Highlights
- Following a human-centred design approach and first understanding the requirements of the individual personas enabled us to build a reusable platform that covered a number of different requirements.
- The 2×2 process, funded as an investment by Mantel Group, significantly reduced the cost and effort of future client initiatives.
- The platform has now been showcased to multiple ASX-100 organisations with acknowledgement that Continuous Assurance is a necessary requirement moving forward.
The Problem
A major challenge organisations face today is providing transparency into their current security posture. Security assessments are time consuming to perform, typically taking between 9-12 months per application, and are point-in-time in nature, typically performed on a scheduled basis. As part of performing these assessments, organisations must adhere to a particular compliance framework.
While they may wish to measure themselves against frameworks such as Essential 8, PCI and ISO, data has to be collected and tested separately against each one. There is no way to test once and measure against many different compliance standards.
The Opportunity
Continuous Assurance (CA) is the act of continuously measuring security controls to determine their effectiveness in real time. It allows businesses to quickly identify and address issues or deviations from established standards, reducing the risk of security breaches and non-compliance.
Mantel Group’s Security domain identified the opportunity to build a CA platform that can measure compliance across multiple security frameworks, giving all levels of management visibility over their security posture in a single place.
The opportunity extends beyond compliance alone, giving business units the ability to measure other areas, such as quality control, financial auditing or performance management. The tool can also be used to track how internal projects, such as a cloud migration, are progressing.
The Solution
A Continuous Compliance dashboard was developed to validate that progress against Essential 8, PCI and cloud migration can be measured using the same data.
The benefits of this solution are as follows:
- Efficiency: The platform significantly reduces the time required for security assessments by allowing continuous monitoring. Instead of waiting for periodic assessments, organisations can now assess their security posture in real-time, swiftly identifying and addressing issues or deviations.
- Centralised Visibility: It offers a consolidated view of the security posture across multiple frameworks in a single dashboard. This centralised visibility empowers all levels of management to gain insights into compliance status, enhancing the decision-making processes.
- Adaptability and Scalability: The solution’s flexibility allows for the integration of new compliance frameworks or the adaptation to evolving standards. This adaptability ensures that the platform remains relevant and effective in addressing emerging security challenges and regulatory changes.
- Enhanced Decision-Making: Real-time insights empower stakeholders to make informed decisions promptly. Having accurate and updated data drives better judgement.
Our Approach
We undertook a series of rapid, high-value workshops with key stakeholders in the Security domain to gain an in-depth understanding of the existing technical and compliance environment. These workshops included the following activities:
- Discovery interviews: Interviews with operational personnel and senior leaders uncovered what insights are needed at each level of the dashboard.
- Co-design: As a cross-functional team, we rapidly co-designed different variations of the dashboard visualisations until we converged on a solution.
- Data mapping: Metrics and controls used in different security frameworks were mapped to a standard set of domains to display on the dashboard.
- Dashboard development: The dashboard was developed in Microsoft Power BI, with the intention that it could be extended to other interactive data visualisation tools, such as Tableau, based on a client's requirements.
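The data-mapping step above is what makes "test once, measure against many" possible: each control is evaluated once against a framework-neutral domain, and a crosswalk translates that single result into a score for every framework. The following is an added example, not code from Mantel Group's platform. The Essential Eight strategy names are the public ones, but the control results, the PCI DSS groupings and the cloud-migration milestones are constructed, illustrative assumptions; a requirement with no evidence is scored as failed rather than unknown.

```python
from collections import defaultdict
# Constructed sample: one evaluation run, keyed by framework-neutral control
# domain (the dashboard's "standard set of domains"). True = control passed.
CONTROL_RESULTS = {
    "mfa_enforced": True,
    "os_patched_within_sla": False,
    "app_control_enforced": True,
    "admin_privileges_restricted": False,
    "workloads_migrated": True,
    "legacy_hosts_decommissioned": False,
}

# Crosswalk: framework -> requirement label -> domains that must all pass.
# Essential Eight strategy names are the real ones; the PCI DSS groupings and
# the cloud-migration milestones are illustrative assumptions, not a mapping
# taken from the standards themselves.
CROSSWALK = {
    "Essential 8": {
        "Multi-factor authentication": ["mfa_enforced"],
        "Patch operating systems": ["os_patched_within_sla"],
        "Application control": ["app_control_enforced"],
        "Restrict administrative privileges": ["admin_privileges_restricted"],
    },
    "PCI DSS": {
        "Req 8 (authentication)": ["mfa_enforced"],
        "Req 6 (patching)": ["os_patched_within_sla"],
        "Req 7 (least privilege)": ["admin_privileges_restricted"],
    },
    "Cloud migration": {
        "Workloads migrated": ["workloads_migrated"],
        "Legacy estate retired": ["legacy_hosts_decommissioned"],
    },
}

def score(results, crosswalk):
    """Return {framework: (passed, total, failed_labels)}; no evidence counts as failed."""
    report = {}
    for framework, reqs in crosswalk.items():
        failed = [label for label, domains in reqs.items()
                  if not all(results.get(d, False) for d in domains)]
        report[framework] = (len(reqs) - len(failed), len(reqs), failed)
    return report

def blast_radius(results, crosswalk):
    """Map each failing control to every framework requirement it pulls down."""
    impact = defaultdict(list)
    for framework, reqs in crosswalk.items():
        for label, domains in reqs.items():
            for d in domains:
                if not results.get(d, False):
                    impact[d].append(f"{framework}: {label}")
    return dict(impact)
```

Running `score` over the sample shows one unpatched-OS finding lowering both the Essential 8 and PCI DSS scores, and `blast_radius` lists exactly which requirements a single remediation would restore, which is the view that lets management prioritise fixes across frameworks.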