Richard Hunt is Managing Director for Turnkey Consulting, a consultancy firm focusing on risk management. With the firm shortlisted for both the Risk Management Award and Security Innovation of the Year in the Security Excellence Awards, we caught up with Richard about the company's work and their plans for 2021.
Computing: What is Turnkey Consulting's background?
Richard Hunt: Turnkey's a company I founded in 2004, so we've been going for just over 16 years now. We focus on helping companies to tackle the challenges in the security control space that every company is facing, particularly those with sophisticated IT systems.
We have three business pillars: integrated risk management; cyber and application security; and identity and access management. Across those three pillars we're working with a large number of clients across a global group, operating in seven different countries.
C: What makes Turnkey different to other technology companies?
RH: One of the things we find as an organisation is that there are some very sophisticated IT systems in our clients' landscapes, and we are proud of the fact that we challenge some of the more challenging ones like SAP - alongside deploying some of the latest technology to help those clients manage things, like joiner-mover-leaver processes and some of their cyber challenges. But we don't shy away from helping them to tackle some of those big applications, which a lot of the niche and specialist vendors don't tend to be able to help with.
One of the other unique things about Turnkey is that we have a skillset amongst our consultants that brings to bear an understanding of the compliance drivers behind the challenges that our clients have in this space. So, you're looking at a very business-focused perspective on risk management and security controls. A lot of the other companies that work in this area tend to have quite a technical focus on these types of things, but we're constantly challenging ourselves to make sure that our team have an understanding of the compliance drivers, have an understanding of audit requirements, have an understanding of the business processes and where those controls that we help our clients with fit into those business processes - while still having the strong technical skills required to tackle some of these challenges.
That's a relatively unique perspective. A lot of our competitors have one or two of those skillsets amongst their team, but bringing all three of them together is very powerful in this space.
C: You entered the Information Security Risk Effectiveness Model for Security Innovation of the Year - what was the project's aim?
RH: The objective set to us by the CISO for the client we did this piece of work for was to help him to measure the effectiveness of the cybersecurity investments he was making. It's very difficult to quantify risk in the cybersecurity space - you're avoiding a negative outcome a lot of the time, and just trying to put a pound or dollar value on that negative outcome isn't really sufficient to justify the investment.
What we've tried to do, rather than using pounds or pence as the mechanism for evaluation, is try to use a number of KRIs [key risk indicators] and measurements against vulnerabilities, etc., to determine whether or not something is having a positive effect on an area. So, for example, if a company has invested money in reducing the number of phishing attacks, we're using the number of phishing events they're reporting as a measurement for whether or not they've improved that particular area.
Other metrics we might use are the number of advanced persistent threats that company is identifying; patching levels on some of their applications; and the number of security incidents on project go-lives. So there's a number of metrics that we've defined, and we've developed a mechanism for measuring those metrics. Then what we do is we roll them up using the NIST framework, to determine at the top level what the RAG status is across the NIST pillars of Identify, Detect, Protect, Respond and Recover.
So, we're helping the CISO to understand their RAG status across the NIST framework, but we're also helping them to understand whether or not - using those vulnerability metrics, etc. - investments in particular areas are having a positive effect on that risk and the risks identified in that area, and whether they're reducing those risks. That's how we're helping them to quantify that.
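The roll-up described in the answer above, as an added illustration that is not Turnkey's model or code: each KRI is rated Green/Amber/Red against a threshold, the worst rating per NIST function becomes that function's RAG status, and two periods are compared to see whether an investment moved each indicator the right way. Indicator names, thresholds and the quarterly figures are constructed for the example.

```python
from dataclasses import dataclass

NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
RAG_ORDER = {"Grey": -1, "Green": 0, "Amber": 1, "Red": 2}  # Grey: no indicator feeds the function yet

@dataclass(frozen=True)
class KRI:
    name: str
    function: str            # NIST CSF function this indicator informs
    amber: float             # threshold at which the indicator turns Amber
    red: float               # threshold at which the indicator turns Red
    lower_is_better: bool = True

# Constructed indicator set and thresholds, for illustration only.
KRIS = [
    KRI("phishing_events", "Protect", amber=20, red=40),
    KRI("apt_detections", "Detect", amber=3, red=6),
    KRI("patch_coverage_pct", "Protect", amber=90, red=75, lower_is_better=False),
    KRI("golive_incidents", "Respond", amber=2, red=4),
]
# Constructed quarterly measurements; Q2 follows anti-phishing and patching spend.
Q1 = {"phishing_events": 45, "apt_detections": 2, "patch_coverage_pct": 82, "golive_incidents": 1}
Q2 = {"phishing_events": 18, "apt_detections": 4, "patch_coverage_pct": 93, "golive_incidents": 1}

def rate(kri, value):
    """Map a single measurement to Green/Amber/Red against its thresholds."""
    worse = (lambda v, t: v >= t) if kri.lower_is_better else (lambda v, t: v <= t)
    if worse(value, kri.red):
        return "Red"
    if worse(value, kri.amber):
        return "Amber"
    return "Green"

def rollup(kris, measurements):
    """Worst-of roll-up: a function is only as healthy as its weakest indicator."""
    status = dict.fromkeys(NIST_FUNCTIONS, "Grey")
    for kri in kris:
        s = rate(kri, measurements[kri.name])
        status[kri.function] = max(s, status[kri.function], key=RAG_ORDER.__getitem__)
    return status

def trend(kris, before, after):
    """Per indicator: did the value move in the right direction between periods?"""
    out = {}
    for kri in kris:
        delta = after[kri.name] - before[kri.name]
        better = delta < 0 if kri.lower_is_better else delta > 0
        out[kri.name] = "flat" if delta == 0 else ("improving" if better else "worsening")
    return out
```

Functions with no indicator mapped to them stay Grey rather than defaulting to Green, so a gap in measurement is visible instead of reading as a clean result.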
C: What company achievement in the last 12 months are you most proud of?
RH: As a company we started out very much focused on SAP, and over the last three or four years we've had a real turnaround in our focus - helping clients who run SAP still, a lot of the time, but with a much broader portfolio of services. In particular, over the last year or two, we've really come a long way in terms of the diversity of the services we're offering our clients. We're really able to help them across a much broader range of services than we were previously, having been very much focused on SAP and the solutions that they offered in this area. That's really delivering value to our clients: to tackle not only their most challenging systems in SAP, but also being able to integrate solutions for that with other cybersecurity activities that they're doing: identity solutions, for example.
C: What is the future for Turnkey over the next 12 months?
RH: We've got exciting plans over the next 12 months. There's a lot of activity internally to consolidate some of our services, to ensure we're leveraging our wider teams: not just from the UK, but from the rest of our group. We have a number of very interesting client projects as well; it's an exciting time to be in this area. There's an outcome from the Brydon Report that we're expecting soon, in terms of potential risk management requirements for our clients, and the need to look at controls in a different way. We're well-positioned to help clients in that space, being independent of the auditors but also having a very strong understanding of what the auditors are looking for.
We've got a really good level of experience in our team around things like automation of controls, which is an important part of responding to those requirements in an efficient way.