Corporate Information Security strategy for global energy company

281

Sector: Energy
Area of expertise: Cyber Security
Service area: Cascading Strategy

THE SITUATION

A leading global energy company had over the past years intensified its focus on cyber security and thus established the building blocks for a solid cyber security foundation.

Kopenhagen Konsulting was engaged to formulate a strategy that enabled the company to embark on the next stage of the security journey to match the evolving threat landscape and the rapidly growing regulatory requirements, as well as make cyber security a business enabler.

WHAT WE DID

Kopenhagen Konsulting led the strategy formulation process in close collaboration with the Chief Information Security Officer (CISO) and direct management teams. The strategy formulation process was, based on the CISO’s request, conducted swiftly over a two-month period and split into three steps:

  1. Defining the current situation and future change drivers
  2. Formulating strategic themes and must-win battles
  3. Outlining a strategy execution model

The first step of the analysis covered an identification of the as-is status of security capabilities and maturity levels – both within the corporate security function, as well as in the related IT and OT functions. Based on this, three distinct change drivers for the future direction were defined to steer the focus, investment areas and risk-mitigation actions.

Secondly, the strategic themes were formulated to harvest the full potential of the already established capabilities, as well as expand capabilities were gaps existed. The overlaying vision of the strategy was to position security as a business enabler in the digital transformation journey of the company, while focusing on hardening the controls for the critical operational value streams to safeguard the continued growth journey of the company. Consequently, four strategic themes were defined, which were supported by clearly outlined must-win battles to drive the strategic aspirations.

Lastly, an execution model was developed that aimed to move the approach away from a historical program management mindset, and towards an agile execution model to foster a shift-left attitude in the approach to cyber security across the company.

The execution model was centered around a strategic backlog that was to be maintained, refined, and managed by the security department, while execution would happen both in the corporate cyber security department and across agile delivery teams in the organization. The model was designed to evolve on an on-going basis with input from various stakeholder groups and based on changes in the threat landscape, regulatory requirements, or business needs.

To guide investments and priorities, a cross-organizational governance body was established with senior level management representation from all business units and with executive management oversight.

THE OUTCOME

The new strategic direction was presented to and approved by executive management, whereafter the revised governance model and execution approach was operationalized with centralized tracking and oversight. The strategy enabled the CISO to position security as a key business risk, activate relevant stakeholder groups, as well as extend the coverage of controls to the central value streams of the company.