Standardising Cybersecurity Risk Measurement Across a Multi-Company Private Equity Portfolio

By Spencer Summons, June 6, 2025

Creating an assurance framework for a Private Equity (PE) company’s investment portfolio of 30 plus disparate companies.

We were engaged by a PE company who needed support defining their cyber security risk, and the change in that risk over time, across their investment portfolio of 30 plus very different organisations. Example companies ranged from cloud-based software development through to traditional manufacturing, and varied in scale, business function, business criticality and cyber risk.

  1. Initial discovery and proposal: We identified and centralised the available information, including previous individual company assessments and information produced from cyber insurer audits. We created and socialised the approach to building an assurance framework with the company’s Executive sponsors.
  2. Create a tiered structure of organisations: Our organisational analysis helped determine the range of organisational profiles by criticality, size and/or complexity, together with perceived threat and cyber security risk. We placed the organisations of higher initial perceived criticality, size and/or complexity into the first tier, and organisations that were less complex and/or of lower criticality into lower tiers.
  3. Select a suitable security framework(s): Frameworks already used by companies in the portfolio included ISO 27001, NIST and Cyber Essentials. No framework was being used for Operational Technology. To create some commonality, we used the National Institute of Standards and Technology (NIST) Cyber Capability Maturity Matrix. Within this, we additionally utilised elements of IEC 62443.
  4. Create a security profile per tier: We created an initial, appropriate and proportionate security profile per tier. Security profiles were also designed to help tailor Policy and Standards per tier going forward. We also considered additional frameworks, such as the UK NCSC accredited IASME Cyber Essentials scheme (or host country equivalent), for less critical and/or smaller organisations likely to be assigned to a lower tier.
  5. Conduct assurance: Our approach included conducting qualitative and quantitative assessment with each of the 30 plus companies:
    1. Interview of key stakeholders
    2. Review of selected policy, standards and process documents with evidence, and review of management reporting, measured against the security profile for each tier.
    3. Review of high-level network design and configuration documentation.
    4. We recommended a more granular approach that included read-only access to selected technologies to review setup and configuration, but this was not initially agreed due to budget constraints.
    5. We also recommended conducting technical testing aligned to each security profile, or tabletop cyber incident exercises. This was pushed to a later piece of work.
  6. Communicate progress to Executive: We produced weekly progress reporting to the CIO. Reporting was designed to also provide early feedback on significant gaps or developing themes. We delivered a more substantial progress report to the Chief Risk Officer mid-way through the project.
  7. Create management reporting: To enhance reporting, we produced interactive Power BI dashboard visualisations with supporting management reports, including portfolio-level views to enable both overview and breakdown analysis. It was important to verify findings with each company’s representatives, to ensure there were no surprises before presenting to the Executive.

We created and presented an Executive Summary to the CEO, Chief Information Officer and Chief Risk Officer, and the Management report to the key stakeholders led by the CIO. Observations, assessment results and recommendations were endorsed by the client.
