Business Need

As a thoroughly tech-enabled and highly transactional business, CitySprint relies on its IT team to ensure its applications and services are available 24/7/365 in line with customer expectations. With an operation supporting thousands of UK customers across a range of industry sectors, cyber security sits high on the company agenda.

CitySprint deploys multiple security solutions and carries out regular penetration testing. On a monthly basis, they discuss the IT Risk Register at Board level to agree the necessary resources to address and remediate issues. CitySprint’s Director of IT, Simon Parsons, wanted a third-party opinion of their security posture in order to be able to expertly articulate the security risks of doing business online, along with the potential impact on brand reputation. With no CISO available in-house, Simon worked with Autodata’s Virtual CISO, Edward (Eddy) Donald CISSP CCSK MCSE, to achieve this objective.

Autodata’s Cyber Security Maturity Assessment (CSMA) provides a holistic view of an organisation’s cyber security posture by assessing it against recognised frameworks, standards and controls. The findings are consolidated into a detailed report with recommendations on how to improve cyber maturity over time, then distilled into an Executive Summary (which is not overly security-focussed) for onward C-Level presentation.

“The CIS framework is very useful for identifying and benchmarking cyber security risk. It has been invaluable to reinforce that we are allocating our IT budget correctly in terms of addressing our key priorities. The scoping element is an essential part of the exercise requiring time dedicated to it to ensure it can be completed properly. The report is well laid out and set against each CIS control for good, clear measure. Autodata’s CSMA has enabled me to achieve Board-level buy-in thanks to its structured approach and has undoubtedly helped us to better understand our overall risk profile.”

Simon Parsons, Director of IT Ops

Solution

Eddy and Simon commenced the CSMA with a discovery call and detailed scoping exercise to generate a clear picture of the current security posture, the time required to complete the engagement and the key stakeholders who would need to be engaged in the process.

Eddy then carried out a range of independent, non-intrusive reconnaissance activities against publicly available information, mirroring the initial research commonly performed by attackers. These included: Shodan exposure checks; Talos, Barracuda and Mxtoolbox reputational checks; website and social media phishable-data searches; Haveibeenpwned password exposure checks; and Cookiepedia cookie exposure checks.

Eddy proceeded to conduct stakeholder reviews over a period of two days to enable a full assessment against the Center for Internet Security (CIS) controls. The CIS provides a series of best-practice, prioritised, defence-in-depth controls which are mature and well-respected in the cyber security industry. As of May 2021, these are made up of 18 controls comprising a maximum of 153 safeguards. Once completed, Eddy compiled the final output report with benchmarking data, findings and his own expert recommendations.

Result

The CSMA engagement took a month from initial discussions to receipt of the final report. The content of the CSMA report enabled CitySprint to assess and re-prioritise their current objectives to further enhance their existing security posture.

Thanks to the CSMA engagement, CitySprint now has a long-term cyber security roadmap with the ability to implement ongoing improvements via the CIS Implementation Group tiers. Additionally, Simon has been able to get elements approved in his IT budget to mitigate individual risks without needing to submit separate business cases for each.
