The Chief Information Security Officer (CISO) of one of a major bank’s regional subsidiaries needed greater assurance and oversight of the security services the subsidiary received from the headquarters’ security teams. Kroll’s Security Advisory team delivered a structured Security Services Lifecycle Framework (SSLF) that standardized how all security services should be onboarded, managed and governed for the bank’s regional branches, providing a formalized route map to advance security governance and regulatory compliance and to expedite integration efforts following regional acquisitions.
Overview
Industry
- Financial services
Challenges
- Lack of oversight and governance of security services
- Few formalized processes for governance of services
- Gaps in knowledge around key aspects of security services and how they are delivered
- Inconsistent approaches to achieving regulatory assurance
Kroll Services
- Security services governance manual for regional banking subsidiaries
Impact
- Clearer adoption methodology for standardized security services
- Better alignment between security services and regional functions
- Structured mechanism for regional-to-central services escalation
- Enhanced regulatory assurance
The Challenge
The CISO of one of a major bank’s regional subsidiaries was looking for a way to gain and demonstrate control and oversight throughout the lifecycle of the security services they received from the bank’s head office. The services, which include security monitoring, incident response, threat intelligence, offensive security and centralized infrastructure services, are delivered through the centrally managed global security functions of the bank. These are then used by regional branches or subsidiaries to meet their security requirements but with little oversight of the services that are delivered.
While this approach aims to provide regions and subsidiaries with mature, pre-established security capabilities, it offers no clearly defined opportunities for local oversight, governance or input into the direction of these services. The governance framework for the bank’s regional service delivery is therefore less formalized than it would be under a transition services agreement or a vendor agreement. Regional CISOs have no contract for the security services they receive from the main bank, so there is no defined expectation of what each service should deliver or of who to contact to change it.
As a result, the CISO was looking for a way to structure security services in order to demonstrate accountability and oversight and to strengthen regulatory assurance. They also needed a framework for choosing and accessing additional security services when required, for the whole lifecycle of the service. Alongside the ability to assess the quality of new security services, the CISO also needed a formalized process for assessing whether an existing service was meeting its objectives, with mechanisms for change and escalation if it wasn’t.
Kroll’s Solution
Kroll’s established advisory services and expertise as a security services provider led to its selection as an advisory partner. Following a three-month period of working closely with the bank, the Kroll Security Advisory team delivered an SSLF that defined how all security services should be onboarded, managed and governed for the bank’s regional branches. This provides the bank’s central security team and its regional security teams with:
- An established operating model for the security services utilized by the bank’s regional branches
- A consistent approach in delivering group-level security services across all regions
- A collaborative governance model ensuring expedited adoption of security services gained through acquisitions
The Kroll team achieved this through an intensive process completed in two workstreams. The first workstream assessed and documented the frameworks the bank already had in place. This involved working with the bank’s central security functions to identify the nature of the services and who was providing them. The second workstream then focused on developing the operational framework itself.
A key challenge the Kroll team faced in the initial stages was gaining a complete understanding of the nature of the services and the exact deliverables being offered. Because not all service owners were able to fully determine the scope of what they provided, the Kroll team had to define the services at a detailed level. A further obstacle in the initial stage was that documentation for the services was incomplete.
Uncovering and setting out the security services used and how best to formalize them demanded close collaborative working between Kroll, the bank’s main office and the regional banks. The Kroll team needed to demonstrate credibility to a wide range of stakeholders. Gaining their trust and support was a critical part of developing the structure of a comprehensive and practical framework that would establish clear service level agreements and enable the bank to integrate its security investments.
This complex process demanded Kroll’s deep expertise in security advisory and governance. Kroll’s long track record as a provider of security services also meant it was uniquely positioned to understand the bank’s complex security requirements and categorize them into specific business priorities.
As a result, the bank and its regions now have a clearly defined operational manual for onboarding, accessing and managing security services. This offers a structured, formalized and compliance-driven route map for more effective, cost-efficient and high-quality security services.
Key elements of the SSLF include:
Categorization of Services
The categorization of each service delivered into the different bank regions. This ensures that governance and reporting are appropriate to each service by formalizing the level of reporting and governance it requires.
Definition of Roles and Responsibilities
Key roles, responsibilities, champions and stakeholders within each security service, including the identification and definition of three personas. These include Business Champions: individuals who have an interest in the success and adoption of the services being provided.
Service Changes
A clearly defined process for changing a service, or for adding or removing services, when this is required by either a service consumer or a service provider.
Service Onboarding
How services are adopted and migrated into use by a specific banking region. As services are onboarded, their status is tracked according to agreed definitions and metrics that define the service being delivered.
Service Governance and Escalation
Covers the governance processes operating between the central security services and each bank region, including the typical governance and escalation themes a region may encounter and specific guidance on handling them through the framework.
The Impact
Streamlined Security Services
The bank and its regional subsidiaries now have an established operating model for the security services they use, with a clear structure for planning, procuring, managing, measuring, onboarding and offboarding security services, with the scope to significantly enhance security at all levels and streamline decision-making.
Better Alignment with Security Services
With a clear framework in place that defines the nature and scope of services and how they should be managed and accessed, the bank’s security services and its regional branches are now better aligned, with the potential to significantly mature the bank’s security posture.
Greater Return on Investment
The framework ensures that the bank now has a formal mechanism for measuring return on investment for security services and other key metrics throughout the lifecycle of each service.
Enhanced Regulatory Compliance
By delivering a structured SSLF, Kroll has ensured that both the wider bank and the regional security teams are more easily able to achieve compliance with key regulations such as the EU’s DORA and UK regulations, through aspects such as clearly defined service level agreements and resiliency testing of services.