Multi-national enterprise turns to Covestic for a security scorecard

BUSINESS CHALLENGE
This international company has many different business initiatives, products, and services, along with tens of thousands of computing devices (workstations, mobile, intermittently-connected laptops and servers) attached to their worldwide network. The equipment is often moved and/or modified, and is used by a continuously varying mix of internal, full-time staff, vendor-augmented staff, and outsourced suppliers in different countries. Because of this complexity, the overall level and sophistication of the firm's internal system security was substantially unknown to senior management.

Although the enterprise had defined standards for IT security practices and a suite of security mechanisms, they were unable to effectively assess conformance to standards and practices or usage of their standard security tools, and had no mechanism for assessing limitations and opportunities for improvements.

The organization wanted to implement a solution that would provide senior management with a robust but well-condensed view of the company's state of security compliance and behaviors potentially affecting security, in a format that permitted easy comparisons across various departments. The scorecard was chosen as the preferred delivery mechanism.

In addition to the main goal of centralized visibility into the company's security state, the company wanted to create a repeatable procedure for the periodic production of future security-oriented scorecards, and establish both general and highly-specific prescriptive guidance for various departments to assist them in achieving better security compliance quickly and cost-effectively.

COVESTIC'S SOLUTION
Recognizing our proven experience and subject matter expertise in both scorecards and security compliance, the company selected Covestic to provide a reliable, repeatable, and maintainable method of regularly producing an IT security scorecard that would report more than 25 significant, individual metrics associated with tens of thousands of systems and thousands of personnel, organized by both internal hierarchy (division, department, etc.) and geography. Covestic was also engaged to facilitate compliance improvement and remediation efforts, and to provide tutorial information that would enable the company to generate scorecards internally in the future.

Covestic guided the client through our distinctive five-step scorecard approach:

  • Scorecard Championing
    Client project champions looked to us not only to produce the customary value, goals, and objective deliverables of this stage, but also to identify the ideal set of internal consumers of the scorecard, as these were not known to project sponsors.
  • Reporting Infrastructure Assessment
    Special work in this area focused on data integrity, latency, and privacy issues in addition to the typical activities.
  • Data Gathering and Analysis
    A significant amount of process experimentation/standardization and custom software development was required to marshal, normalize, and correctly format data from more than a dozen sources.
  • Metrics Generation
    This also required significant software development, in addition to customary tasks and deliverables.
  • Scorecard Creation
    The client was uncertain as to their preferred scorecard data presentation format, and we engaged in internal survey work and the production of several different presentation prototypes to enable the ultimate selection.

At the client's request we added detailed tutorial activities and materials to enable them to assume responsibility internally for future scorecard generation and maintenance.

PROJECT RESULTS
The scorecard produced by Covestic exceeded all of the client's goals for the project. The enterprise obtained a sophisticated set of dynamic reports that enabled them to:

  • Immediately visualize where every division and department throughout the entire enterprise currently stood in terms of absolute and relative compliance with security policies, standards, and technologies. This enabled senior management to reassess and adjust a wide variety of security initiatives and reduce expenditures.
  • Empower management in individual parts of the organization to use standard desktop tools to engage in security data analytics customized to their responsibilities and objectives. This enabled objective understanding of specific, best-possible return-on-investment decisions related to security improvements.
  • Establish baseline data and a foundation for future trending and tracking of security improvements, thus enabling much more rapid adjustments in policies, procedures, and outlays.
  • Identify opportunities for the company to improve IT security awareness, security data quality, and timeliness and reduction of security-related costs.

The client was also supplied with the materials needed to assume scorecard production in-house at measurably lower on-going cost.

THE COVESTIC ADVANTAGE

The client's success in meeting all of their project goals validated the reasons Covestic had been engaged. Our extensive experience in producing a variety of scorecards, our well-proven scorecard methodology, and our relevant subject matter expertise were key factors in assuring that the project was on-time and on-budget, while still allowing for a significant degree of flexibility and customization during the project to accommodate modifications to the original project vision.

 

Covestic enabled the client to:
  • Immediately visualize security and compliance status across the organization.
  • Produce valuable documentary evidence for auditors.
  • Empower management in individual parts of the organization to use standard desktop tools to engage in security data analytics.
  • Establish baseline data and a data trending foundation for future research.
  • Identify a number of opportunities for improving IT security awareness, security data quality, and reduction of security-related costs.
©2007 Covestic Inc. All Rights Reserved.