Summary

Following a rigorous and detailed RFQ process, Nottingham City Council chose Chess as their partner to deliver a programme of penetration testing. Chess was selected on a range of criteria including competitive pricing, technical expertise, experience and supplier fit. Of particular note for the Council’s IT team was Chess’s willingness to engage closely during both the scoping and delivery phases, and their professional and seamless approach. What particularly impressed them was how easy the Chess team was to work with from start to finish.

Background

As a member of the Government’s Public Services Network (PSN), Nottingham City Council is required to subject its network security infrastructure to a thorough annual health check. The person responsible for identifying the supplier to carry out the penetration testing is Mark Smith, Server Support Manager. The council has a policy of regularly rotating suppliers, and all new projects are put out to a tender or RFQ process involving a minimum of three potential providers.

Introduction

As an existing supplier of security solutions to the council, Chess was invited to submit a proposal, along with two other potential penetration testing service providers. A key factor used to evaluate bids is the final price of the solution – in common with all public sector organisations – but others include the supplier’s technical expertise, industry accreditations, track record, supplier fit and general approach to working with the council.

Why Chess Was Selected

Chess won the bid on a combination of factors including its CREST accreditation, consultative approach, flexibility, track record and price competitiveness.

After an exhaustive review of the competitive responses to the RFQ, which involved a second round of bids and a consultative negotiation, Mark Smith selected Chess to carry out an intensive two-week programme of penetration testing.

Mark was impressed with Chess’s approach during the bidding process, in particular with responses to questions concerning the submitted proposal.

Speaking of Chess’s willingness to engage, Mark says:

“We needed to find a way to meet very tight budget constraints. Of the suppliers we spoke to, only Chess demonstrated what we felt was a genuine desire to engage with us to reach a workable solution for both parties.”

The overall quality of response from Chess, the price (which was competitive and 2-3 times less expensive than rival bids) and the professionalism of the team involved all led Mark Smith to conclude that Chess should be entrusted with the penetration testing work.

Project Delivery

Mark Smith is happy to point out that working with Chess has been extremely easy right from the outset.

Throughout the process, he describes the experience with Chess as “highly positive”. From the initial engagement on scoping and pricing to prepping the council team and delivery of the testing, Chess showed a willingness to fit in the testing work around the Nottingham City Council IT team’s existing commitments.

While the technical work was being carried out – both on site at the council offices and remotely – Chess showed complete thoroughness and professionalism in its work.

Around the time that Chess started the penetration test work, two new members of staff had started in the council IT security team. Chess’s security engineer was happy to bring them in on the project and explain the testing process, the types of vulnerability being searched for and procedures for logging discrepancies and mitigating issues.

Mark Smith sums up Chess’s approach:

“The whole pen testing process was seamless. It was like you didn’t know they were there. Beyond the initial briefing and daily updates, they just got on with the job efficiently.”

Summary Outcomes

Once the testing phase was complete, Chess delivered the report quickly.

A team from Chess including a senior director presented the results to senior executives at Nottingham City Council, answered questions and provided interpretation and context for the scores.

Asked whether they would use Chess for cybersecurity services again, the response from Mark Smith is an unqualified “Yes”.

He goes further by saying:

“I’d recommend Chess not just for their expertise in the whole cybersecurity area, but for their personalised and professional approach.

“From day one Chess showed themselves willing to work with us on a number of issues until we reached a solution that suited everyone. Throughout the penetration testing work and follow-up reporting, we had total confidence in their security expertise.”