Building cyber security and operational resilience
Our client – a global supply chain logistics company – works with many well-known consumer goods brands, making them an attractive target for potential cyber criminals. In the wake of several well-publicised major supply chain cyber-attacks on other companies, the executive leadership team and board recognised they faced a significant risk – which could result in substantial damage to financial performance, business continuity and reputation.
The company embarked upon a three-year scope of work to realise their strategy of increasing their cyber maturity and mitigating their most immediate risks. They needed to be able to identify and manage cyber risks; protect themselves from attacks; efficiently detect and respond to incidents when they did occur; and have the capability to recover quickly. Having historically under-invested in their cyber security defences, they correspondingly raised their cyber security spend from the previous 2-3% of the total IT budget to the industry standard of 6-8%.
Berkeley helped mobilise and then deliver the global programme of work required over a three-year period to achieve the agreed improvements and successfully meet the risk reduction and security maturity targets (as measured against the NIST cyber security maturity framework).
The main benefits of Berkeley’s involvement were strong programme oversight, significant contributions to the strategy evolution, and excellent support for executive leadership team and board briefings. They brought really strong oversight on the many moving parts and engagement across the teams.”
VP, GLOBAL IT INFRASTRUCTURE
Good programme mobilisation is the essential bridge between a cyber security strategy and the required delivery projects so we had to lay a firm foundation at this vital stage before we could hope to build anything more. Over the three-month mobilisation phase, we ensured the security programme had a clearly defined scope, delivery roadmap and the right governance to manage and control the delivery.
We also recognised and addressed the fact that people can be a significant vulnerability in an organisation’s cyber security defences. Leading an organisation-wide communication campaign, we raised awareness of cyber threats and the security programme. Just raising investment and implementing state-of-the-art technology won’t lead to your desired outcomes unless human behaviour is changed too. Analysis of historic data from the UK Information Commissioner’s Office has shown that human error causes 90% of cyber data breaches in the UK.
One of our consultants filled the Security Programme Manager role, working within the client team rather than as an external advisor, supported by one of our partners. When we moved into the programme delivery phase, the client asked us to continue to provide overall global programme management for the next two and a half years.
Berkeley had overall delivery responsibility, comprising a total portfolio of 10 projects. Some of our key achievements included implementing a range of new technology capabilities, selecting and transitioning to new service partners, and delivering a range of company-wide training and change management. Berkeley is fully independent, so we were trusted to lead vendor selection and management activities.
We also continued our work on addressing the human factor by publishing and communicating a new data classification and handling policy, which included deploying training to all users. We further reduced risk by leading a project to review and redesign user access and permissions to platforms and applications.
The table at the end of this case study details more of the work we delivered.
Throughout delivery, our consultants worked embedded within the client organisation, working hand-in-hand with their team. One highly-experienced consultant took the full-time role of overall Programme Manager, with a partner providing support, advice and guidance at the senior executive level.
Standardisation of the infrastructure base and a global approach were significant additional success factors. While the security programme was not responsible for delivering hardware refresh projects, under our leadership, the security programme became a key driver for these initiatives. A standardised technology base is key to providing a consistent level of security and a more easily defendable footprint.
Over two and a half years, we successfully delivered the maturity targets set out in the cyber security strategy and achieved 92% of milestones on time and on budget. We were successful despite COVID-19 disruption to the second half of the programme.
Due to our achievements in the first half of the programme, such as implementing multi-factor authentication, we were able to support the move of more than 6,000 staff to remote working without incurring any related security incidents.
Overall, we achieved an independently validated, measurable increase in cyber security maturity for our client. We also significantly reduced the net risk position from ‘critical’ to ‘medium’ against the top cyber security-related corporate-level risks.
But cyber threat is an ever-evolving landscape. While the security programme was a significant step forward for our client, they knew they couldn’t afford to stand still – or risk falling behind again. The client went on to ask for our support to help shape their security strategy and roadmap for the subsequent three years, ensuring they would continue to protect themselves.
|What was delivered
Identity and access management
User endpoint security (laptops, servers and mobile devices)