Knowing where you stand: How Xpo Group Mapped and Addressed Its Security Risks

Technical security sorted? Check. But who is responsible for what? Which risks are flying under the radar? What happens when an external supplier makes a mistake? These were the questions Xpo Group wanted clear, formally documented answers to. Cingulum helped them find those answers and laid the groundwork for an approach that goes well beyond tools and systems.

1.  The Situation

Xpo Group is a mid-sized organisation of around 140 employees, active in the events sector. They organise trade fairs and exhibitions, both at their own venue in Kortrijk and internationally. Their IT environment is distinctly complex: during an event, every system must perform without fail. Before and after, the pressure eases considerably. That shifting dynamic makes the environment more intricate than it first appears.

The internal IT team is small. For day-to-day IT management, Xpo Group works with a managed service provider, and for new systems they increasingly rely on external suppliers or custom-built solutions, both within and outside their own cloud. That dependency is growing, and the organisation wanted to address it deliberately.

For that reason, they follow a consistent practice: every two to three years, they commission a full review of their environment, alternating between technical assessments and policy and process reviews. Three years prior, they tested their technical resilience through a penetration test. Now it was time to look at the other side of the picture.

For this engagement, Xpo Group made use of the VLAIO Cybersecurity Improvement Programme, a Flemish Government subsidy through which SMEs can receive up to 50% funding for cybersecurity projects. They opted for the MEDIUM package: a thorough analysis of the full security environment, followed by targeted advisory and implementation days tailored to their needs.

2.  The Challenges

Initial conversations confirmed that technical security on critical systems was in good shape. Xpo Group was already aware that there was room to grow on the policy and process side, and that awareness was precisely what led them to engage Cingulum.

The main areas for improvement fell into three categories: internal structure, collaboration with external parties, and employee awareness. Who is accountable for what? How are agreements with suppliers recorded and monitored? And how do you ensure that security does not rest solely on the IT department’s shoulders?

Particular attention was given to the ongoing cloud migration. New systems were being built by external parties, each with their own approach. Xpo Group wanted a clear framework around this, so they could properly oversee and steer that process going forward.

3.  Our Approach

Cingulum conducted a Security Maturity Assessment based on the ISO 27001 standard, followed by a comprehensive gap analysis. Over seven to eight sessions, all relevant stakeholders were brought to the table: the CEO, the managed service provider, the internal IT lead, the facility manager, the ERP administrator, and HR. The fact that all parties, including external ones, engaged constructively from the outset made a real difference. That broad perspective produced a complete and honest picture.

All sessions took place on-site at Xpo Group. The approach was tailored to their specific context, with particular focus on the cloud strategy and collaboration with external parties. It quickly became clear that several technical domains were in strong shape, including network segmentation, Active Directory configuration, and backup procedures. A site visit further confirmed a well-developed physical security setup.

Findings were shared in concrete terms throughout the process, as a basis for targeted action. Management was not surprised by the outcomes, but was satisfied with the level of detail and depth.

4.  What Was Delivered

At the conclusion of the assessment, Xpo Group received more than a score for each section of the ISO standard. They received a complete action plan with concrete steps ordered by priority, deliberately aligned with their context:

  • A security policy establishing the minimum baseline, including the risk management process and principles for continuous improvement
  • An application inventory with all relevant fields completed: application owner, hosting location, internal and external responsibilities
  • An evaluation framework for future cloud developments
  • A supplier risk management framework, including an inventory and model security agreements

Every finding was linked to a concrete measure: what to address now, and how to prevent it from recurring.

5.  The Result

Xpo Group now has a clear risk register with priorities, a security policy, and a well-defined starting point for managing risks. The foundation has been created, which was precisely the purpose of this engagement.

The smooth progress of this project is also a credit to Xpo Group itself. From the outset, management made clear they wanted to know where they stood, and that commitment carried through to the rest of the organisation. Everyone participated openly and constructively, which made a thorough approach possible.

The process also surfaced a number of quick wins: things picked up on the spot because the right people were in the room. That broad stakeholder involvement made the difference.

“We take security seriously. Thanks to Cingulum, we knew exactly where we stood and received a clear plan that helped us take the right steps.” — Vincent Windels, IT & Digital Innovation Manager, Xpo Group

Want to know where your organisation stands? Get in touch with Cingulum for a no-obligation conversation. www.cingulum.eu
