With their current change programme coming to end, the client’s security function wanted to identify how best to assess the maturity of their security service going forward and how to use this to effectively steer their future security change programme and decision-making.

The client’s security function is responsible for the delivery of the Group’s Security strategy and services to all its entities across the globe.

What did Wavestone deliver?

Wavestone led the development of the security framework. This was built upon the industry-recognised NIST cybersecurity framework as a foundation and supplemented with elements from other frameworks where necessary. This was designed to be market-leading in terms of breadth and depth of controls.

In addition, we conceptualised the MI reporting and detailed the information flow to illustrate how their top threats linked to the framework, controls and ultimately individual change projects. This provided a platform for the client to design their future security strategy around risk-mitigation with the ability to directly see which change projects would be mitigating which top threats and how their maturity against that threat would change over time.


Stakeholder Engagement: there were 10+ critical teams, each with multiple stakeholders that we needed to engage for input and validation. As such, we engaged the core teams across the business at all levels and brought them on the journey, providing a consistent message and approach to realise the expected benefits.

Governance and Organisation: throughout the project it was necessary to hold various workshops, produce multiple deliverables, and track any risks and issues. To stay on top of this, Wavestone established a weekly governance forum with key client project sponsors and representatives from the business to communicate key messages, next steps, and importantly manage risks and issues.

Changing Mindset: the new security framework replaced the previous existing methodology that had been in place for multiple years. Anticipating some resistance to change, we scoped out a communications plan with the client in preparation for the transition e.g. identifying appropriate comms channels and having a single deliverable describing the framework for consistency.
NIST Cybersecurity Framework


  • Built a comprehensive security framework facilitating risk-management;
  • Conceptualised how the MI reporting may look once the framework is operationalised;
  • Socialised the new security framework concept with client stakeholders.

 Critical Success Factors

  • Obtaining stakeholder buy-in. Making sure that senior stakeholders understood exactly what the purpose of the framework was, how it was going to be implemented, and most importantly, why it mattered to them;
  • Wavestone’s expertise in developing and implementing cybersecurity frameworks; particularly taking a risk-pragmatic approach to help mitigate top threats specific to the client;
  • Wavestone’s previous experience of building security frameworks for other multinational banks.