SRM Builds a Modern Third-Party Vendor Information Security Program, Raising the Bar for the UK Construction Industry
Case Study

SRM Builds a Modern Third-Party Vendor Information Security Program, Raising the Bar for the UK Construction Industry

Challenge

Improving the management of supply chain information security risk

Solution

Comprehensive, in-depth visibility into and control of third-party security risk

Added Value
  • Streamlined vendor collaboration and remediation 
  • Ensured vendor compliance with regulations
  • Optimized efficiency of time, resources and budget

The Challenge:
Improving the Management of Supply Chain Information Security Risk 

For more than 150 years, Sir Robert McAlpine (SRM) has designed, built and preserved some of Britain’s most iconic structures. While cybersecurity isn’t something usually associated with the construction industry, the threat has become more pervasive as the industry has embraced modern technology. And with cyber breaches making headlines with alarming regularity, SRM recognized the importance of modernizing its approach to information security. Andy Black, Head of Compliance & Information Security for SRM and a veteran CISO hailing from the financial world, was charged with this responsibility. 

Black felt that some significant improvements could be made to address the way the company vetted its supply chain partners. “What became apparent early on,” he said, “was that construction was a little way behind the curve in terms of adoption of more modern approaches to information security management.”  

Because SRM was in a hybrid environment, Black wanted to investigate how they were challenging the security practices of cloud partners that were becoming custodians of SRM’s data. During that review, he said, “We identified that there was a gap in third-party security risk and there was a need to look for tools that could help us solve that.”

The Solution:
Comprehensive, In-depth Visibility into and Control of Third-Party Security Risk

Panorays was selected as a cost-effective solution providing a combination of automated, security questionnaires with external attack surface assessments while considering SRM’s appetite for vendor security risk, based on business relationship context. “Panorays gave us an overall posture of the vendor security risk to the business,” said Black. With this information, he can decide whether SRM will do business with a vendor.

Panorays also facilitates easy collaboration between SRM and its vendors. “It allows us to start conversations with vendors that ordinarily we wouldn’t be having and as a consequence of that, we are actually maturing our processes at a much quicker rate,” explained Black. The ability to collaborate with suppliers within the platform helps ensure regulatory compliance and enables quick communication and remediation. 

Black receives notifications for existing vendors about changes in their security posture. Panorays’ dark web insights also provides information about potentially malicious hacker chatter and facilitates an opportunity to reach out to the supplier regarding possible threats they are unaware of. “Having real-time insights into vendor threats is invaluable,” he says. Moreover, SRM utilizes Panorays’ self-assessment capabilities to monitor their own digital external footprint and use the results to help mitigate their own risk.

“Everything I saw in the product just hit the sweet spot for what we needed,” said Black. “We had an immediate challenge and Panorays just ticked all the boxes to give us real value.”

The Results:
Business Enablement Through an Intuitive Third-Party Security Risk Program

Three months after adopting Panorays, SRM had uploaded more than 60 vendors to the platform, approving and rejecting some and continuing ongoing dialogue with others. Black praises the simplicity of working with Panorays, how intuitive the solution is and how helpful the Panorays team has been throughout the process. “Having just one place to go to that manages all third-party security risk in a supply chain is really efficient,”

Black posits that to mature an information security process, management must understand that failure to do so is a business risk — and not just an IT risk. So he started changing the language and method to engage stakeholders, as well as suppliers. Creating reports, he said, has been extremely helpful to that endeavor. “It’s a business snapshot of the risk of sharing data online and that’s a really powerful message. When these risks can negatively impact the business from achieving their greater strategic goals, businesses understand that. 

“I really believe that we are making a difference and that we are challenging everyone around us to step it up. And Panorays has been fundamental to that happening,”  Black concluded. “In IT security, we are here to be the enabler to the business. And Panorays is a tool that we have to assist the business in moving forward.”

We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.