It is about ensuring that you manage the concept of security and a feeling of security in an organisation not just by technology but by training, process, awareness and best practice.
Ultimately our relationship with our clients is one that takes the mark of the capability and maturity model. Often our first engagement with an organisation is where they have had a breach or a compliance failure or they are getting ready for compliance. And through discussion and education with those organisations, what we find is as the relationship grows from "Help us with this particular point problem" to "How do we mature our organisation through that journey?"
Compliance is not just a tick box that happens once a year. It is about living and breathing what the compliance is and the scenarios that it will take you through.
Sidaway: We are also working with organisations in Asia on mobility. We are changing the work dynamic where rather than just technology enablement, they basically use us to take a step back to say, "What is the impact of this? What are the processes and procedures around this? What are our risks?" and then understand enable technology. We are having conversations around the front-end business that allows us to drive a proper risk approach with the client organisations.
3) So what happens in a client engagement?
Church: Typically it is to help them to prepare for an audit or compliance test, or look at a breach. They might want to do some penetration testing to ensure that their organisation is appropriately protected and from these small engagements, we tend to grow to a trusted advisor status where we find ourselves doing more and more activity. We're really very much around the business engagement and obtaining that trusted advisor status.
4) Can you elaborate on the activities that occur in the later stages of the relationship?
Church: It is all about helping clients mature. From our experiences, we have some very strong data where the clients can benchmark themselves against their peers in their industry, and work with them to improve going forward.
It's all about making them more mature and nimble because they are managing risk appropriately. As you progress along the capability and maturity scale, you are moving from a fire-fighting mode to a managed environment.
Ultimately, it is all about getting security and risk compliance out of the way from the users, allowing them to work.
Security is a people industry. There are lots of tools and processes, but once you get to a stage where you've got appropriate controls, measures, techniques and tools in place, it shouldn't get in the way you deploy business. In the early stages, it's probably seen as a barrier, in the later stages it becomes an enabler.
Sign up for CIO Asia eNewsletters.