Deloitte Digital case study: Secure Cyber
Reviewing and strengthening a current cyber security posture
Before starting a large IT infrastructure program, the client, a major financial institution in Luxembourg, wanted to review and strengthen its cyber security posture. This project required an assessment covering the people, process and technology dimensions of the client’s current cyber security posture, and the definition of a tailored cyber security target state as well as an actionable plan for improvement and remediation to reach this target.
The following activities were performed:
- Cyber threat landscape: A preliminary step of this project consisted of defining the cyber threat landscape specific to the client (what is the Internet exposure, what are the sensitive digital assets, who might attack and which tactics they might use, etc.) as well as the organizational risk appetite;
- Definition of the “TO-BE” target state: We defined a target state tailored to the client’s cyber threat landscape and market leading practices, notably based on Information Security standards (such as ISO27001) and results of global and local benchmarks. This target state consisted of a detailed cyber security framework identifying required cyber security capabilities;
- Analysis of the gaps between “AS-IS” and “TO-BE”: We assisted the client in measuring its current cyber security maturity (three levels: People, Processes & Technology) through technical assessments and a review of organization and processes. Then, we performed a detailed gap analysis between the desired “Target State” and the “Current State”;
- Definition of corrective actions: We provided the client with a sequenced, structured, clear, and actionable set of corrective actions;
- Development of a cyber roadmap: We provided a strategic roadmap for improvement where corrective actions were instantiated into detailed and prioritized security projects (including cost-benefit analysis), adjustment to the organization and operating model, etc.
Through the outcome of this project, the client gained a clear view of its cyber security posture and was provided with an actionable roadmap to improve this posture. This project supported the transition to an executive-led cyber risk program that balances requirements to be secure, vigilant and resilient in line with the risk appetite of the client.
More specifically, the client benefited from:
- a sustainable cyber control framework to tackle current and emerging threats;
- an effective and short-term risk reduction program, e.g. the implementation of effective vulnerability management practices aligned with patch management activities, targeted security hardening, etc.;
- clear guidelines to rationalize security technologies.