Mortgage Provider : Security Controls Assessment and Roadmap
Our client, a mortgage platform provider, requested Broadgate to assist with the review of their cyber security operations.
The organisation was growing rapidly in terms of clients and operations and needed a level of maturity that was appropriate for the increased business.
Having looked at the challenges, Broadgate carried out an operational review against the cyber security benchmark which in this case was Cyber Essentials. Any gaps in the processes or policies were identified, assessed, and reviewed with the client team.
A roadmap was defined to remediate the gaps. We also carried out a high-level review of the security stack supporting the business.
Having remediated any issues we assisted with completion of the Cyber Essentials security assessment.
Improved information security risk management and governance processes.
Established a risk framework and roadmap to further improve security posture.
Assisted with the assessment process to ensure the client achieved Cyber Essentials certification.
Asset Manager : Investment Accounting Platform Selection
Our client, an FTSE 250 Asset Manager, contacted Broadgate to assist with the identification and selection of an appropriate platform for their investment accounting.
They had two challenges, the first being the suitability of the previous platform and the second being that they wanted to have a new product that serviced all of their asset classes.
Having looked at the challenges, Broadgate ran an operating model assessment to understand the key requirements of their different asset types, together with the data requirements, both historical and future.
We identified a shortlist of potential candidates, including full outsourcing, and then reduced it to a smaller number which was included in a selection process.
We ran a light tender together with interactive demos with the business users of the potential new system.
A new platform was selected that met all of the requirements, was cloud-based, and also provided a rich set of data analytic capabilities to deliver future benefits.
From a business case perspective, the new system saved c.£500k per annum in terms of license costs and other ancillary products and exchange connectivity.
Through robust transition planning, it was one of the smoothest implementations our client had ever experienced.
Investment Manager : Operating Model Review and Outsourcing of Technology Services
Our client, an Investment Manager with £1.7Bn AUM, engaged with Broadgate following the Covid-19 pandemic, to review the delivery of technology services.
They were concerned that with the new hybrid operating model they were inefficient in terms of the balance between internal-external service delivery.
Broadgate conducted a review of the current internal technology services including infrastructure, service management, security operations, and development.
We designed the optimal retained organisation and then identified suppliers for each of the service towers.
We conducted an RFP process to help determine which suppliers were the best fit, either for a specific scope or for the full-service model.
By following our standard methodology, we determined that the best model was to outsource the infrastructure, service, and security towers and to have a ‘core-flex’ model with a different supplier for application development and maintenance.
This delivered the most agile approach aligned with the demand pipeline of the client, resolved their skills shortage issues, and also drove efficiencies of £1.9m over the contract term.
Fund Administrator : Operating Model Review and Transformation
Our client, a Trust, Corporate Services, and Fund Administrator with £35Bn AUM, engaged with Broadgate to do a complete review of their technology services.
They were concerned that their existing operating model did not support their strategic drivers to provide a modern, digital platform to retain their current clients and attract new ones.
Broadgate conducted a review of the current state across four workstreams: governance, platforms, applications, and security. This was done through interviews, reviewing artefacts, and assessing the technology stack.
We then mapped the output of this against the strategic drivers of the organisation. Using our standard methodology we then provided a future state roadmap and business case, from which the client could determine the appropriate transformation plan to achieve the objectives.
We delivered 22 operating model improvement initiatives from the key workstreams, to increase digital capability, deliver efficiencies, introduce automation and reduce cost.
The highest priority in the Applications workspace also required a new platform for their business, so a detailed requirements process and RFP were executed by Broadgate to select a new partner.
This will deliver c.£2m of efficiency savings over a 3-year period and provide a strong technology platform for growth.
Investment Manager : Selection of Portfolio and Order Management Tools
Our client, a global asset manager, was using out-of-date and under-performing technology to determine investment decisions.
The ability to change and add new functions to the applications was limited resulting in manual workarounds, errors, and the inability to launch new products quickly.
Broadgate gathered requirements from the business areas to build a tender.
We reviewed the market for products and ran an RFP process to assess the contenders.
We managed the contracting process and assisted the client with the migration and implementation of the new toolset.
The implementation of the new product set enabled our client to deliver and manage additional security asset classes on a single platform, reducing the time-to-launch of new products by an average of 3 months. Input errors were reduced by 98%.
In addition, over £450,000 was saved through the reduction in infrastructure required to operate the new platform.
Wealth Manager : Security and Risk Framework
Our client, an Investment Manager, was concerned about their current security posture in terms of technology controls, policies, and processes.
In addition, they wanted to implement a new security Risk Framework from which they could measure the effectiveness of their controls throughout the organisation.
Broadgate worked with the client to set out a risk appetite for cyber events, with criteria such as reputational damage. We then used the NIST framework to review the current policies, governance, and technology controls in place, producing a set of key recommendations.
We also reviewed the technology stack protecting their critical assets and data, identifying any gaps and recommendations to improve.
Measuring the client’s implementation and maturity against the agreed baseline allowed us to set out a roadmap from which the client could focus resources toward the most important areas.
This was also enabled by setting out a set of Key Risk Indicators (KRIs) from which the current status and the future roadmap could be managed.
In addition, we set out a new governance model, with defined roles, inputs, and outputs.
Accountancy Firm : Programme Review and Remediation of Practice Management System
Our client, a national accountancy and professional services firm, had a legacy, in-house practice management system. This was expensive to support and difficult to change.
They engaged a systems integrator to implement a Microsoft Dynamics solution. The project had significant cost and time overrun issues and the scope was drifting.
Broadgate was asked to perform an independent ‘drains-up’ review of the programme.
Broadgate interviewed vendors, project sponsors, and the project team to analyse issues and potential resolutions.
A detailed review of the plan against cost and deliverables identified a number of challenges.
The project governance was also analysed to identify gaps and weaknesses to improve overall processes and approach.
A project review with senior stakeholders confirmed the findings that the project would not deliver the required outcomes; continuing the project would only cost more money and divert resources from alternative solutions.
The project was stopped with cost avoidance savings of approx. £1.4m. It was redefined and initiated with a narrower scope utilising the COT solution.
The project was successfully implemented in 9 months, under budget.
Top 5 Accounting Firm : IT Strategy
A previous client recently became CIO for a large UK-based accountancy firm. They valued the work we had carried out previously and asked us to review the current set-up and assist in building out a forward-looking technology strategy.
The client had not invested in technology and had built up significant levels of technical debt with the associated risks, inability to change swiftly, and rising costs to support.
We undertook an initial two-week deep dive within the IT division and identified a number of deficiencies and provided ‘quick-win’ solutions. These included implementing a design-authority and change governance process and holding to account/removing underperforming suppliers.
We then worked with the firm’s executive team and CIO to formulate the technology strategy mapped to the business goals and objectives.
The technology strategy (which involved a significant technology and application transformation programme, updating all end-user technology, networks, and communication systems) was approved by the Board.
We created and managed the roadmap of delivery whilst ensuring business-as-usual continued with minimal interruption.
The technology programme has now been delivered successfully.
Global Energy Company : Cyber Security Product Implementation
Our client, a large energy trader, was seeking to improve their cyber security controls. They had a complex environment, with multiple operating companies in several global locations representing over 10k users.
In addition, data privacy and regulatory considerations were of critical importance.
Broadgate worked with the client to select and onboard a number of additional cyber security products into their technology stack, including:
* Email and Malware threat protection
* AI and ML-driven messaging analysis
* Cloud Access Security Broker
* Endpoint mobile device management
We also negotiated product commercials and contracts.
We delivered the products, either through central services or within the various geographies as per the plan. This provided a significant improvement in the security posture of the client.
The savings through improved commercials following Broadgate’s engagement have been over £5m.
Start-Up Bank : Security Controls Assessment and Remediation
Our client, a finance provider, sought to expand their services by obtaining a banking license.
However, they lacked the experience and specialist knowledge needed to ensure they were able to meet the necessary security control requirements and satisfy the regulatory baseline.
Broadgate conducted a cyber and data security assessment of their current state using our methodology which identified both gaps and maturity levels against industry peers.
We reviewed the results with the client leadership team, identified risks in controls, and provided an FCA-compliant remedial plan to address gaps.
Our assessment provided a clear risk-based representation of the security maturity level of the organisation and identified ‘quick wins’.
This helped to form a priority-driven roadmap, which enabled the company to pass the security requirements of the banking application.
In addition, our methodology provided a baseline from which our client was able to implement a continuous improvement process.
Regulator : Company Registration and Renewal Portal
A regulator approached Broadgate to perform a high-level analysis of their Company Registration system. We were asked to review the current architecture (based on Microsoft Dynamics) and provide recommendations as to how an improved solution might look.
This included verifying against best practices, the ratio of configuration against code, and checking that the data model was aligned with the client’s design principles.
In addition, we were requested to recommend whether the solution should be migrated or redeveloped.
Broadgate provided a small team of Dynamics architects and developers to work with the client to understand goals and the current set-up.
We analysed the code, data structures and configuration against the existing solution and proposed improvements.
We followed Broadgate’s IVEAR (Identify, Verify, Review, Assess, Recommend) methodology to produce a weighted assessment and recommendations.
We delivered a report detailing findings and recommendations. We identified significant areas where configuration could be used instead of coding and customisation.
We recommended migration to a cloud-based solution to reduce in-house maintenance and support requirements.
We produced a costed, risk assessed plan to deliver the required solution within the necessary deadlines.
We were engaged to execute the plan which was subsequently delivered on time and to budget.
Healthcare : Supplier Assurance and Risk Assessment
Our client was a healthcare organisation specialising in data analysis to enable hospitals to improve their services and patient outcomes.
They had recently undertaken a security review that highlighted the potential risks from a third party security breach and how this could affect their own operations.
We were engaged by the COO to design and build a robust third party assurance review process.
The Broadgate team of security assurance consultants identified all third party suppliers and conducted a review of all the contracts and the supplier’s security policies and processes to identify any risks in the client’s supply chain.
All suppliers were categorised in terms of criticality and any risks that would significantly affect the client’s operations were remediated.
The client now has a strong third party assessment and governance solution, which allows for onboarding, oversight and offboarding based on a supplier defined process dependent on tiered criticality.
This allows for our client to manage risks appropriately based on the respective supplier services.
Subsequently, our client has reduced the risks associated with their supply chain.
Government : Security Architecture and Delivery Programme
Our government client, with significant pandemic-related challenges, required the ability to rapidly set up a secure environment for a new critical infrastructure project.
The existing approach to delivery was not agile enough for the time sensitive requirements.
Broadgate, with a partner, was asked to provide a small team of highly skilled security specialists to advise and implement a secure environment at pace.
The Broadgate team of security architects were implanted into the client’s team to define, design, and build the security focused environment.
This involved working with and guiding multiple third parties, other government departments, and senior sponsors.
The time critical secure laboratory and infrastructure were built and delivered in a very short, highly pressurised time frame to successfully deliver the essential services.
A re-architecting and redesign exercise was then carried out to implement lessons learned and longer term objectives to provide a strategic UK government asset for continued use.
Large High Street Retailer : Operating Model Review and Outsourcing
Our client, a large high street retailer, was concerned that their technology operational model and associated costs were inefficient.
Specifically, whilst a large part of their payments platform was delivered as a service, the internal operations had become too large, inflexible, and not aligned to their overall business services.
Broadgate conducted a review of the current internal technology services including infrastructure operations, service management, end user computing, security, and cloud platforms.
Through this process, we determined that the delivery organisation was disconnected from the business products and with large service overlaps.
In addition, processes were immature and software and suppliers had proliferated.
Broadgate worked with the internal HR team to create new roles and responsibilities with clear business alignment, resulting in staff being redeployed to accelerate projects.
We also ran a sourcing process for all the operational towers.
This process delivered a £1m a year saving on the store network connectivity and £12m+ five year savings through consolidation and transformation to an on-demand cloud-based platform.
High End Retailer : DevOps and Service Management Integration
As part of an operating model review, Broadgate identified a disconnect between the IT Service Management and DevOps functions.
Both were operating in their individual silos, with inconsistencies in processes and tooling. The outcome of this was both cost inefficiency and a lack of end-to-end view from a management perspective.
Broadgate worked with the Service Management and Development teams to identify which processes needed integration and the respective tooling.
We selected JIRA to replace the existing development ticketing platform and implemented code (automate.io) to provide a two-way integration with ServiceNow.
We also trained all the users and provided a set of Key Performance Indicators (KPIs).
The new system provided automated robotic processes which allowed for the development and service procedures to be supplied seamlessly to all parts of the organisation.
From a cost saving perspective, the previous system was decommissioned, saving 40% in annual costs.
In addition, the throughput of change from development to production was increased as was the quality of delivery to the end users.