Chapter 8. Case Studies
There is a growing community of security practitioners and organizations who are both advocating SCE and developing experiments through open source and other community initiatives. This chapter shares a handful of case studies from organizations that have successfully implemented SCE as a practice within their security programs.
Case Study: Applied Security—Cardinal Health
The need for SCE grew organically at Cardinal Health, a global Fortune 20 health-care products and services company based in Dublin, Ohio. With revenue of over $140 billion, Cardinal plays a critical role in the health-care ecosystem.
At the executive level, securing the company’s distribution centers, operations, products, and information was critical—not just for the company’s reputation but for the stability of the United States health-care system. In addition to investing in teams to advise on and implement security controls, executives authorized purchases of security products and tools to protect the business, totaling millions of dollars. With such large investments, they logically held high expectations for the effectiveness of those investments.
The SCE journey at Cardinal Health arose not only from the executive needs for security validation but from the Security Architecture team as well. That team, led by Robert Duhart, knew that theoretical security architecture would not protect an organization sprinting to the ...