Their story:

As a collection company, they shared information with multiple big banks. Their challenge was that the banks all had different security requirements, and they had to comply with them all or risk losing them as customers. Some of the banks wanted security questionnaires filled out, some wanted a SAS70 or other audit, others sent their own auditors.

In most cases, the customer requested they make changes to their security. The problem was that the changes being requested didn't always make sense, nor did they fit into the collection company's business operations. That left them in a position where they were constantly trying to skirt the requested changes, until they finally had enough and called us.

What they needed:

They needed and wanted help managing their security program. They wanted someone who could push back on their customers appropriately, so that any changes the banks requested were reasonable requests that fit their business.

What we did:

We started by assessing their security program. We did an External IT Vulnerability Assessment, Internal IT Vulnerability Assessment, Administrative Risk Assessment, and a Physical Security Assessment.

We then started improving their security strategically. With the help of the business, we prioritized the issues we found. We then drove the remediation project. Much of the issues were addressed internally, a few were done by us, but we drove the effort at the speed they wanted us to go.

The outcome:

Once we know where they stood, then we could help them fill the gaps and we knew how to respond to their bank customers. We then started engaging their customers on security requests and have been effective at those negotiations.

This company chose to take a "risk based" approach to information security rather than a "compliance based" approach. As we improve their program from a risk standpoint, they will be compliant with customer requests. The other alternative was to continue trying to comply with customer requests. The problem with this strategy is that customer requests change, making your solution a moving target.