
Enhancing Cyber Security with a Centralised Service Catalogue
Education
Summary
Cyber security is a multifaceted discipline requiring seamless coordination between leadership, governance, and technical teams. For organisations to manage their cyber security effectively, it’s essential to establish clear service ownership, defined responsibilities, and a roadmap for continuous improvement. To support these goals, we partnered with a customer to design and implement a centralised cyber security service catalogue, leveraging Change Management principles to ensure buy-in, clarity, and sustainable adoption.
Key Challenges
Our customer recently implemented a new cyber security strategy aligned with the NIST Framework, aiming to uplift their maturity and reduce risk. A key component of this program was developing a centralised service catalogue that would:
- Define the scope of services required to support staff and students
- Document technical solutions and operational requirements
- Assign clear ownership of services
- Establish governance processes for maturing each service
However, several challenges arose, including:
- Dispersed ownership: Responsibilities were often allocated to individuals rather than structured teams.
- Fragmented documentation: Information was stored across Word, Excel, Wikis, and email, making it difficult to centralise.
- Shifting responsibilities: A recent restructure had resulted in evolving roles and priorities.
The solution needed to balance accessibility and confidentiality, ensuring stakeholders could easily navigate the catalogue while maintaining the security of sensitive information.
Solution
We collaborated closely with the customer to overcome these challenges, delivering a solution that leveraged their existing technology stack and aligned with their strategic objectives.
Phase 1: Defining Ownership
We conducted a review of cyber security services against the NIST Framework controls to establish a baseline for ownership. Through workshops with Associate Directors and Team Leads, we clarified roles and responsibilities, resolving any contention by breaking down services into manageable tasks. Handover sessions ensured smooth transitions and accounted for team capacity and priorities to prevent change fatigue.
Phase 2: Developing a Proof of Concept (PoC)
Using SharePoint as the platform, we created a centralised service catalogue that provided both open access for general use and restricted access for sensitive information. Stakeholders were involved throughout the process, following co-design principles, to drive engagement and ensure the catalogue met their needs. Feedback during this phase was incorporated to enhance usability ahead of the official launch.
Phase 3: Establishing Governance
We introduced governance strategies to monitor service maturity, including regular review cycles and ongoing engagement to maintain stakeholder focus and commitment to the catalogue.
Phase 4: Training, Education, and Support
We delivered tailored training sessions and materials, equipping stakeholders with the skills and knowledge to manage the catalogue effectively. A two-week support period provided additional assistance before responsibility transitioned fully to the customer.
Business Benefits
The centralised service catalogue immediately uplifted the organisation’s cyber security maturity, directly impacting 14 NIST controls. It also provided a clear pathway for further improvements over time.
Key benefits included:
- A fit-for-purpose solution leveraging existing tools and technologies.
- Defined ownership and responsibilities for all services.
- Stronger relationships between key stakeholders, built on collaboration and trust.
This project was recognised internally with the organisation’s annual IT award for Continuous Improvement and Working Together, further validating its success.
"Chamonix was pivotal in the successful delivery of our Security Controls Catalogue. Their expertise facilitated effective engagement with key stakeholders, leading to the acceptance of the solution and ownership of catalogue items. They adeptly managed complex relationships and dynamics, and their ability to understand the subject matter, stakeholders, and desired outcomes ensured a successful result."
— Deputy Chief Information Security Officer