Helping a global retailer address immediate security risks
Our client, a global high-end luxury retailer with a brand based on reliability and trust, was challenged with a security team that was overstretched, and an abundance of in-house and 3rd party applications that needed security assessments. The threat and assessment (TA) team had been operating under legacy metrics and measurements. Combined with the challenge of communicating business priority in relation to security risks, the client was left with numerous exposed security weaknesses as well as an overall lack of good security visibility.
To get the team caught up on the workload, the client needed a partner to supply additional capability to the TA team. Once they’d worked through the backlog, the company needed an external security review of their process, procedures, and methods of evaluating and reporting security risks to the business.
The main tasks of the TA team included assessing the feasibility and security of internal systems, processing tickets, interviewing technical teams, and researching the product application systems that internal clients wanted to begin applying to the business. The TA team was the gateway for ensuring these tools would protect system data, safely interact with data, and ensure any connections were safe and secure. Our client needed to establish best practices to bring increased efficiency and effectiveness to the program. Our client chose Kalles Group to immediately fortify the company's security efforts, and to build a new, modern, enterprise-scale TA discipline within the company.
The Kalles Group team integrated with the TA team to process the work backlog so the team could transition to focusing ahead. Kalles Group led the team through re-imagining their security function and expected outcomes. This included a top-down assessment of the client’s security interaction with the enterprise, identifying opportunities to improve process requests, evaluate threats, discover blind spots, and build strategy, process, and measurement.
Kalles Group would need to work with leadership within the security team and within the business in order to help leadership on all sides establish security priorities and agree on hierarchies and processes.
The business needed to come to consensus on security policy to eliminate the risk of taking actions and making decisions that would put the business in jeopardy of a security risk.
This leadership team was composed of very tenured employees whose experience had been limited to the security challenges experienced within one company over the last decade. An expert team with more extensive experience would teach the TA team new security practices. This would be essential for the company to maintain a robust modern security approach.
The Kalles Group team performed a current state review, interviews, collected questionnaires, analyzed how the client’s security team processed tickets, performed maintenance, and monitored for risks. The Kalles Group team’s security audit would provide a singular perspective on how the client’s organization protected data, allowing leaders to see for the first time, a view of the business from a security-first perspective. When walking through the audit, exploring all areas of concern and discussing how security concerns competed with the priorities of the business, client leaders were able to make deliberate, knowledgeable decisions about the security choices they made.
After helping the TA team develop a consistent request intake process, they developed and implemented a quantitative risk assessment method that would provide a standard way to measure business impact and security risk across different types of technologies. The team established a pipeline of assessment life-cycle by setting internal SLAs. Security control checks were standardized using NIST 800-53 control families.
- The Kalles Group team drove the effort to define information classification categories across the entire organization to create a standardized, repeatable assessment framework.
- The team worked directly with the privacy team to align security needs with privacy requirements and led the effort to develop a service catalog of all the security functions that the internal information security team could provide to technology and application teams.
- A repeatable cloud security checklist was created for the cloud security team to accelerate the moving of workloads to the cloud while reducing potential security issues.
- New security assessment guidelines and recommendations would reduce confusion for technology and business application teams.
- Finally, the team established consistent practices for 3rd party and vendor risk assessments, and for enterprise-level architectural solutions to organization-wide secure technology challenges.
The client now had a framework for addressing security issues reliably and consistently based on educated decisions.
With the infrastructure in place to assess, prioritize, and manage risk, the client was able to set clear and strong policies around security that could be shared so employees applied them consistently, effectively, and efficiently across the organization.
This provided employees an understanding of the company’s security concerns, and a framework for how security should be prioritized. With clear expectation-setting the client's TA team was able to increase the volume and speed for processing requests and provide their clients a clear understanding of what could be expected.
Within the client’s security team, security protocols, intake processes and delivery metrics were standardized making it possible to establish consistent SLAs. This not only set expectations for the team’s customers, it helped those customers plan ahead to include the security team in their processes, thus eliminating unanticipated project delays. This boosted the reputation of the security team and helped business operations run more smoothly.
The client now had a framework for addressing security issues reliably and consistently based on educated decisions. There was a balance between security leadership and business leadership, a shared understanding of what security practices are paramount, and way to ensure security practices do not have to impede the speed of business.
In the future, to ensure security standards were standing up to the client’s strong culture and keeping up with changes in the business, the security team could perform the audit process on a regular basis. At the end of the Kalles Group engagement, senior leaders felt confident about how the company addressed security with respect to the needs of the business now, and how they would stay ahead of new security issues in the future.