001:2013 standards framework
The assessment identified gaps in the following areas:
- Vulnerability management
- Endpoint management
- Security logging and monitoring
- Identity and Access Management (IAM)
- Remote management
Kalles Group then crafted a prioritized set of recommendations in the form of a security program roadmap. The roadmap items were folded into the IT services RFI that allowed bidding IT MSP vendors to also convey their cybersecurity capabilities.
Results
Restored confidence in IT upon outsourcing functions to a carefully selected MSP vendor
Thanks to Kalles Group’s guidance, the university selected an IT MSP vendor and outsourced nearly all IT functions to the third-party provider. Services are now being provided at a high level, and constituent feedback consistently reflects increased confidence in their partnership with IT.
In the words of the university’s CFO, “Kalles Group expertly guided us through the RFP process for selecting an IT managed service provider, and their team was instrumental in crafting the RFP document, establishing evaluation criteria, and translating technical information into layman’s terms. We are grateful for their expertise and advocacy throughout the process.”
The highest-priority cybersecurity requirements were centralized within the IT services RFI for vendor evaluation and selection. The selected partner incorporated requirements into proposal iterations, which flowed through the process and into contract execution. Kalles Group then transitioned the remaining cybersecurity roadmap to the vendor.
“Our relationship with Kalles Group is built on trust that they have earned throughout the consulting engagement, and I trust them completely and would not hesitate to engage with them again for any future projects,” says the CFO. “Kalles Group is truly a valuable asset to our organization.”