Case Study:  HQ Security


Situation

A global software company wanted to assess how other leading companies secured their headquarters. Following 9/11 they had taken a number of steps to increase security and wanted to compare these to other similar companies. This would allow them to measure their relative positioning, identify areas for improvement and present solutions to their leadership team with a data-driven rationale. Five corporations participated in a comprehensive sharing of techniques, methodologies and resource data. 

 
Approach

The study analyzed the company's current practices and sought to identify alternatives used at other large companies and evaluate whether they would be appropriate at the client headquarters. An internal analytic module was developed to determine the client’s own needs and priorities in advance of engaging external benchmark participants. Each participant company completed a comprehensive questionnaire focused around the data, priorities and resourcing established from the internal client module, and hosted a group meeting and tour of its premises. Threat environments at each company were profiled and relative threat and vulnerability indices created. These were then use to determine each company’s risk positioning.

Analysis & Results

Important differences between the companies were identified. Each had a threat environment that varied considerably from each other and this required the creation and use of threat and vulnerability indices for normalization to enable meaningful comparison. A number of areas of relative weakness together with potential remedies for mitigation were identified through third-party comparison. While the client led the group in certain key security practices, it lagged in several others. A major internal obstacle to improvement within the client organization was also uncovered and addressed in the final recommendation. The study provided the data and external comparison to engage the senior leadership team and solicit their support to close important gaps.

Benefits to Client

Assurance was provided that internal customer needs and security provision were in alignment. Several best practices were identified that had the potential to cost effectively improve security for the client. Most importantly, the client was able to quantify how their mitigation strategies compared to those of their peers and compare them in the context of greatly different threat environments.  This methodology allowed the company to get around “apples to oranges” comparability and quantify the investment required to adjust their risk posture to one more appropriate given the threat environment in which they found themselves.