Improving security maturity for critical infrastructure

One of our existing clients operates in a sector with so-called ‘national critical infrastructure’ – a term that refers to providers of essential services in key sectors such as health and safety, energy and public transport. Organisations that fit the description are obliged to adhere to the EU-mandated NIS directive. This legislative framework aims to enhance cybersecurity and resilience across these pivotal sectors.

Previously, our client had opted to comply with the directive by adopting ISO 27001, a leading international security standard. Companies seeking to meet the corresponding requirements must develop and implement specific policies and procedures covering a whole host of subjects, ranging from access management for staff to incident response.

In their pursuit of compliance, our client engaged a third party to draft their security policies. Designing good policies is one thing – in practice, a policy is only as good as its implementation. This requires consistent standards, actionable procedures and streamlined processes. That’s why the Chief Information Security Officer (CISO) of the company approached us. Recognising our prior working relationship and the reputation of our robust methodologies, they believed we’d be the perfect fit to shed light on the issues at hand.

Our initial assignment was two-fold. First, we needed to assess the adequacy of the existing policies in achieving compliance and determine the level of internal support and understanding regarding their implementation. Secondly, we were tasked with checking the implementation status of each policy and identifying potential communication and other issues between teams. In addition to facing technical challenges, the security team was regarded as being primarily an enforcer of standards. Since security teams typically serve as gatekeeping stakeholders in other teams’ projects, effective communication is key for obtaining security’s approval to ensure progress on new initiatives.

We assembled a task force consisting of two consultants who brought together a blend of security expertise, strategic business insight and prior experience working with the client. Rather than diving straight into the project, we took a step back to carefully analyse and deconstruct the client’s request. We structured the initial enquiry for assistance and examined potential challenges and pitfalls. For each of the security team’s policy, architecture and standards cornerstones, we assessed their current development state and level of maturity.

During our evaluation of the current situation, we quickly discovered that the externally drafted policies were too heavily focused on the IT security perspective. This siloed approach holds significant implications for their implementation and acceptance amongst the other teams in the workplace.

To address the root causes of this issue, we engaged in discussions with stakeholders from both the IT and business departments. Our aim was to understand their needs and identify potential areas of friction from a security standpoint. We enquired about their perceptions of the security teams and took suggestions on how to reduce friction and conflict between departments. Trust played a vital role in obtaining honest responses during these interviews. To foster an open and supportive environment that is conducive to constructive feedback, we made sure that our involvement extended beyond being solely an extension of the IT department. Our additional experience in how organisations operate and interact between teams, allowed us to empathise, delve deeper into the issues and explore alternative perspectives from across the organisation.

A further gap analysis aligned policy requirements with the practical needs and concerns raised by various teams. To accomplish this, we devised a matrix that assessed each relevant aspect, providing a clear overview of both importance and urgency for every item. This matrix served as a foundation for developing a practical roadmap for the short and medium term.

Next, we wrote new versions of some of the security policies and standards. In addition, we carried out an analysis of changes between the 2013 and 2022 versions of the ISO 27001 standard, and we set up a corresponding migration roadmap to ensure that the client would be able to meet the updated standards by the 2025 deadline and ensure full compliance.

By leveraging our proven methodologies, our consultants managed to successfully uncover the root causes of existing issues for the client. Through a series of iterative steps, we developed a comprehensive and actionable analysis that takes into account the client’s priorities.

Our assessment offers a clear overview of the current state of affairs and identifies areas that require further attention. Valuable insights surfaced during stakeholder interviews, revealing issues that had been flying under the radar previously. The migration roadmap proved to be a valuable tool for instilling a sense of urgency across teams, visually highlighting priorities. In the client’s own words, it provided them with “the leverage to motivate teams and demonstrate the most critical tasks that demand immediate attention.” They can use this roadmap to push forward internally and focus on the things that matter most.

Throughout the process, our Addestino consultants transitioned from a solely supporting role to a dual role, encompassing support and advice. This transition was driven by our consultants: rather than merely extinguishing fires, we also strive to understand why they occur and how to prevent them in the future. This exemplifies one of our key strengths and differentiators at Addestino.