Skoda Group fills the skills and capacity gaps in its IT team with CISO as a Service
/ A highly competitive IT security employment market meant Skoda Group was struggling to fill its open IT security positions, including the role of Chief Information Security Officer (CISO).
/ EmbedIT’s CISO as a Service delivered a flexible alternative to in-house employment, fulfilling a wide range of security tasks for the Group using experienced EmbedIT cyber security consultants, billed on an FTE basis
/ Skoda Group was able to meet all of its cyber security needs, even as requirements changed, and gain access to the latest cyber security insights and best practices.
Location
Czech Republic
Expertise
Security management
Information classification
O365 security
Security governance and operations
Security user awareness
ISO 27001 compliancy
The challenge
The Skoda Group’s transportation arm designs and produces a full range of public transport solutions, including trains, trams and buses (many of which are electric and produce virtually no emissions) as well as providing maintenance and support services. Over the last few years, despite the trend to work from home, Skoda Group’s order books have continued to grow and the company has made significant investment in additional production capacity alongside this.
However, the group’s IT function was struggling to resource all of the services needed to support this business growth and maintain Skoda Group’s leadership position in its sector. The continuing global IT skills shortage was making it hard to find, recruit and keep people with the right skills and experience, particularly within cyber security – a fast-changing landscape that requires highly skilled and knowledge people in order to reduce an organisation’s exposure to risk.
With a significant number of cyber security roles open, the Skoda Group turned to Embedit for fill the recruitment gap, with EmbedIT supporting the Group to deliver a number of specific IT projects. This included a 6-month project to design and implement an information classification tool, identified as an upcoming regulatory requirement during an audit. The tool integrates directly into Microsoft 365 and enables the Group’s 5,000 users to classify (and in the future to also encrypt) more than 200,000 emails and 25,000 documents every month according to their importance and level of confidentiality.
However, it soon became clear that Skoda Group needed more regular support with day-to-day IT activities. This became critical when the group’s Chief Information Security Officer (CISO) was ready to move on – a role that can traditionally take between six and twelve months to fill.
The solution
Having recently worked with the EmbedIT cyber security team, the Skoda Group leadership team understood the capabilities and breadth of experience of the EmbedIT team, from infrastructure, enterprise transformation, data and analytics to cyber security and beyond. And with the highly successful implementation of the information classification solution, they knew they could rely on EmbedIT to deliver.
As a result, EmbedIT was asked to deliver its CISO as a Service solution, which enables organisations to resource their IT security gaps from EmbedIT’s pool of highly experienced and skilled cyber security experts.
With CISO as a Service, customers can choose to have experts allocated on a full-time basis, or instead leverage particular tasks and activities from more than 8 different cyber security specialist roles across the EmbedIT team as they are required. The work on these tasks is charged to the customer as a full-time equivalent (FTE) value on an ongoing basis, for costs that are easy to predict and manage.
Skoda Group started with a single FTE cyber security specialist role, accessed from the wide variety of skills available within the EmbedIT team. This included team members with experience in cyber security governance, planning and managing audits, application security, and more.
EmbedIT also provided a dedicated expert to undertake the role of Chief Information Security Officer (CISO) for the Skoda Group. This person works collaboratively with the Skoda IT team and EmbedIT’s cyber security team to deliver the same value as an internal CISO, from assuring the security of systems, to budget planning and spend, and team structure and motivation.
Over time the EmbedIT dedicated consultant helped to recruit the Group’s new permanent CISO and embed them in the role.
“Finding the right IT security people is very hard. It can take a significant amount of time and it’s a struggle to maintain all the skills you need with a small in-house team and large IT application and infrastructure landscape. EmbedIT’s CISO as a Service has given us access to all skills and knowledge that our group needs for such quite complex set up. We can now pull in the security specialists as requested, including C-level expertise. We know that we could rely on the EmbedIT team. We recently passed an important audit with very good results, thanks to them.”
Milan Urbášek
Group Chief Information Officer, Skoda Group
The benefits
Outsourcing its IT security resources has delivered a number of key benefits to the Skoda Group:
/ Access to a wider range of security functions and skills.
By fulfilling two full-time equivalents (FTEs) from EmbedIT’s pool of experts, Skoda Group was able to access a far wider variety of IT security skills than they could recruit in two full time cyber security specialists. From cyber security specialists operating infrastructure and reporting, to C-level information security executives, we provide all of the capabilities.
/ Flexibility to meet the biggest challenges.
With the ability to flex the amount of time available with particular experts, Skoda Group was able to prioritise its most important projects by allocating more of the appropriate resources.
/ Automatic access to the latest skills and knowledge.
By using EmbedIT experts, Skoda Group was able to effortlessly and cost-effectively access the latest cyber security knowledge, techniques and best practices, without the need to run its own training programmes – reducing costs, and time away from the business for trainees.
/ Focus on security, not people
By outsourcing cyber security, Skoda Group has reduced the team management workload (and associated people costs) for both IT and the wider business, including HR.
