Cases II

Cases II

The situation: A Nordic Telecom Operator had over a period of two years ramped up their headcounts within the security organization. The tasks for the local security team mainly consisted of resolving daily issues that where urgent and hence the team did not have the long term and strategic perspective ensuring that our customer was moving in the right direction and focusing on what security risks mattered the most. LEVEL7 was hired to help drive the definition of a 3-year security strategy, beginning with mapping of the existing practices and helping with prioritizing the activities needed to be maintained in addition to activities needed to be replaced.

What LEVEL7 did: By applying the NIST framework, LEVEL7 developed a unique methodology to assess the maturity levels and practice capabilities within different departments of the operator to capture as-is and to help drive organizational change needed to increase the levels of maturity within select security domains needed to achieve the defined 3-year strategy.

Achievements through this case:

Conducting interviews with stakeholders ranging from CEO to technical specialist across 3 markets and 10 departments

  • Security capability mapping across the different departments
  • Assisting in developing the security mission and vision
  • Driving the definition of the overall security strategy and the strategic focus areas
  • Development of KPIs and KRIs needed to review the strategy

The situation: A global telecom operator had several audits pointing towards the levels of security not being adequate for protection of national critical infrastructure. LEVEL7 was asked to deliver leadership and project management  to help identify key gap closing activities in order mitigate the most critical vulnerabilities identified in addition to mobilize organizational units to help ensure that levels of compliance catered for both regulatory, industry and security requirements. 

What LEVEL7 did: With the ambition to deliver a sustainable way of working in addition to concrete mitigation activities, LEVEL7 provided a maturity assessment of the operator’s security organization and processes and practices to determine the most effective implementation approach.

Achievements through this case:

  • Defining project scope and key gap closing activities
  • Helping the operator identify the most systems supporting the critical infrastructure
  • Driving KPI based mitigation on 12 security controls
  • Security dashboards for continuously monitoring and evaluating the levels of compliance towards 12 critical security controls 

The situation: A local branch of a global Insurance company was subjected to an audit from their mother company. The audit showed that the level of security maturity that was lower than the target ambition. As a result of this, the local branch expressed a wish to migrate their cloud solution to a hosting provider, ascertain and improve their level of security maturity to an appropriate level, and, in parallel, mitigate the findings of the audit report.

What LEVEL7 did: The client had grouped their security needs and assigned each of these a target “Common Maturity Model Integration” CMMI score for security maturity. As the cloud solution of the Client was moved to their chosen hosting provider, we established metrics based on the (CMMI) model in order to be able to ascertain the “as-is” for the various groups. We then compared these to the wished-for “to-be” as expressed by the Client. To further help with the measuring by making it more fine-grained, we mapped the Clients wishes, expressed by a CMMI score, to the areas and controls of the CIS18 Framework. The improvement of the maturity level of the various groups were then scheduled according to the mitigation dates of the (related) audit findings, in order to run both things in parallel. 

Achievements through this case:

  • Mapped the grouping of demands as set by the client to the CIS18 areas
  • Further refined the above mapping to include CIS18 controls
  • Mapped the grouping of demands as set by the client to align with the mitigation of the audit findings
  • Scheduled the improvement of the security level for the various groups to best support the above

The situation: The client had invested heavily in buying a vulnerability scanner, and due to the lack of workforce and ability they were not able to launch their project and take advantage of their investment. Our first move was familiarization with the scanning tool and running test scans to assess the impact of the tool on the network and the connected assets. Secondly, a side project was started to discover and document all the IT assets, prioritize the important assets, and assign owners and responsible parties to each asset. Gradually as the project moved forward the client was recommended to adopt a serious approach toward IT asset management and helped with adaptation of a global ISMS framework.

What LEVEL7 did: Here, LEVEL7 helped with: technical knowledge, work force, project planning, installation and setup of the scanner, prioritizing the assets, initiating the scanning process, researching the solutions to the related problems, IT asset discovery and management issues, initial risk assessment and readjustment of the priorities, delegating tasks to involved parties, and communication with vendors and other contractors.

Achievements through this case:

  • By the end of our contract the vulnerability visibility level was rising, and the mitigation and remediation work had begun.
  • The most important aspect of this project was clarifying the risk appetite and identifying the most critical elements of the business continuity which needed the most attention and putting them in the context of an ISMS.

The situation: The client needed help scoping their product in the organization. Furthermore, they wanted to create buy-in from upper management by creating a story-line for facilitating successful discussion about the data lake project. It included understanding and breaking down technical terms into easy and applicable management discussions.

What LEVEL7 did: With the ambition to achieve management acceptance across a very complex political landscape, LEVEL7 brought the teams and the key stakeholders under the same root to create momentum and maintain unity of the projects. After that, we created a story-line that explained business benefits from utilizing these specific technological solutions. To gain validity and ensure effectiveness, we presented it to gain feedback and spread awareness.

Achievements through this case:

  • The materials received immense attention and LoB started seeing the need to engage in the project
  • Easy and smooth stand-alone materials for management to understand the value and solution that was being built
  • Supported on various data and business architectural designs to support data management including processes and governance to bring IT closer to the business
  • Designed a data access model that had well-defined processes to reduce excessive governance

The situation: A global pharmaceutical company needed an interim Scrum Master to drive two high preforming agile teams that was responsible to deliver across ARTs and hence, held very tight milestones from various stakeholders. They were experiencing that the team’s tasks and structure had become complex and larger than they had anticipated and needed help maintaining the ART’s momentum. LEVEL7 was tasked with helping the client lift the Scrum Master role and responsibilities of the team.

What LEVEL7 did: With the ambition to keep momentum and not putting any impediments into anyone’s way, we established great relationships with all team members and drove the team towards delivering valuable and efficient solutions. We simplified and aligned many ceremonies to meet teams’ need and maturity and introduced concrete actions towards establishing a scaled agile mindset, leadership and behavior and fostering a culture where everyone had fun at work. 

Achievements through this case:

  • Supported the team to work in a more agile fashion, and coached them in new ways of working
  • Increase the sense of fun at work, autonomous decision making and feeling of belonging among team members
  • Ensured the team was able to develop and deliver all functionalities to business on time
  • Supported the team in having well defined responsibilities
  • Created a safe environment for experimenting

The situation: The client had already created the case for change to initiate setup of a local LACE team. Since starting their agile journey they was experiencing a lack of knowledge and awareness across the organization. Moreover, the client wanted to ensure higher quality by changing the culture, behavior and mindsets of the organization, meanwhile encouraging smaller releases across the ARTs as well as a higher degree of the way they used agile as their standard way of delivering valuable and efficient IT solutions and provide high business value.

What LEVEL7 did: LEVEL7 started off by creating awareness about the LACE team in the organization. Then, we carried out various agile activities to drive the agile journey towards increasing adoption of agile as a way of working and fostering a culture, behavior and leadership that desired agile principles and tools to deliver valuable software to the client. 

Achievements through this case:

  • Developed transformation roadmap and established KPIs for tracking awareness, desire in new ways of working
  • Launched a communication strategy that utilised various communication channels to push and pull behaviour about the agile IT delivery model, including processes and governance to bring IT closer to the business
  • Developed and designed various activities to encourage and foster a stronger agile learning and fun work culture
  • Conducted cross ART change management activities to ensure the right behaviour and avoid anti-patterns and setbacks
  • Designed a playbook for agile events on both team level and ART level which is also used to onboard multiple agile teams