A global leader in digital transformation and industrial automation set out to establish a new cybersecurity governance program to align with current industry benchmarks and proactively guard against a new wave of cyber threats. The company partnered with Christine Dunbar and the consultants at ROCIMG to design the structure of the new program, as well as create the new policy documents that would establish procedures and guide behaviour for 25,000 employees across the globe.
ROC Implementation & Management Group (ROCIMG), Inc. is a business strategy, cybersecurity, and information technology (IT) consulting company committed to helping its clients and its people achieve new levels of performance excellence. Founded in 2013 and based in Gaithersburg, Md., ROCIMG serves organizations in the federal, state, public, and private sectors.
In 2022, a Fortune 500 company providing industrial automation and digital transformation technologies hired a new Chief Information Security Officer (CISO) to defend the company against worldwide cybercrime. In this new role, the CISO began the critical process of transforming the core structure of the company’s cyber governance program. It had been at least five years since the company had last been through this process, and both it and the cybersecurity landscape had evolved dramatically in that time. Changes in geopolitical forces, the rise of remote work, and emerging technologies like artificial intelligence were just a few of the new cyber risk factors the new program would need to address. Meanwhile, the company itself was evolving its product line from predominantly hardware to software, which affected the cybersecurity of its own products.
The CISO determined the first step in establishing a new cyber governance program would be to create new company-wide cybersecurity policies and procedures. This would not be a simple task, as the new policies would impact all aspects of the organization and establish new guardrails and guidance to minimize the risk of cyber threats for 25,000 employees around the world. Historically, the company had taken a largely compliance-based approach to cybersecurity but recognized it was now time to transition to become more risk-focused, which would require looking at its policies differently.
Given the transformative nature of this project, the company recognized the benefit of bringing in a third party to assess its current cybersecurity program and advise on what needed to be done to meet current industry benchmarks. They turned to Christine Dunbar and her team at ROC Implementation & Management Group Inc. (ROCIMG).
Under the guidance of ROCIMG, the company created a policy council made up of representatives from each facet of the organization. ROCIMG then evaluated the company’s existing cybersecurity policies while conducting interviews with the council members to determine how the organization’s needs had changed. They brought in additional subject matter experts to help flesh out the details of the new policies, which included building and designing new processes and defining new roles and responsibilities to ensure each employee would operate in a safe and secure way.
“There was a lot to think through to make sure we were giving our employees the guidance they needed,” said the company’s CISO. “Do our policies reflect the right amount of security controls, or do we need to put more guardrails in place to determine how a developer will create new software? How do we expect our employees to act every day to ensure they are doing their part to defend the organization from a cybersecurity perspective? What are those new norms, and how do we communicate them in a policy and how do we train our employees on these new behaviours?”
With all perspectives, standards, and risks considered, ROCIMG led the effort to draft the company’s new cybersecurity policies. The team first established a new standard format for each policy document and used that template to draft new procedures and create structure around the company’s new cybersecurity governance program. Each round of revisions was reviewed with the policy council to make sure the policies reflected the company’s current operations, as well as its vision for the future.
In addition to the new cybersecurity policy documents, ROCIMG also created a lifecycle management plan to ensure there was a procedure in place to review and revise these policies on a regular basis, and a communication and training strategy to roll out the new policies to staff around the world.
The company has completed the first phase of transforming its cybersecurity governance program, having formalized 11 new cybersecurity policies. One year after beginning this effort, the company is now beginning to implement training sessions to communicate the new policies to its employees around the world and put them into effect.
The CISO credits ROCIMG with helping to complete the first phase of this massive undertaking efficiently and effectively.
“Christine and her team were instrumental in helping us think through how we move toward being less compliance-based and more risk-based, and how we can reflect that in our policies moving forward,” they said. “ROCIMG delivers with excellence every time. They are just able to get down to the crux of what the issue is and how to solve it. They have great execution skills and will bring in the right resources and subject matter experts to help us move the needle.”