
ENGAGEMENT

A major digital media company engaged DayBlink Consulting to revamp and revitalize its security maturity assessment methodology and improve the resultant outcomes. Prior years’ assessments used a proprietary scoring system that the client found difficult to interpret and to use as a roadmap for desired change.

PROBLEM

Our team was engaged with a client that had used audit-focused assessments for several prior calendar years, leading to audit fatigue and practitioner friction. The initial versions of a newly implemented maturity-based assessment had focused on setting the baseline but had not resulted in actionable impact; therefore, the client sought to implement a framework that focused on measuring maturity with clearly defined improvement opportunities.

This confusion, combined with the large effort required from security practitioners to complete the annual assessment, left security teams wanting a far lighter-weight solution that did not require a large commitment of time for discovery. To highlight the outcomes of the hundreds of assessed capabilities, the GRC team required a robust reporting package enabling domain-level discussions for multiple audiences.

SOLUTION

DayBlink’s cybersecurity and automation team built a lightweight solution that allowed for quick adoption and minimal required training, leveraging enterprise tools that everyone already had on their laptops. Additionally, the client wanted a robust BI layer to allow for quick turnaround of various domain-level reports, as well as the ability to highlight domains to improve and to showcase security’s maturity growth in a way that would appeal to executive business leaders.

The structure for the maturity assessment was based on an industry-leading framework, allowing work to be divided by security domains and then further refined by objectives and practices. By leveraging past audits, existing notes and very targeted working sessions to set a baseline for maturity, our team was able to focus practitioner time on determining improvement opportunities, allowing for asynchronous self-assessment across domains.

The primary output of the assessment was a fully configured browser-based BI tool that allowed for easy reporting of assessment results and subsequent observations to a variety of audiences. This tool was designed to empower study participants to dynamically explore findings and recommendations. This tool also included historical data from previous assessments to provide the cumulative impact of work over the past few calendar years, allowing strategic planning teams to visualize project impacts. As part of the assessment findings, respective improvement opportunities were mapped to each domain, with detailed user story requirements, maturity improvement potential and all associated metadata required for robust PMO tracking.

RESULT

These opportunities were a direct input to the following year’s strategic planning session to ensure that identified maturity gaps were given prioritization of project resources and funding. Our team provided detailed assessment results, including historical information, in a report that highlighted the level of implementation and provided a key lens into maturity progressions and regressions across domains, objectives and practices. Leadership then quickly identified and agreed on areas of weakness and areas of improvement.

The full assessment was completed ~50% faster than previous audit-based assessments, with significantly reduced impact to practitioner schedules. The results and opportunities became the driving inputs into strategic and financial planning for the next year.