Founded in 2010, Compass is a general contractor and construction manager. Ask anyone at Compass, and they will tell you their greatest asset is relationships. Compass prides itself on finding the right cultural fit—and that includes both staff hires and partner relationships with clients, subs, and vendors.
Based in Indianapolis, IN
Eighth-fastest growing company in Indiana
181% revenue growth FY 2018 to FY 2020
11 million square feet of construction since 2017
$245 million in revenue in 2020
For several years, Compass has relied on a managed services provider (MSP) to handle responsibilities like overseeing licensing, antivirus tools, and infrastructure. But it had yet to establish a cyber risk management program to protect its data—and that of its customers and vendors.
In 2019, however, Compass’s leadership decided it was time to act. “We realized we had a great relationship with our IT company,” Dugger says, “but we wondered what we could do above and beyond to make sure we were prepared. The same vulnerabilities exist no matter what size the company. Moving into the future, why not be ahead of the cyber security curve as a small business?”
As always, relationships were a chief concern. “We wanted to keep our IT company while finding a partner we trusted and could rely on as an additional security measure,” Dugger explains. Beyond that, the goals were simple: understanding Compass’s risk as a general contractor and mitigating those risks, both for Compass and for the clients the company serves. (Another goal would emerge once Trava came on board: establish an ongoing procedure for continually monitoring and mitigating cyber risk.)
Its IT company would continue to handle day-to-day IT concerns, but Compass hoped to create a team approach uniting the three companies as a cyber crime-fighting team.
Collaboration. Accountability. Results. Enthusiasm. Stewardship. Trava’s cyber risk management approach delivered on all five:
Conducting an initial risk assessment is always the place to start. But an integrated approach to addressing it brings the ongoing assessment and mitigation process to life. Buy-in matters, especially when addressing the result of a risk assessment, which always discovers some vulnerabilities.
Trava built a structure of collaboration with quarterly Security Council meetings and regular risk assessment meetings that involved staff members, the IT provider, and a Trava virtual Chief Internet Security Officer (vCISO) who happened to be one of the world’s foremost experts on cyber security. “It was really helpful as a small company who's never done this process before to have somebody with his level of expertise to break things down to a level of better understanding for us,” Dugger says.
Having IT members on that team made a difference. “Since they manage the lion’s share of our infrastructure, it's important for them to not have secondhand exposure to what we talk about with Trava,” Dugger explains. “It just makes a lot more sense for them to sit alongside us as a partner.”
A blended cyber security team not only promoted collaboration. It also created a level of accountability, with members from across the organization agreeing on and monitoring the success of its prioritized efforts. Trava established a cadence of assessments, and the resulting discussions kept everyone on track.
Knowing which vulnerabilities to prioritize gave Compass a cyber risk management roadmap it could measure itself against and cite when enterprise clients inquired as part of their due diligence. Smaller companies might not know to ask about Compass’s cyber risk profile, but the company had evidence that it was doing all it could to mitigate risks for all.
Receiving a one-off assessment without guidance toward a lower-risk future would do nothing to galvanize a cyber security team. But Trava’s can-do spirit—and its demonstrated success with small- to medium-size clients—kept Compass from dwelling on the “red” areas indicating the most significant vulnerabilities. “Trava helped us break off the pieces that are most important for our particular company and address those first,” Dugger says.
Protecting its own data was a chief motivator for Compass. But the stewardship piece is an indelible part of company culture, so its clients and vendors were always top of mind. “Being good stewards not only of our own resources but also of our clients’ resources, whether they’re an enterprise type client or a small client, is critical,” Dugger explains. (This level of personal commitment is not surprising, coming from a firm that makes a point of doing 11-month walk-throughs for clients so trouble spots are addressed before their one-year warranties expire.)