Digital Security Transformation: From Vulnerable to Secure in 4 Months
The Business Challenge:
When a financial technology company approached us, they were in need of a comprehensive data security plan to guide them in managing present and future data-related risks. As the company had undergone rapid growth both in its number of monthly active users and the scope of its service offering, it had become clear that properly handling the personal data of its users was not just a priority but a fundamental responsibility. With increasing visibility and success came a growing chance that customers or malicious entities would report instances of noncompliance with data protection regulations – and each noncompliance violation could cost the company up to $12 million USD. Additionally, the company needed a set of processes designed and deployed to discover, assess, and pre-empt security vulnerabilities before they were exploited, as well as to respond to breach incidents in a compliant fashion while mitigating downside risk to the business. Ultimately, the company needed to build and maintain the trust of the millions of users who depend on it for their mobile payment needs.
The Komodo Solution:
Our client could have easily just bought a one-size-fits-all security package from a well-established vendor, but Komodo was chosen because we understood that what the company really needed was a balance between tools, techniques, and skills tailored to the business and ongoing support to teach the employees how to use this new toolkit. Komodo worked directly with C-suite and department leads to identify the key initiatives that would set the company up for data regulation compliance and efficient ongoing management of data-related risks.
The best place for us to start was with a series of fundamental designs and analyses that would direct the entire effort. We updated documentation of the company's data architecture and system maintenance schedule, built a map of all sensitive data, searched for and documented existing data security gaps – and with all this input, ultimately designed a 12-month data security improvement plan. This comprehensive plan involved the design and implementation of a wide variety of policies, protocols, and processes that would ensure compliance and support risk management. Komodo developed official company policies that governed the use of virtually all systems where data security was identified to be a key concern. With Komodo's direction, the company would have a clear policy on user authentication and authorization, an exhaustive categorical description of the types of sensitive data it should be concerned with and how to handle each properly, and tight specifications for how to react to a number of critical scenarios including data breaches, policy violations, employee off-boarding, and the discovery of new security vulnerabilities.
Ultimately security starts with people who use data – and every employee uses data. With an understanding that when it comes to security a company's defenses are only as strong as its weakest point, Komodo also set out to train all company employees on the data security policies, protocols, and processes it developed. Komodo prides itself on helping make companies better by first making their people better and more capable. Another critical component of this focus on people was bringing together employees from departments who previously did not interact on product design and development. Collaboration between departments would be vital in maintaining a consistent level of security across all features of the company's product.
The Results:
As a result of Komodo's leadership in designing, developing, and implementing a high-resolution data security plan, the company was able to move quickly and make a significant upfront investment of resources to improve its security. Several of the company's key internal operations, such as fraud detection and mitigation, were simplified and standardized, enabled by an improved set of data security practices. In 4 short months, Komodo was able to set the client up for success both in pre-empting and reacting to data security incidents and in the regulation-compliant documentation of all ongoing data-processing operations. Komodo helped instill a culture of collaboration focused on holding all aspects of the company and its product to a strict standard of security. Solution design activities began to bring together not only the product and engineering teams, but also the legal and security teams. This shift in mindset empowered the client to protect not only its product but also itself.