I led a team assessing the cyber programme maturity of a multinational group of companies in the Electrical Components and Equipment sector, covering 13 operating companies in Europe, the US and China. This involved rating a number of security domains against a maturity model, identifying gaps between current state and desired state and proposing a roadmap to improve maturity to the desired level.
During a six-month engagement with a Mutual Insurance Company, I conducted an information assets audit. Interviewing stakeholders from the Life and General Insurance businesses, as well as core business functions such as HR and IT, I compiled a list of information assets and the systems that process them, and assessed the business impact of compromise of these. I then used the ISF’s IRAM2 risk assessment methodology to assess the potential threats and vulnerabilities that were applicable to each asset class.
Concurrently with this I provided subject matter expertise into an RFP process to source a Governance Risk and Compliance tool that would be capable of ingesting the IRAM2 worksheets and producing a holistic view of information risk across the organisation.
The Cyber Essentials Scheme, and Cyber Essentials Plus, is a security certification introduced by the UK Government to encourage businesses to protect themselves against common Internet threats.
The scheme is based around the National Cyber Security Centre’s Ten Steps to Cybersecurity
Although it is predominantly aimed at Small and Medium sized enterprises, organisations are also required to be certified in order to bid for public sector contracts. Consequently it was a priority for EY to achieve certification and I managed an internal project to do so, achieving certification on the first attempt.
Subsequently I led a team to support a retail client in achieving Cyber Essentials.
While at GSK I developed a career development framework based on the BCS Skills For the Information Age (SFIA) model.
I interviewed people in Security, Governance, Risk and Compliance (SGRC) roles to understand their career paths to date and the skills and competencies from the SFIA framework that they felt were most applicable to their role. This enabled me to propose role specifications for different levels of seniority, and development pathways for SGRC professionals to progress to more senior roles.
The concept was adopted by several of the business unit SGRC teams and used as their basis for performance and development planning.