Creating a Single Pane of Glass View in International Banking


Cyber Security Review (CSR) Case Study

30 June 2022

Case Study: At a Glance

Challenges:

  • 6 weeks to plan and deliver
  • Operational independence in ecosystem
  • Multiple locations and languages
  • Limited process standardization 

Results:

  • Current Maturity: 2.50
  • Target Maturity: 3.50
  • North and South America scored well, Europe and Asia average, and Australia scored the worst

Services Rendered:

  • Cyber Security Review (CSR)

Situation

The client, an international bank with operations across the globe, was working to kickstart a security improvement program. The client's Steering Committee had previously completed the initial planning, budgeting, and scheduling.

  • Customization of location-specific initiatives occurred before the current state assessment
  • 6 weeks to plan and deliver
  • A high degree of operational independence in bank's IT ecosystem
  • Limited standardization of processes across locations
  • Multinational team with local languages

Task

The client engaged NCC Group to conduct Cyber Security Reviews (CSR) of all their regions, leveraging the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). NCC Group stood up a "global but local" team that was centrally managed but staffed locally to align with regional culture and language requirements. Planning and client communications were handled centrally to ensure NCC Group consultants functioned as a cohesive team with one voice.

Action

NCC Group worked with the client technology and security leadership to conduct a collaborative CSR. The assessment was performed through the dual lens of transportation and SaaS while strategizing a roadmap that could deliver measurable improvements in the year before the client went public.

  • Established business context of regional and global vision, culture, risk appetite, and resource constraints
  • Performed business-focused threat modeling to identify relevant threat actors and attack vectors targeting critical business applications
  • Performed NIST CSF-driven maturity-based controls assessment
  • Defined current state of security measures and identified gaps
  • Presented a detailed report with recommendations to the Board of Directors

Results

  • Globally, the client was assessed at a 2.50 (Risk Informed) level of cyber security maturity as per NIST Implementation Tiers
  • Assessed maturity was lower than the client's desire to have a robust and repeatable program that translated to a target rating of 3.50 (Repeatable)
  • Assessment findings drove localization and prioritization of initiatives as part of the global security improvement plan
  • Significant regional variances were found across all five NIST functions, such as:
    • North and South America scored well on Recovery controls, with Europe and Asia around the middle and Australia scoring the worst
    • On Detect controls, European and Asian operations trounced the Americas

This engagement has been a Godsend before the rollout of our global security improvement program, helping us understand where to focus our efforts.

The highlights for us were the NCC [Group] consultants' deep knowledge and experience, their focus and concentrated way of working... [They] always would make the sometimes abstract concepts very tangible, which helped us... provide them with the right answers and also collect the evidences.

Chief Operating Officer, Client
