Wealth Management Company with Poor MSSP Contract
Industry: Wealth Management
Location: Toronto, Ontario, Canada
Size: 600 employees
Reason: Client required a Virtual CISO to provide Governance over existing MSSP
Effort: 3 days (roughly 24 hours) / week for 18 months
This client is a significant player in the Canadian investment management market. The company provides portfolio management, capital appreciation, equities, fixed income, investment analysis, and financial advisory services globally. As such, they had entered into a contract with one of Toronto's largest Managed Security Service Providers (MSSP) to ensure both regulatory compliance and a Cyber Security posture commensurate with their risk profile.
After more than a year into the contract, the MSSP had not fully completed all of its Cyber Security initiatives, and had fallen months behind in reporting.
The First 30 days:
The first 30 days were truly about "drinking from the firehose". This was a well-established company, with over 500 employees and several lines of business/subsidiaries. Our Virtual CISO worked with the C-Suite and the on-staff IT shop to identify the main data and infrastructure assets, review and assess the existing documentation, and understand and document the deficiencies in their Cyber Security program. The network team was a hybrid of on-staff and outsourced. The systems administrators and application developers were on staff, but the Cyber Security management (firewall, IPS, endpoint protection, SIEM) was entirely outsourced to this MSSP.
As part of the drinking from the firehose, we had requested current reports from their various security infrastructure controls. The first issue we came across was in the most recent SIEM report. Apparently there were roughly 400 systems assigned to forward logs to the SIEM. The number one Event in the report was "137 Devices not reporting logs". A quarter of those enrolled. So we requested the previous month. Same story... Back almost a year. Turns out that when the company refreshed a server, the old one was not removed from the SIEM, and the new one was not added... *And nobody noticed!*
This was indicative of all the remaining Cyber Security services provided by this MSSP.
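The SIEM finding above is a reconciliation problem: the "devices not reporting" count only means something when it is checked against the asset inventory. The following is an added example, not code from the case study or either MSSP, showing the check a Virtual CISO would ask for: it uses a constructed inventory and a constructed SIEM source table (host names, statuses and timestamps are all hypothetical) and separates the one headline number into the distinct gaps behind it.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the case study). INVENTORY is what the
# IT shop believes exists; SIEM_SOURCES maps enrolled log sources to the
# time of their last received event (None = enrolled, never reported).
NOW = datetime(2024, 1, 15, 9, 0)
SILENT_AFTER = timedelta(hours=24)

INVENTORY = {
    "fs-01":     {"status": "active"},
    "fs-01-old": {"status": "decommissioned"},  # refreshed, never removed
    "fs-02":     {"status": "active"},          # replacement, never added
    "db-03":     {"status": "active"},          # never enrolled at all
    "ws-10":     {"status": "active"},          # enrolled but forwarder broken
}

SIEM_SOURCES = {
    "fs-01":     NOW - timedelta(minutes=5),
    "fs-01-old": NOW - timedelta(days=90),
    "ws-10":     NOW - timedelta(days=3),
    "lab-99":    NOW - timedelta(hours=1),      # SIEM knows it, inventory does not
}


def reconcile(inventory, siem_sources, now=NOW, silent_after=SILENT_AFTER):
    """Split 'devices not reporting' into the separate failures it hides."""
    silent = {h for h, last in siem_sources.items()
              if last is None or now - last > silent_after}
    active = {h for h, a in inventory.items() if a["status"] == "active"}
    retired = set(inventory) - active
    return {
        # active, enrolled, but no events in the window: fix the forwarder/agent
        "silent_active": sorted(silent & active),
        # retired in inventory but still enrolled: remove, do not keep counting
        "stale_enrollment": sorted(set(siem_sources) & retired),
        # active with no SIEM source at all: onboarding step missed at refresh
        "not_enrolled": sorted(active - set(siem_sources)),
        # source unknown to inventory: shadow host or mislabeled system
        "unknown_source": sorted(set(siem_sources) - set(inventory)),
    }


def coverage(inventory, siem_sources, now=NOW, silent_after=SILENT_AFTER):
    """Fraction of active assets actually sending logs: the executive number."""
    active = [h for h, a in inventory.items() if a["status"] == "active"]
    fresh = [h for h in active
             if siem_sources.get(h) is not None
             and now - siem_sources[h] <= silent_after]
    return len(fresh) / len(active) if active else 0.0
```

Run monthly against the real inventory and SIEM source list; a non-empty `stale_enrollment` or `not_enrolled` list after a server refresh is exactly the drift the report in this case study missed.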
The Next 60 days:
The next steps were to scrutinize the details and deliverable requirements of each security service, identify and document the gaps, and develop a roadmap to remediation. The company's own IT shop was very good at stepping up and assisting to get the various documentation together. At the end of the day, we were able to convince the client that their MSSP was not appropriately providing the services listed in the contract, and to sever the service and select a new Security Service Provider.
Many of the IT management processes were actually quite mature, and needed little in the way of remediation. We set our sights on developing the Security Awareness program, as well as integrating security controls into their existing Software Development Life Cycle.
Beyond the 90 days:
TeamCISO did not provide Managed Security Services at that time, but worked to help review, select, and ultimately integrate a new MSSP that had a long history of working in the Wealth Management vertical.
The new MSSP provided regular weekly, monthly, and quarterly security metrics that were tangible and executive friendly. They also conducted ongoing vulnerability scanning, both to validate the monthly patch process, as well as to assure themselves of their due diligence and identify any new devices on the network.
After more than a year and a half, we were comfortable with the level of operational security in place, and had gone through several quarters of executive reporting. It was time to hand off to a longer term CISO.
Benefit to Client: