Both the name of the company in this case study and the name of the client for whom it was written are redacted for privacy.
For a large utility company like COMPANY NAME REDACTED, security risks bring threats on multiple levels. A breach could endanger diverse assets, from customer privacy to public safety. The consequences could be as small as a minor financial loss or as severe as a regional power outage lasting for weeks.
With so many different sectors at risk, it might seem logical to segregate security management as well. But this approach made it impossible for COMPANY to prioritize or evaluate risk consistently. Multiple databases tracked different types of threats, and it was difficult to identify where the worst vulnerabilities lay. And despite investing millions in security technology, COMPANY had no consistent way to measure whether policies were effective in reducing actual risk.
We were invited to help the company re-think their approach to risk management and create a solution that could ensure the assets most critical to the enterprise were protected.
Consistent controls eliminate redundancies
The first step was to develop a consistent set of controls. After a comprehensive analysis of their existing policies, CLIENT helped COMPANY use a unified compliance tool to create a harmonized set of controls for deployment throughout the enterprise. By integrating segregated control systems into a single framework, security was enhanced, policies simplified and redundancies eliminated.
Single platform ensures compliance
Next, a single assessment platform was built to measure compliance. Once controls were unified across the enterprise, assessments that had previously been tailored to individual sectors or projects could be standardized. Many assessments became automated, and expert assessors were shifted away from hands-on measurement into higher-level advisory roles. COMPANY could then deploy these assessment experts as consultants on new projects, where they could integrate security controls into new projects at a foundational level.
Automated systems expose vulnerabilities
While consistent security frameworks were built across the enterprise, they were also integrated with an “enterprise-first” method of automated data capture. Standardizing and automating data reduced inaccuracies, but it did more than that. It improved COMPANY’s ability to evaluate capabilities and vulnerabilities.
Through its integrated, comprehensive system that shares information across the enterprise, COMPANY now has a wider view of data over time, instead of measuring threats in isolated periods. The result is a more accurate risk index. Rather than adjusting the index in response to every denial of service attack, the system generates a risk index that measures new threats and changes in capabilities of known threats. This number is a more accurate measurement of risk in relation to capability and its change over time.
Automating security systems also made it simple for COMPANY to respond fluidly to changing regulations and threat capabilities. When a new control is needed, the CLIENT platform enables its quick deployment across the enterprise. As new threats develop, COMPANY can react quickly, ensuring that no sector is left unsecured.
Intelligent investment, confident protection
Today, COMPANY’s systems are more effective and secure. Not least among the benefits for COMPANY is the ability to prioritize risk and budget accordingly. CLIENT has made it possible for COMPANY to clearly evaluate which threats are most dangerous to the enterprise and what investments will most effectively reduce risk. COMPANY can now assign specific numbers to both budgets and risk reduction, enabling confident investment in security controls and clear measurement of investment return. Instead of reactively throwing money into new security technologies, COMPANY can know, for example, that a $2 million investment in data loss prevention will reduce risk by 2/10 over a two-year period.
For a utility like COMPANY, managing risk is non-negotiable, but without the right systems in place, the process can be haphazard and ineffective. An integrated, “enterprise-first” system allows the utility to clearly prioritize risks, achievements and benefits. At any time, COMPANY can confidently answer the question, “How secure is the enterprise?”