Case Study—Cyber Risk Managed Program

Introduction

Our customer is a $60 million company based in Washington state with offices throughout the U.S. They needed to better manage their cyber risks, but could not create a dedicated, internal team. So, for a fraction of the cost of establishing an internal security department, they became members of our Cyber Risk Managed Program. The Managed Program consists of three phases conducted over 12 months and is renewed annually. Phases 1 and 2 together constitute a Cyber Risk Assessment, which can be purchased separately.

Phase 1—Measure & Score Cyber Risk

On March 21st, we conducted the kick-off meeting in our customer’s office. Over the next four weeks, we interviewed 21 of their subject-matter experts to collect risk scores. Each 90-minute interview consisted of a customized subset of 145 standard questions, all scored using a standard score key. We interviewed the customer’s employees either in person or by phone. Note that interviewee availability determines the duration of Phase 1. We finished all 21 interviews on April 18th. Using the scores generated from those 21 interviews, we calculated gaps and performed a statistical analysis to better understand the data. On May 4th, we delivered a prioritized list of cyber risks, with supporting details, to our customer for review and comment.

Phase 2—Create Cyber Risk Mitigation Plan with Business Value Analysis

We devised and delivered a preliminary Mitigation Plan on May 18th, at which point we collected customer feedback on the proposed risk mitigation steps. Each action in the Mitigation Plan was rank-ordered by both 3-year total cost of ownership and expected Business Value. We evaluated each major step of the Plan against the four dimensions of our Business Value Model:

Risk Reduction
Return on Investment
Increased Reliability of Operations
Indemnity

We incorporated the customer’s feedback and delivered the final report, the Scorecard, and supporting details on May 31st.

Phase 3—Perform Ongoing Maintenance & Updates

Our customer then created a year-long implementation plan. We assisted with organizing and sequencing the work and helped identify qualified vendors. At our customer’s request, Cyber Risk Opportunities provided sample policies, tutorials on encryption key management, and specifications for recurring cyber risk management reports. In Phase 3, our customer participates in two recurring meetings with Cyber Risk Opportunities over the remaining ten months of their Managed Program membership: Monthly Check-Ins and Quarterly Executive Sponsor Updates.

Monthly Check-In

The Monthly Check-In is a 1-hour meeting designed to support implementation of the customer’s Cyber Risk Mitigation Plan. During this time, we focus on removing blockers, celebrating successes, and exploring how recent and expected changes in the cyber risk landscape affect their scores.

As an example, a project to activate whole-disk encryption stalled due to lack of hardware support across the majority of the customer’s laptop fleet. To remove this blocker, we facilitated an analysis of several options and assisted the customer in making a sound decision that pushed the project forward despite the delay and additional cost.

We also alert our customer to new and relevant developments involving cyber risks. Examples include: (a) explanations of standard-setting FTC consent decrees and court rulings involving cybersecurity and cyber insurance; (b) trends in cyber-criminal behavior and tactics; (c) news events, such as the spread of NotPetya and WannaCry, that directly impact customer cyber risk management; and (d) noteworthy geopolitical events that may impact customer cyber risk, such as cyberwar in eastern Europe.

Quarterly Executive Sponsor Update

This is a 2-hour meeting for the executive sponsor. We work with our customer to revise their Scorecard to reflect progress made over the last 90 days. We also review a list of actions planned for the next 90-day period.