Remediating security and privacy risks in a complex and regulated environment
About Our Client
Our client is a leading global real estate professional services and investment management company. They operate in over 50 countries with over 15 thousand staff, have an annual revenue of $5 billion, and serve institutional, corporate, and government clients.
Our client is the advisor of choice for their global and domestic client base. It is their utmost priority to maintain their reputation, client trust, confidentiality of intellectual property, and to ensure the continuity of their exceptional services.
Our client’s organisation has a range of commercial property services, including:
- Valuation and strategic advisory.
- Retail, residential, hospitality and retirement real estate sales.
- Commercial real estate leasing and management.
- Project management.
Knowing their cyber security and privacy risk profile across all asset classes and clients plays a significant role in supporting their strategy and their ongoing compliance for regulated clients.
This requires identification and understanding of their key risks across diverse asset classes so they can prioritise the monitoring of key risks and their largest reputational and financial threats. This builds the foundation for an actionable roadmap for remediation activities.
Avocado Services provided
- IT security threat and risk assessments (TRA) across all key systems for the previous three years, as highlighted in this case study.
- Vendor risk assessment.
- Development of the remediation roadmap.
- ISO 27001 Gap Assessment and Certification.
Real Estate (professional services and investment management)
“Our client operates in a highly complex and regulated environment. Knowing their cyber security and privacy risk profile across all asset classes and clients plays a significant role in supporting their strategy and ongoing compliance. Avocado has helped them understand and remediate their greatest financial and reputational risks.”
In light of the intricate organisational landscape spanning various business services, Avocado undertook a thorough threat and risk assessment. The objective was to define a robust approach and attain a deeper comprehension of the organisation’s threat and risk profile, and potential consequences. This facilitated a prioritised approach that took into account cyber controls with the highest impact on the organisation’s key asset classes. It ensured that risk exposure was evaluated in relation to the probable cyber threat vectors confronting the organisation, and a comprehensive strategy was devised to address this exposure.
Significantly, our cyber consultants:
- Drew upon our extensive domain expertise and specialised comprehension of their current cyber security controls to maximise our ability to provide valuable insights and guidance.
- Utilised the FAIR model, an internationally recognised industry standard model. This allowed us to calculate the tangible financial losses that could result if potential cyber threats against the company were realised, enabling a more robust discussion with the board about their information management risks and their impact.
- Identified the crucial controls that exhibited the highest efficacy in mitigating potential losses while aligning with the organisation’s risk appetite.
Avocado successfully developed a risk-buydown matrix to showcase effective risk remediation strategies. This included:
- Identifying potential cyber risk scenarios that could pose threats to the organisation’s asset classes, originating from both internal and external threat actors.
- Utilising Threat, Risk, and Control (TRC) modelling to evaluate the inherent risk exposure associated with each scenario – identifying those with medium, high, or extremely severe risk severity impacts.
- Illuminating the existing risk exposure for each scenario based on the organisation’s cyber security control environment.
Avocado provided comprehensive assistance to the client by efficiently targeting remediation activities for risk buy-down. Our tailored support emphasised the identification of key threats to specific business asset classes and the determination of critical controls that necessitated mitigation. This was achieved through a strategy and roadmap that seamlessly integrated with the existing IT strategy, with the desired uplift in cyber maturity.
Through our meticulous threat and risk assessment (TRA), we delivered a focused and objective approach to cybersecurity planning. This assessment aligned with the organisation’s unique risks, control environment, and risk appetite.
By providing our client with an actionable roadmap that demonstrated financial justification, we facilitated the harmonisation of their IT and cyber roadmaps, enabling a more efficient allocation of resources.
By translating our client’s risks into financial terms, we empowered them to make informed business decisions. This fostered improved communication among stakeholders and leadership, allowing the Board to fully grasp how risk decisions directly impact the organisation’s future.
As a result, our client now possesses a deeper understanding of their threat and control landscape. Avocado has played a pivotal role in minimising potential damage to client trust, preserving the confidentiality of intellectual property, and ensuring the uninterrupted delivery of exceptional services.
Presently, we continue to address their cybersecurity gaps effectively through a comprehensive strategy that encompasses managing the process of ISO certification, providing ongoing security assessments, and conducting third-party due diligence.