One of the largest public school districts in the United States, comprised of roughly 250 schools and over 200,000 students, teachers, and staff members, engaged Focal Point for a strategic cybersecurity assessment. The District’s recently appointed Chief Information Officer (CIO) was seeking the help of an outside firm in order to gain a better understanding of the existing IT security systems, processes, and risks. More specifically, the CIO was interested in gaining an independent evaluation of the team, the current security strategy, the budget allocation for IT and security resources, and the systems and applications supporting the District.
After reviewing proposals from a number of consulting firms, including some of the nation’s top strategy experts, the District selected Focal Point because the CIO felt that Focal Point had the best understanding of their objectives and could provide the most actionable guidance. The assessment spanned 14 weeks and resulted in a 200+ page report that provided the District with a practical roadmap to improving their cybersecurity strategy.
Project Summary
Challenge 1: Lack of Insight into Cybersecurity Program
For this engagement, Focal Point conducted initial discovery sessions with key IT and business process owners to gain insight into the business, key data flows, and the technology environment. In addition, the team reviewed policy process documentation and inspected select operating systems, networks, and applications.
Over the course of the project, Focal Point identified a number of areas that lacked sufficient strategic planning, which had created a reactive governance posture and led to overspending. In addition, vulnerabilities were found within their networks and systems that could have exposed thousands of students’ private information.
Based on the issues found during this assessment, the Focal Point team developed a multi-year strategic roadmap to help the District build a mature cyber strategy and IT governance structure, creating a phased approach to addressing high, medium, and low risk issues. This enabled the District to effectively budget and plan for future IT and security initiatives, taking into account their limited financial resources. This roadmap now serves as the foundation of their IT security program.
Challenge 2: Team Organization
As part of this assessment, Focal Point evaluated the current IT and cyber organization. This assessment covered personnel structure and team salaries, skillsets, and needs. Focal Point found several opportunities to restructure the current team so it could better support the needs of the District. Focal Point delivered a report documenting the recommended personnel structure (including a short-term and long-term plan), cyber skills gaps and opportunities for improvement, and justification for salary changes.
Challenge 3: Application Portfolio Alignment
Like many large organizations, the District had a host of tools and applications running, many of which had not been evaluated in a number of years. During the assessment, Focal Point analyzed the District’s full application portfolio to ensure every tool was meeting the needs of the business. This analysis uncovered a number of opportunities to optimize the tools in place and sunset outdated applications. In particular, the Focal Point was able to save the District $250,000 in licensing costs by establishing a formal end-of-life plan for outdated tools.
Success and Continued Support
Following this assessment, the District was able to build a comprehensive security strategy, based on the report and roadmap. Focal Point helped the District carry out a number of new IT security initiatives based on the recommendations the team provided, helping them establish a robust IT governance structure, clean up their application portfolio, and better organize their team.
In addition, the District has continued to partner with Focal Point over the years on various additional services, including quarterly internal and external vulnerability assessments, network infrastructure stabilization and implementation, and incident response planning.