Virtual CISO Case Study
Virtual CISO

Virtual CISO Case Study #4

Wealth Management Company with Poor MSSP Contract

Industry:  Wealth Management

Location: Toronto, Ontario, Canada

Size:  600 employees

Reason: Client required a Virtual CISO to provide Governance over existing MSSP

Effort:  3 days (roughly 24 hours) / week  for 18 months

 

The Story:

This client is a significant player in the Canadian Investment Management market, The Company provides portfolio management, capital appreciation, equities, fixed income, investment analysis, and financial advisory services globally.  As such, they had entered into a contract with one of Toronto's largest Managed Security Service Providers (MSSP) to ensure both regulatory compliance and an appropriate Cyber Security posture commensurate with their risk profile.

After more than a year in the contract, the MSSP had not fully completed all of it's Cyber Security initiatives, and had fallen months behind in reporting.

 

The First 30 days:

The first 30 days were truly about "drinking from the firehose".  This was a well established company, with over 500 employees, and several lines of business/subsiduaries.  Our Virtual CISO worked with tC-Suite, and the on staff IT shop to identify the main data and infrastructure assets, review and assess the existing documentation, and understand and document the deficiencies in their Cyber Security program.  The network team was a hybrid of on-staff and outsourced.  The systems administrators and application developers were on staff, but the Cyber Security management (firewall, IPS, Endpoint protection, SIEM) were all outsources to this MSSP.

As part of the drinking from the firehose, we had requested current reports from their various security infrastructure controls.  The first issue we came across was in the most recent SIEM report. Apparently there were roughly 400 systems assigned to forward logs to the SIEM.  The number one Event in the report was "137 Devices not reporting  logs".  A quarter of those enrolled.  So we requested the previous month.  Same story...  Back  almost a year.  Turns out that when the company refreshed a server, the old one was not removed from the SIEM, and the new one was not added...  *And nobody noticed!*

This was indicative of all the remaining Cyber Security services provided by this MSSP.

The Next 60 days:

The next steps were to scrutinize the details and deliverable requirements of each security service, identify and document the gaps, and develop a roadmap to remediation.   The companies own IT shop was very good at stepping up and assisting to get the various documentation together.  At the end of the day, we were able to convince the client that their MSSP was not appropriately providing the services listed in the contract, and to sever the service and select a new Security Service Provider.

Many of the IT management processes  were actually quite mature, and needed little in the way of remediation.  We set out eyes on developing the Security Awareness program, as well as integrating security controls into their existing Software Development Life Cycle.

Beyond the 90 days:

TeamCISO did not provide Managed Security Services at that time, but worked to help review and select, and ultimately integrate a new MSSP that had a long history of working in the Wealth Management Vertical.

The new MSSP provided regular weekly, monthly, and quarterly security metrics that were tangible and executive friendly.  They also conducted ongoing vulnerability scanning, both to validate the monthly patch process, as well as to assure themselves of their due diligence and identify any new devices on the network.

After more than a year and a half,  we were comfortable with the level of operational security in place, and had gone through several quarters of executive reporting. It was time to hand off to a longer term CISO.

Benefit to Client:  

  • Significant cost savings right off the top - the MSSP was charging a lot and providing nothing
  • Our staff are able to integrate as part of the clients team and provide security Guidance
  • We were able to provide assurance to their client that due diligence was in place
  • We project managed the entire program from assessment to handoff
  • We helped find a new MMS with experience in their market at a greatly reduced rate.
  • We worked with the new MSSP to provide weekly, monthly, and quarterly progress reports
  • One-stop-shop.   We brought resources to the table to ensure a holistic Cyber Security Programme
    • Review of Cyber Security Controls
    • Assessment of and recommendations for Security in the Software development life cycle
    • Oversight of Security Operations
    • Comfort and peace of mind

 

Previous Case Studies in this Series:

Case Study #1 - Cellular Communications Provider in Merger & Acquisition

Case Study #2 - Fintech Service Provider requires Interim CISO

Case Study #3 - Software Startup requires Governance on a Budget

Case Study #5 -Small Family Law Firm concerned about Privacy Breaches

 

 

 

Request a Free 30 minute consultation

Book a Consultation
, , , ,

Leave a comment