The Challenge

Our client, a global bank headquartered in London, is a longstanding client of Wavestone. Following a review by Internal Audit, the Chief Security Office (CSO) needed help steering the remediation of a large number of cybersecurity issues and asked Wavestone for support, given our ongoing relationship with its cybersecurity functions.

The primary objectives of the project were:

  • To secure the Cybersecurity Remediation Program (and ensure compliance with the Issue Management Standard).
  • To detect weak signals for issues at risk of not being closed on time.

The Approach

  • Wavestone created a ‘Standard Adherence’ document outlining all the checks that need to be made at each stage in the Issue Management Process in line with the Issue Management Standard.
  • To track and flag Issues at risk of breaching governance, Wavestone created an automated spreadsheet to give a proactive forward view on risk for each Issue within several control areas.
  • Finally, leveraging workshops with the project team, Issue Coordinators, and other key remediation stakeholders, Wavestone put together a new proposed governance structure (Committees, Management Reporting, Roles/Responsibilities) and deployment timeline.

The Results

Wavestone’s ability to translate the standard’s requirements into tangible risk indicators has provided our client with the necessary tools to govern their Remediation Program.

  • 7 Automated Risk Indicators (covering the three main phases of the Issues lifecycle – Identification, Risk Assessment, Closure)
  • Automated spreadsheet flagging issues at risk across a range of different controls: anticipated complexity of the remediation actions, anticipated complexity of the closure process
  • Step-by-step process that outlines which checks need to be made at each stage in the Issue Management Process, depending on the nature of the Issue.
  • New governance to secure the Remediation progress, arbitrate priorities, and share escalation needs.
  • Weekly reports to the team highlighting the issues at risk, the issue coordinators to contact, and the issues approaching closure.

Once implemented, these tools allowed our client to achieve its objective of 3 consecutive months without a single issue failing to close on time.
