Note: In Security Program Accelerator projects, we review an organization’s current-state from the perspective of security, develop a plan for next steps, and prioritize and categorize those steps in relationship to the NIST Cybersecurity Framework. Security Program Accelerator engagements provide highly practical results:
- Tangible scores in each of the five CSF categories
- Recommended strategies
- Tactical actions to take immediately
This specific engagement was with a Midwest-based construction industry holding company with multiple billions of dollars of revenue and a national footprint.
The engagement focused on a two-day session at our client’s headquarters. Conversations were between Concurrency representatives—a security expert and a business analyst—and a wide range of participants on the client side. The focus wasn’t just on technology. It was on how different areas of the business process and exchange information—what tools, what services, what handoffs—so we could help our client determine its security maturity across the business and define practical next steps.
These planning conversations covered a lot of ground. They brought out areas where our client already recognized specific vulnerabilities and areas where they hadn’t yet identified problems. Our holistic approach—which included perspectives gained from C-level leaders as well as the IT, finance, accounting and marketing departments—enabled us to construct a frame of reference appropriate for this specific organization.
That frame of reference, in turn, enables us to identify and recommend specific near-term strategies to make the largest impacts on certain types of risks.
After the series of interviews, we compiled our notes and developed maturity scores and recommendations, using the NIST CSF as categorical guide. We identified the areas where our client is already doing well and the areas for improvement—both right away and over a longer period of time. We created a presentation based around our client’s current practices across the NIST categories and a risk-prioritized set of recommendations.
The result was an actionable plan with the potential for ready buy-in from stakeholders across the company, given the purposeful wide participation in the intensive interviews.