Case Studies
Below you will find examples of successful engagements we have had with our clients
01
Public Concert Venue Cybersecurity Program
Entertainment Industry
Our client was an outdoor concert venue in the Midwest that has a stellar reputation for bringing in well-known musical artists and a beautiful and intimate outdoor concert park setting.
​
The Challenge: With a large donor pool and ticket sales funding operations and budget primarily dedicated to the main event (concerts), cybersecurity plans took a back seat to other operations like physical park improvements and existing IT technical debt.
The park had recently experienced a cyber incident near miss, and the Board of Directors wanted to bolster the IT group to include a more formal security program.
​
What we did: We started with a review of some previous security assessments, then took a deep dive into the organization and what the business risks were both on premise and in the cloud. We also took a hard look at their personnel, which was a broad cohort of full-time employees, strategic partners, volunteers, and seasonal contract workers.
Because of the substantial inbound money flow from donors and ticket sales, we worked on improving the safety of money movement throughout the organization.
Given everything mentioned above, plus the critical need to keep to the concert schedule no matter what,
​
​
we formulated a plan to address the highest priority and largest risk reduction items first.
We worked closely with the CIO to implement new policies and conduct other business analysis on items like their cyber security insurance as well as security reviews of existing and new products and services. We also conducted a tabletop exercise with the executive leadership group to strengthen this team’s ability to respond to a significant business disruption due to a cyber-attack. Finally, we focused on the development of security training materials appropriate for their staff and supporting teams.
What they gained: Along with the CIO we presented our improvements to the CEO and board, resulting in a high satisfaction level with our work and approval to proceed with additional security program improvements (and with a commensurate increase in security budget). Security Counsel continues to work with the client's CIO, executive leadership team, and Board to build out their program.
Unlocking Sales & Rapid Program Implementation
Clinical Trials Software Provider
Our client is an early-stage software company that leverages AWS to accelerate clinical trial recruitment and digitize clinical workflows. Their portfolio of products provides access to unified patient data to support and accelerate site recruiting, feasibility, and management. Given that the patient databases are housed in the cloud, the implications for intelligent cyber security management were numerous.
The Challenge: As a startup, our client needed to mature their security program, but of arguably equal importance needed to gain market share and build the company. Growth was paramount so they had to remove all barriers to bringing in new business. Medical and Pharma companies expressed extremely positive initial interest in our client’s product, but many of the opportunities had stalled given they had no formal security program in place for a platform that needed to protect patient confidentiality.
With these large medical and pharma companies “putting the brakes on” contract progress, the client knew they had to implement a formal security system, and fast! They had never had a Chief Information Security Officer or any other dedicated security staff.
To complicate matters, a non-sensitive development environment was accidentally exposed, and while no client data was impacted, our client was now in reputational damage control mode. They needed an answer for these numerous sales opportunities that were stalled before their clients began looking at competitors.
What we did: Security Counsel was brought into design and build a robust security plan and to prove to the client’s business opportunities that there was a plan in place. Given the urgency of the situation, we asked for direct meetings with their customers. In these meetings, we made professional promises to them that our
client would pass any customers security audit within an extremely aggressive six-month timeframe.
We began by first helping them hire and train an analyst and an engineer. We needed to teach these new employees the ins and outs of a security audit so that they could participate and support them in the near term and after we were gone.
We also designed and built out the new security program from the inside out. We used agile methods to progress as quickly as possible and built a culture of security utilizing numerous Security Operations Center toolsets. Security Counsel also performed extensive research on each customer to help tailor the responses to each.
Within the promised six months, the hybrid Security Counsel + internal teams were ready for the first audit. This extended team was so well prepared by Security Counsel that a typical four-day audit was passed in two and a half days, and with no major findings.
What they gained: With the security program firmly in place, Security Counsel was able to support all their customers’ audits. This in turn helped unblock the sales freeze and enabled them to win all the sales contracts that were in queue.
Our client is now in their sixth year and has met and exceeded all their sales targets and expectations, and we continue to support them on an ongoing basis.
02
03
Security Budget ROI
Higher Education
Our client was an institution of higher learning that is well-regarded and highly ranked in its secondary education offerings.
​
The Challenge: Like many other universities, they operate as non-profits which typically have more financial need than available funds. With tuition revenues primarily funding operations, cybersecurity plans took a back seat to other operations that were focused more on educational programs.
​
The university’s Chief Information Officer had been trying to get his budget requests funded by the board for at least 8 years with little to no success. He knew of the university’s long unmet need to support information security, where the potential vulnerabilities lay, and the consequences of inaction. His bottom line was that he needed help to rationalize an ROI on launching a cybersecurity program.
​
What we did: We started with a deep dive into understanding the ins and outs of the organization, how it operated, and what the risks were. We conducted business ethnography by immersing ourselves in the day to day by interviewing and observing department heads, faculty, provosts, and the student body. We then applied design thinking to solve for the unmet cybersecurity needs and challenges.
​
With the output of this immersion, we built an enterprise level assessment report, project management plan, and executive presentation designed to align all stakeholders on the mission to improve the university's security posture.
Among the opportunities that we found from our deep dive was in the area of research grants, funding awarded by government agencies and commercial
businesses to perform research in a number of fields and areas of academic expertise. Given so many of the available grants were government agency-based, they included strict information security requirements. We discovered that grants were often not being awarded based on inadequate information security structure and oversight within the university.
We presented all of the analysis and recommendations to the CIO and Provost for a three year strategy to win budget requests and get the information security program off the ground. We accomplished this by illustrating that an increase in grants could provide funding for the emergent security efforts.
​
What they gained: The CIO was able to rationalize future budgets based on increased grant revenues. This increase in capital funded the hiring of a security team and leader to execute on the proposed security roadmap. The individual departments and professors also benefited greatly as grants fund research and development, expansion of departments, and allow these professors to publish their work which is critical at the collegiate level.
​
Security Counsel continues to work with the client's security leader and team to build out their program under a multi-year contract.
04
Security Disaster Planning
Government Contracting Services
Our client was a technology consulting firm that creates caseworker software for managing government services at the local, state, and federal levels. Security Counsel was tasked with building out a comprehensive security program over multiple years that would both provide for their internal security and be compatible with the demanding security needs of their customer base.
​
The Challenge: One of our client’s customers was a US territory which needed a new medical eligibility portal for caseworkers and citizens. This portal was subject to government agency oversight from the Centers for Medicare and Medicaid (CMS).
CMS, being a federal government agency, makes it easy to assume that their guidance and requirements are ironclad. In this case, the customer was a US island in the Caribbean and the customer mandate was that our client build, secure, and maintain a primary and redundant site topology. Both of these site were required to be in mainland U.S. data centers running in Azure, and the backup site was to be available 24/7 ensuring no service interruption.
The planned construction of the second site was proving to be expensive, and securing it added even more cost to the project. The project was subject to MARS-E (a variant of NIST 800-53) so at first glance the redundant site was warranted and within the CMS/MARS-E regulations.
​
Once the plan was created, the client and customer came to us with the task of securing both sites.
​
What we did: Immediately we took a step back to evaluate the disaster planning assumptions that they had made. We performed a robust business analysis and then cross referenced it with a C-Level review and analysis. Through this deep analysis, we determined that they were planning for the wrong type of disaster and that the redundant site and related security were not warranted.
​
After evaluating various disaster scenarios and revisiting the MARS-E requirements, we were very confident that the threat from a hurricane severing the sub-nautical fiber was the most likely disaster scenario. The client's site in Azure would continue to run perfectly, but caseworkers and citizens of the island would not be able to reach these services. This rendered the requirement for the implementation of a secure backup site on the (same) mainland just as unreachable.
​
Once we were ready to make recommendations, we worked very closely with both the territory CISO and the CMS regional CISO, as well as the territory directorates and our client's leadership, and presented a sound argument to their customer and regulator. All agreed that the redundant site was unusable and therefore should be removed from the project entirely.
​
What they gained: Implementation of the reduced scoped plan was estimated to have saved the client's customer $1.2 million dollars in implementation and security costs. It also boosted the profitability of our client's engagement with their customer. Our client demonstrated good will with their customer, which was very much appreciated - along with the savings!
​
The results of this engagement also allowed us to pivot to other needed security programs for our client that may not have been able to be funded otherwise. Security Counsel continues to work with this client by helping them to build out other aspects of their program under a multi-year engagement.