A public, $400 million revenue parent holding company with three operating entities was under a crucial external auditing schedule to maintain Sarbanes-Oxley compliance. Mid-year, the company’s security manager and controls analyst departed, leaving the parent company to meet SOX compliance, improve cyber-risk and response capabilities across all three entities and complete the acquisition of a fourth entity with inadequate staff.
The parent company called on E78 for immediate talent to help manage multiple transitions. E78 recommended and deployed one general controls analyst with a strong background and certifications in audit and forensics, as well as a finance leader with powerful expertise in business transformation, technology, risk management and compliance across multiple industries.
E78 first assessed compliance readiness across all three entities, taking into account past audit performance and senior leadership concerns. After identifying those compliance activities essential for success, plans to build a more consolidated and governed approach inclusive of cyber-risk were undertaken. Underpinning all activities were the twin needs of increased transparency and improved understanding of actual risk.
E78 also included deep exchange of information in how to govern change during acquisitions and divestitures, key talent identification for the initiatives, further consolidation plans around common services such as HR, finance and technology, and the first real-world test of the cyber-risk effort’s combined Incident Response Plan (IRP). The IRP centered the organization’s response and significantly reduced the potential brand damage and response to closure times. As a result of the compliance engagement, the team also received a clean opinion from the external auditing firm, with fewer noted findings than in prior years.
- Plans for consolidating shared services are underway in the parent company
- Key talent acquisition is being planned by aligning business strategies and strategic workforce planning
- The resilience of the cyber risk approach has been further tested by increased regulatory and non-regulatory scrutiny mandated late in 2016
- Corporate risk is better understood, and maturing
- Key product improvements have been delivered within the overall context of risk and cyber security for the first time in the organization’s history
Overall, the organization is moving from a critical response to a deliberate planning footprint which will ensure the organization’s response will appropriately balance the needs to protect and to grow.