Accounting and Payroll Company

Context

The client is an international finance company offering financial outsourcing facilities such as payroll and tax management as well as accounting software. The Company was restructuring, and this included reducing the number of its datacentres. Templar Executives were asked to conduct a Cyber Maturity assessment of the Company for the new CEO and carry out some board-level and specialist executive training. This included their subsidiary headquartered in Johannesburg.

The Challenge

The client has a large portfolio of client SMEs (many household names) for management of client finances and tax. An assessment of the Company’s business was required to evaluate its Cyber Security posture, also encompassing its main subsidiaries in Africa. This was a critical business requirement as the Company holds a substantial amount of sensitive client SME data and was concerned about cyber vulnerabilities, including the insider threat, at a time of major restructure and expansion.

Our Approach

Templar Executives was engaged to conduct multiple risk assessments and benchmarking activities, evaluating the Company’s Cyber capability from the Board to all levels of the organisation – covering people, policies, processes, culture and Information Communications Technology (ICT). This included a gap analysis and producing a prioritised roadmap that would enable the Company to achieve a level of maturity that was ‘business enabling’. Our Cyber Maturity Assessment Diagnostic (CMAD) methodology assessed the Company’s ability to protect itself from Cyber-attacks and data breaches and whether its culture supported Company information and the ICT infrastructure (in terms of both security and business outcomes).

Outcomes and Benefits

The Company’s CEO and Board worked with Templar Executives in a trusted partnership to review risks and raise the Cyber maturity of the company. The strategy comprised a number of strategic Lines of Development and a Company-wide Information Assurance governance regime. The Board took collective responsibility and, on Templar’s advice, appointed a Senior Information Risk Owner (SIRO) responsible for promulgating best practice Cyber Security and Information Assurance. This leadership was very effective; the SIRO also participated in a tailored training and mentoring programme from Templar’s Cyber Academy to develop the knowledge, skills and capability for this challenging role. Information Asset owners were also identified, issued with Terms of Reference and trained in the role. An Information Risk Management approach was undertaken and critical and non-critical business information assets were identified. Templar produced and published the Risk Appetite Statement incorporating policies and processes.

Specialist technical advice on ICT vulnerabilities was also provided to enable a proactive approach; this included deploying Templar’s BLADE threat intelligence service to monitor open source and dark web activity.

Templar Executives also facilitated knowledge transfer to upskill staff, including enabling the Company to develop its in-house audit capability and allowing for the self-monitoring of progress. This audit team went on to present regularly to the main Board, supporting the sustainable development of Cyber maturity within the company.