Davidson Group Takes a Risk-Driven Approach to Secure Their Data Assets
SUMMARY
Davidson has partnered with Sekuro on their journey to uplift their security posture.
DAVIDSON GROUP NEED:
Sekuro was engaged in 2023 to implement a Data Loss Prevention (DLP) upgrade leveraging Netskope technology, as a strategic step toward improving their security framework.
SOLUTION:
Sekuro subsequently prepared the Davidson team for their ISO27001:2022 certification. This ISMS establishment project provided Davidson with a pragmatic list of remediation actions and recommendations stemming from an internal preparation audit report, enabling them to comfortably pass their external audits and obtain their ISO certification.
OUTCOMES:
Key outcomes of the two projects include:
- reduced risk exposure through better visibility and near real-time detection of data usage and vulnerabilities;
- a ‘ticket to play’ in servicing critical infrastructure clients; and
- via the ISO framework, strategic guardrails for continuous risk management uplift.
Risk Mitigation: The Impetus for Change
The Davidson Group, founded in 1991, is a prominent Australian company focused on enhancing workplace performance. With a national presence and local expertise, they offer specialist services in Business Advisory, Search and Recruitment, and Technology Consulting.
A catalyst for the projects stemmed from Davidson’s clients, two of which are Australia’s major banking institutions. As Financial Services Institutions are under stringent legislative mandates and additional industry scrutiny, all their vendors and service providers are required to have ISO27001:2022 accreditation. Obtaining the accreditation was important to Davidson because of their ongoing and strategic partnership providing advisory and CX consulting services to these banking clients.
Davidson invested in an upgraded Data Loss Prevention (DLP) solution to protect their client, candidate and proprietary data, and in the process significantly reduce business risks and address the ISO 27001 controls. This was precipitated by the permanent shift to a Work-From-Anywhere culture post-COVID and the necessary growth and strengthening of SaaS, SASE and Zero Trust architectures.
The program goal not only included gaining greater visibility and control of their data, but also a technology uplift encompassing CASB, Network, Web, Malware Threats and Credentials. These uplifts would enable Davidson to better manage the use of business endorsed applications and mitigate shadow IT, thus supporting data storage and exchange to meet business objectives in a risk-reduced way.
The Governance, Risk and Compliance engagement with Sekuro allowed Davidson to gain an independent view of the state of their ISO 27001:2022 program implementation, identify gaps and opportunities for improvement, and to meet the necessary external review requirements of ISO 27001.
The independent audit gave the Davidson team safe real-world experience responding to the questions prior to the external certification audit.
Prioritising Data Loss Prevention
David Sneddon, Senior Manager Technology and IT Risk, joined Davidson with the sole remit of overseeing the group’s cyber security uplift. Davidson already had an enterprise risk management framework based on ISO 31000. Sneddon had subsequently identified strategic areas and priorities for risk mitigation and associated technical requirements.
Sneddon’s first priority was to modernise their Data Loss Prevention (DLP) capabilities, and thereby better ringfence their candidate and corporate data, as a strategic stepping-stone toward the ISO27001 uplift. The Netskope deployment required a centralised identity database spanning their workstations and endpoints as the basis for data policies and controls.
Davidson had previously consulted Sekuro’s Strategy and Architecture team, through Sekuro’s Virtual CISO cyber enablement program, on making better use of their existing cloud-based SaaS architecture and building on their Zero Trust initiatives.
“Jamie (Sekuro’s Chief Revenue Officer) had a really good understanding of our business and our needs, we leaned on his experience and linked it to our own framework and criteria to achieve a level of best practice for the protection of Davidson data and assets,” explains Marks of the decision to appoint Sekuro for the two projects.
Building DLP Capabilities – Getting It Right the First Time
Jeremy Araullo, Security Engineering Manager and Lead Architect for the project at Sekuro, who is also a Netskope Certified Cloud Security Architect, recalls, “We wanted to implement Netskope’s cloud DLP solution properly right from the beginning. This involved making sure all of Davidson’s workstations and endpoint controls were integrated with a central identity and access management system, and that end-users and groups were controlled within a single repository. Then we started having visibility of their data movement across cloud environments. The Sekuro team installed the Netskope agent, configuring best practice controls and policies within the DLP platform, to obtain full visibility into what data was being uploaded on to the cloud and what data was being downloaded. It was a significant digital transformation for Davidson.”
Continues Araullo, “Davidson was able to block numerous threats and malicious web and cloud traffic out-of-the-box, however, it is always a journey we go on with our clients in terms of optimising and fine tuning the DLP rules to manage false positives.”
Additionally, Sekuro created an acceptable usage policy to educate and coach Davidson users on correct and cyber safe behaviour. For example, a user alert will pop up if an employee attempts to upload confidential information on to a third-party site that is not company sanctioned.
Upon project completion, Sekuro conducts knowledge transfer and enablement sessions, and maintains contact with the client through check-ins every 3-6 months. This ongoing partnering model uncovered the opportunity to deploy email-based DLP, which is a relatively new Netskope feature. As an early adopter of the feature, Davidson can now monitor email traffic for unauthorised data transfers. For instance, the Netskope-O365 integration detects PCI / PII and other sensitive data being sent via email and triggers an alert.
Sneddon explains, “With our email DLP, integrated with Microsoft Active Directory, we now have immediate visibility into data being shared via email. This enables us to tighten our rules around sender-based policies and data classification.”
Enhanced Data Visibility and Control for Pre-emptive Protection
“DLP is always a journey, not an end state, due to the shifting nature of data sets and data sources. Our DLP uplift has influenced around 20 controls. We now have more control over data being transferred across our full SASE and CASB network suite, and better enforcement of our acceptable use of information and assets policies,” says Sneddon.
“Straight off the bat, we were seeing the difference in enhanced visibility across cloud-based incidents and malware and credential exposures. With the Sekuro team’s orchestration, we had policies in place to detect and block these threats before they hit the end point.”
Araullo expands, “We have created DLP rules, profiles and policies that scan for confidential information either being uploaded or downloaded. The DLP uplift was a precursor to more refined data classification at Davidson, as Netskope can integrate with their Microsoft information labelling (pulling metadata from Office 365), allowing user actions within sanctioned activities only.”
The main benefits of Davidson’s DLP uplift:
- Enhanced Data Visibility: create reports on usage across SASE-based and collaboration tools, to investigate and analyse internal user activity.
- Reduced Risk Exposure: create controls for restricting and monitoring cloud traffic, including blocking attempts to upload confidential information to unsanctioned third-party sites, as well as protection against data loss and malware-related threats.
- Better Vulnerability Detection: near real-time alerts on attempts to share PII, PCI and other confidential or password protected data over unsanctioned apps / sites.
ISO27001:2022 Is Not Just a Box-Check, It’s Good Governance
Marks shares his perspective on financial risk management and cyber security investment, “In our ever-changing world, cyber security is more critical, and more onerous. The compliance rulebook is increasingly stringent to ensure good governance and protection around data.
“Davidson has a proactive stance to building cyber resilience. It helps that our leadership team, with the diverse views of the CFO, CEO and COO, are cognisant of the broad impact of cyber threats, which can debilitate a business. We have good conversations, involving the Board, about risk management and compliance. Our team knows that certain frameworks and compliance will be required by our clients, especially those from public sector and financial services. We also know that this is simply good governance. Davidson was already ISO 9001 compliant, so we know what’s required to take the leap and go fully down the path of ISO 27001.
“For Davidson, it’s our point of difference, it is the basis for how we will compete and evolve. Achieving ISO accreditation isn’t a quick flick of the switch – it’s a whole-of-organisation process. We leaned into it, with full resource investment, and were able to achieve our ISO 27001:2022 certification within our self-imposed, quite aggressive timeframe.”
Delivering Value Beyond the Certification
Balram Krishnan, Sekuro Senior GRC Consultant, headed up the ISMS establishment project. Krishnan was not only armed with Sekuro’s battle-tested GRC playbooks and processes; he was an external auditor himself. With a PCI DSS certification under his belt and having worked for the Kiwa certification body prior to joining Sekuro, Krishnan had the expertise and proven industry experience to guide the internal audit process in preparation for Davidson’s full ISO 27001:2022 certification.
Krishnan engaged the Davidson team to identify remediation opportunities within their existing policies and procedures, to shift and align with the ISO 27001:2022 framework. Says Krishnan, “Davidson were an ideal client to work with, they are very co-operative and welcoming with regards to our recommendations on the project, there was trust in Sekuro’s opinions. I believe we were able to quickly establish credibility. It was easy to build a really great working rapport with David (Sneddon). Coupled with Davidson’s already mature cyber security posture, this resulted in a rapid project completion in a matter of weeks.”
Integral to the ongoing success of the clients is enablement. Explains Krishnan, “Sekuro has developed a centralised action register, which is, in effect, living documentation of our brains trust. There are many ways to implement the ISO standard, it must be fit-for-purpose, we are driven by how our clients will manage the system when we’re not there.”
Continues Krishnan, “We strive to deliver value to our clients beyond the certification. Sekuro has innovative ways to make the daily operations of the system easy to manage. We deliver a system that is flexible, practical, and doesn’t tie our clients down to specific tooling. Control is not a functional issue, it’s a governance solution, it’s about managing security risk. I’d like to think of the IT or security architecture and vendor tooling as the car, and our GRC expertise is the mechanic that knows how to fine tune and maintain that car’s performance.”
Achieving ISO 27001:2022 Is a Clear Competitive Advantage
The key recommendations stemming from the Internal Preparation Audit Report were around policy improvements, employee awareness and enforcement, and the completion of uplift projects that were already underway.
The recommendations identified by Sekuro supported the desired state for Davidson’s Statement of Applicability (SOA) and strategic uplift programs. With Sekuro’s assistance, Davidson was able to approach the certification audit confidently, with robust risk management and a complete SOA.
Marks emphasises, “During the initial assessment, Sekuro gave us the confidence that the Davidson Group are in a good place. It was brilliant to have that internal audit report from Sekuro and leverage it as a checklist to focus on before the actual audit, which we successfully achieved.
“Self-assessment also plays a big part in the process – the Davidson team assesses the recommendations against our risk management and business operations criteria and make our own prioritisations. Risk mitigation and compliance is an evolution, we are tackling improvement actions constantly, to ensure we’re moving forward and continuously improving, even after we have obtained the certification.”
"Risk mitigation and compliance is an evolution, we are tackling improvement actions constantly, to ensure we’re moving forward and continuously improving, even after we have obtained the certification."
Steven Marks, CFO, Davidson
PARTNERING ON THE ZERO TRUST JOURNEY
“Sekuro really brings the perfect game – they have the right attitude, services skills and strong vendor alliances and were a good fit for what Davidson needed,” says Sneddon.
“The work that the GRC and the audit team completed under Balram’s leadership was fantastic. There was a massive amount of workstreams going on in the background – a lot of talent and skill goes into that. The Technology, Platforms and Engineering team led by Jeremy also did a fantastic job with the DLP solution, they were truly remarkable.
“What’s different about Sekuro’s approach is, they don’t just put the product in, they take their client stakeholders on the journey. So, there’s a shared learning experience, and a bilateral, collaborative partnership which is immensely valuable.”
Marks adds, “Cyberspace is an ever-changing beast, you can’t be stagnant and compete or survive. You need to be constantly evolving. Our challenge, having a relatively small IT team inhouse, is allocating the resources and time to uplift initiatives. Hence, it is crucial to us to have a partner like Sekuro, to travel with us on this journey of continuous improvement. They provide the knowledge to guide us on what other vulnerabilities we can assess, address and evolve.”
What’s on the Horizon for the Davidson Group?
The Davidson and Sekuro teams continue to partner on strategic initiatives ranging from Offensive Security to Technology and Platforms Engineering, viewed through the lens of Zero Trust principles.
Sneddon confirms the Davidson Group will build on their ISO 27001:2022 certification through proactive risk management and continual uplift of their technology framework. There is a large body of work associated with maintaining ISO compliance, such as evolving their data classification system at pace with business operations.