What does getting started with RQ really look like? How long does it take to get fully implemented? These and many other questions may be on your mind as you plan how to move forward with our tool if you have just purchased it, or as you consider what that engagement MIGHT look like if you are thinking about buying. In this blog, we want to walk you through an approximate timeline of what RQ implementation would take for a standard client.
Consideration: Every client engagement is different, as unpredictable events can interfere with the timeline. The volume of work will also depend on factors like company size, security team size, client POC availability, etc. Nehemiah Security allows its customers to be as independent as they would like to be. Our goal is to help the customer get started with RQ and see the value right away with the ultimate goal of using the tool independently down the road.
Phase 1 – Kickoff (1 week)
- Get to know the team and everyone’s roles in the project
- Review projected schedule / timeline
- Discuss client goals and success outcomes
Nehemiah Security and the client start with a kickoff to cover the following:
- Introduction to your Client Services team
- Review / confirmation of your objectives and successful outcomes
- Discussion about high-level inputs and their potential application to the client
- Key business applications / tools your organization relies on (ERPs, CRMs, etc.)
- Next steps and timing
Successful outcomes include:
- Timeline and roles are finalized
- Firm understanding of the business
Phase 2 – Input Confirmation (1-3 weeks)
- Understand client’s technical & business inputs and environment
- Meet with appropriate stakeholders to confirm all inputs
- Facilitate gathering key data inputs
Nehemiah Security will facilitate the gathering and understanding of the client’s inputs. The client can be as independent as possible here. The client also does not need to have everything figured out and all inputs presented in order to start. On the tech side, we will also facilitate the technical inputs assessment. These items will include finalizing business inputs, finalizing selection of business applications, finalizing evaluation of application-level controls, finalizing evaluation of enterprise-level controls and finally obtaining vulnerability scans from the client, if they choose to do so.
We will facilitate gathering the key data inputs to get to the first board report:
- Business input – start with research so it’s an ‘editing’ exercise instead of creating anything brand new
- Vulnerability scans – Nehemiah Security provides mock data that can be loaded if it takes a customer a while to get their own scans
- Enterprise controls – we facilitate a discussion on these and start with defaults
- Having data at the starting point:
  - Allows a customer to see an output quickly, if that’s a goal
  - Removes the ‘blank screen’ intimidation factor
  - Removes the barrier of schedule alignment if a key stakeholder isn’t available for input
Potential Business Inputs
Business Processes / Lines of Business
What’s the best way to organize financial data so that there’s a meaningful (and trackable) way to reduce cyber risk? RQ considers annual revenue and each business application’s business impact / dependency.
What business applications are used to drive the business processes (or lines of business)? Here we aim to understand which business applications the client primarily relies on and uses on a daily / weekly basis.
RQ provides recommendations that take into consideration the controls already in place. RQ considers:
- Business Application Controls – the transactions and data relating to each computer-based business application system.
- Enterprise Controls – the intelligent processes, procedures, and safeguards that protect your company from uninformed or inappropriate decisions or actions by any team member.
- Vulnerability Data – data on potential flaws in the client’s systems that can leave them open to cyber attacks.
Phase 3 – Report Delivery (1 week)
- Report delivery, initial set of outputs
- Interpret results
- Go through report examples together, answer any questions the client might have
- Next steps + Q&A
- Training on the independent use of RQ
- Generate reports
- Report review
We realize that, for many customers, this will be their first time using a product such as RQ, so training for this phase will be provided by the Nehemiah Services team. As you get used to the tool and more info becomes available, you will be able to expand from there. If the data required for generating RQ reports is not available, we will use dummy vulnerability data that corresponds to the client’s industry, company size, location, etc. Clients also have the ability to pull reports out of the systems.
Phase 4 – Success Check-in (quarterly)
- Answer any outstanding questions
- Discuss upcoming product updates
- Discuss feedback / obstacles
Finally, we will field follow-up questions and provide additional information as requested. We will also encourage the client to continuously provide feedback and details about any obstacles they may be facing. Any product release updates will be communicated to the client on a quarterly basis as well.
This phase concludes the RQ implementation process. Stay tuned for an update once RQ 3.0 comes out this spring of 2019!