When lapses in information security threaten critical data

New executive leadership at a large payment-services company had real concerns about the company’s information security: The company had no protocol for managing security incidents. It was not clear whether the right people were in the right security jobs or even whether there were enough security staff in the first place. What’s more, management said it was uncertain that the company fully met the Payment Card Industry Data Security Standard—the widely accepted set of policies created jointly by major credit card companies to secure credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. And then there was the question of how to justify to the board any continued investments in cybersecurity. To help resolve those issues, the new management team turned to AlixPartners.

A structured review finds exactly where cyberrisks are high—and low

Our assignment was to assess the company’s level of information security risk. Specifically, we had to analyze the maturity of the organization’s approach to information security, propose the framework and elements of a security function, and, as a quick win, build an incident-response process. We had four months to complete everything. First, we reviewed what the potential business impact would be if the company lost access to information vital to all of its lines of business or if the integrity or confidentiality of the information became severely compromised. Next, in order to gauge the likelihood of an information security incident, we assessed and catalogued potential threats by looking at the maturity of the technical, process, and people aspects of the company’s security function. Last, our team got to work weighing, for each of the company’s business and technical assets, the actual business risk that cyber vulnerabilities exposed.

When it really matters

Our work successfully allayed management’s information security concerns. We tailored our risk assessment reports with appropriate levels of detail for the chief technology officer, the chief information security officer, and the general manager. We designed a detailed process for managing security incidents, tying it into the existing ticketing system and crisis management process. We determined the company’s information security maturity by applying the US Department of Commerce’s National Institute for Science and Technology standards so as to compare the company’s information security maturity level with the levels of its peers in the same market. We created a three-year set of guidelines for security activities, showing the investments needed to keep cyberrisks below what the company would find tolerable. We also outlined a new information security organization, complete with detail on all key roles and responsibilities. Based on the quality of our work, the company’s leadership team has asked us to continue helping by implementing the security guidelines we built.