
Simplified Old-School Dashboards

by Fools Gold.
A current dilemma of complexity that can be solved with an old-school approach of simplicity.

In this abbreviated case study, I summarise the challenge faced by a very small organisation that led to bad decision making. The organisation allowed us to disclose their information, so their real name is used herein but not those of their third parties; they were happy to share their case and learnings for this publication.

The Context: Enterprise Strategise Portfolio van Zuid-Afrika Pty. Ltd. (ESPZA) was a struggling sole-proprietor business in the South African financial services sector. It had recently been awarded service contracts with a large banking institution that we will call Africa's Top Bank (ATB). ATB, being listed on the stock exchanges of several African countries, has serious reporting requirements.

The Requirement: ATB required ESPZA to have audited financials per ATB's standards, scheduled audits and cyber-insurance. ATB also required compliance with data privacy controls as per the IBA Africa Forum. Further, ESPZA was required to follow and report on the minimum security standards of ATB, and to assure safe handling and reporting by its own suppliers as well. The ESPZA MD had to ensure accurate reporting to ATB was in place.

The Problem: ESPZA had an external accountant who covered the financial reporting requirements, but no cyber security expert to translate ATB's stringent cyber security reporting requirements into something operational. Further, ESPZA had no back-to-back agreements obliging its third parties to follow the cyber security requirements. There was not enough time and money for ESPZA to implement the ATB requirements and simplify the reporting, and it risked losing the service contracts with ATB.

The Root-Cause Analysis: ESPZA underestimated the ATB compliance requirements and did not have the capability to implement and report as required. 

The controls expected to be in place by service start were not practically implementable:

A. Control requirements for cyber security could not be translated into operational business processes.

B. Control requirements could not be enforced with third parties even after significant negotiations.

Additionally, even if the controls had been implemented, the reporting could not have been aligned, designed and submitted on time:

C. There was no regular reporting of controls, nor any governance/oversight of it.

D. Current controls that could satisfy reporting requirements required advanced data transformations.

ESPZA had financial reporting covered, but the cyber security controls needed to be implemented in full. This was not the case: only anti-malware, VPN, MFA, local disk encryption, firewalls and annual pen-testing were implemented. No privacy or third-party controls were in place.

Internally, ESPZA did not actively enforce data classification, and all data was handled the same way. Further, there was no visibility of, or exercised control over, the flow of confidential/private information into and out of the organisation.

There were disagreements with the third-party supplier of one critical service, where the supplier refused to follow the ATB-required encryption controls on their local machines.

All existing reports were purely technical extracts from the software applications used in ESPZA, and in that form they could not be integrated into the summary reporting required by ATB.

The Consequences: Six months after the award of the ATB contract, ESPZA could give ATB no assurance that the ten critical baseline security controls were implemented, nor could it report on them in the required format by the contract start date (three months later). ESPZA reported six out of ten controls in place and flagged the risk that the remaining four could not be implemented within the three months left before contract start.

ATB gave legal notice of material breach of the agreement and of its intent to terminate the contract if assurance from the ATB auditors was not achieved within the three months remaining.

The Solution: The ATB control objectives had to be satisfied to the ATB auditors' expectations. We used the C-xO Old-School Cybersecurity Technique. The ESPZA compliance framework, data classification and security risk process were defined and implemented with immediate effect. Core data was identified, centralised and protected with additional access control and backups. All exchanges of data with the supplier were limited to non-personal data, backed by further NDAs. Policies and processes were written, and training was given to the ESPZA MD and the supplier in the following month. Over the next two months, the supplier negotiation yielded positive results when we proposed the encryption method that had the least impact on their operations but still met the ATB objectives, albeit indirectly. Governance meetings between the MD and the supplier were set up, and reporting was met using the C-xO dashboarding and executive reporting services. ESPZA's technical cyber security reports were translated, using only static KPI data, into simplified monthly graphs, without sending the full technical extracts to C-xO.
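The "static KPI data only" step above is the part worth seeing in code: the raw application extracts stay with the organisation, and only per-control counts, percentages and a status leave for the dashboard. The script below is an added illustration, not C-xO's or ESPZA's tooling. The endpoint and governance extracts, the column names, the 95%/80% status thresholds and the use of the ten controls named in this case study as the control set are all constructed assumptions for the example; the identifier-leak check at the end is the guard you would run before anything is sent to a third-party dashboard provider.

```python
"""Aggregate raw technical extracts into a monthly control-coverage KPI record.

Added example, not code from C-xO or ESPZA. All sample data, column names,
thresholds and the mapping of extract columns to controls are assumptions.
"""
import json

# Constructed endpoint-management export (hosts and users are invented).
ENDPOINT_EXTRACT = [
    {"hostname": "espza-lt-01", "user": "md", "av_enabled": True,
     "disk_encrypted": True, "mfa_enrolled": True, "vpn_only": True, "fw_enabled": True},
    {"hostname": "espza-lt-02", "user": "accounts", "av_enabled": True,
     "disk_encrypted": True, "mfa_enrolled": True, "vpn_only": True, "fw_enabled": True},
    {"hostname": "supplier-ws-07", "user": "ext.supplier", "av_enabled": True,
     "disk_encrypted": False, "mfa_enrolled": True, "vpn_only": True, "fw_enabled": True},
]

# Constructed governance register: non-technical controls tracked as evidence items
# (policy approved, risk register reviewed, NDA signed, ...).
GOVERNANCE_EXTRACT = {
    "compliance_management": {"evidence_items": 4, "evidence_complete": 4},
    "security_risk_management": {"evidence_items": 3, "evidence_complete": 2},
    "privacy_management": {"evidence_items": 5, "evidence_complete": 1},
    "third_party_control": {"evidence_items": 2, "evidence_complete": 1},
}
LAST_PENTEST = "2023-11"   # assumed month of the last annual pen-test
REPORT_MONTH = "2024-03"   # assumed reporting month

# Technical controls measured per endpoint -> extract column (assumed mapping).
CONTROL_FIELDS = {
    "anti_malware": "av_enabled",
    "vpn": "vpn_only",
    "mfa": "mfa_enrolled",
    "disk_encryption": "disk_encrypted",
    "firewall": "fw_enabled",
}
GOVERNANCE_CONTROLS = ("compliance_management", "security_risk_management",
                       "privacy_management", "third_party_control")
PASS_THRESHOLD = 95.0    # assumed: coverage % at which a control counts as "in place"
AMBER_THRESHOLD = 80.0   # assumed: below this the control is reported red


def coverage_pct(rows, field):
    """Percentage of endpoints whose boolean control flag is set."""
    if not rows:
        return 0.0
    return round(100.0 * sum(1 for r in rows if r[field]) / len(rows), 1)


def rag(pct):
    """Map a coverage percentage to a red/amber/green status."""
    if pct >= PASS_THRESHOLD:
        return "green"
    if pct >= AMBER_THRESHOLD:
        return "amber"
    return "red"


def months_between(earlier, later):
    """Whole months from 'YYYY-MM' earlier to 'YYYY-MM' later."""
    ya, ma = (int(x) for x in earlier.split("-"))
    yb, mb = (int(x) for x in later.split("-"))
    return (yb - ya) * 12 + (mb - ma)


def pentest_pct(last_pentest, report_month):
    """Annual pen-test is binary: 100 if done within the last 12 months, else 0."""
    return 100.0 if months_between(last_pentest, report_month) <= 12 else 0.0


def build_kpi_record(endpoints, governance, last_pentest, report_month):
    """Produce the aggregate-only record that is allowed to leave the organisation."""
    controls = {}
    for name, field in CONTROL_FIELDS.items():
        pct = coverage_pct(endpoints, field)
        controls[name] = {"coverage_pct": pct, "status": rag(pct)}
    pt = pentest_pct(last_pentest, report_month)
    controls["annual_pentest"] = {"coverage_pct": pt, "status": rag(pt)}
    for name in GOVERNANCE_CONTROLS:
        ev = governance[name]
        pct = round(100.0 * ev["evidence_complete"] / ev["evidence_items"], 1)
        controls[name] = {"coverage_pct": pct, "status": rag(pct)}
    in_place = sum(1 for c in controls.values() if c["status"] == "green")
    return {
        "month": report_month,
        "endpoints_measured": len(endpoints),
        "controls_in_place": in_place,
        "controls_total": len(controls),
        "controls": controls,
    }


def leaks_identifiers(record, extract_rows, id_fields=("hostname", "user")):
    """True if any identifier from the raw extract appears anywhere in the record."""
    secrets = {str(r[f]) for r in extract_rows for f in id_fields}

    def walk(value):
        if isinstance(value, dict):
            return any(walk(v) for v in value.values())
        if isinstance(value, (list, tuple)):
            return any(walk(v) for v in value)
        return isinstance(value, str) and value in secrets

    return walk(record)


def demo_record():
    """KPI record for the constructed sample data."""
    return build_kpi_record(ENDPOINT_EXTRACT, GOVERNANCE_EXTRACT, LAST_PENTEST, REPORT_MONTH)


if __name__ == "__main__":
    record = demo_record()
    # Refuse to emit anything that would carry endpoint or user identifiers.
    assert not leaks_identifiers(record, ENDPOINT_EXTRACT)
    print(json.dumps(record, indent=2))
```

Run it once a month against the real exports; the JSON it prints is the only thing the dashboard provider needs, and the leak check fails closed if someone later adds a per-host breakdown that would carry identifiers out with it.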

The Results: The four remaining controls (compliance management, security risk management, privacy management and third-party control) were implemented, on paper and in practice, within two months. The principles of core data privacy and least data disclosure were successfully applied. ESPZA then also became eligible for cyber-insurance and engaged its own external auditor to plan and schedule a financial and cyber security audit calendar. ESPZA passed the ATB external assurance engagement and started the ATB service contract on time.

This case study demonstrates how sometimes the people on the ground need ladders to get up above the canopy and look out over the trees. Management sometimes needs to understand that operational delivery, when working well, is like a finely tuned engine, driven entirely towards leadership's goals, and that both views must be supported by the right business intelligence. If one changes the environment too drastically without the right due diligence, the engine stops working optimally in the pursuit of misguided goals.


Chasing goals unchecked leads one astray; sometimes we need to realise that we are off the path and ask for directions to get back on it. Fools Gold.