Case Study by Denis Dumlao, General Manager Information Technology, The Royal Australasian College of Physicians
Background
The Royal Australasian College of Physicians (RACP) connects, trains, and represents over 25,000 medical and trainee specialists from 33 different specialties across Australia and Aotearoa, New Zealand. Like any organisation, the College has departments focussed on different business areas, from policy development to education, finance, human resources and information technology. Each has specific needs for IT infrastructure and data management.
Since being established in the 1930s, the RACP’s services have evolved and expanded. Technologies have been acquired on a ‘business needs’ basis to facilitate growth. Meanwhile, a small in-house IT team has been doing its best to manage increasingly complex infrastructure with patching and the critical issue of data security within a rapidly changing environment.
The Goal
In 2020, senior management recognised that the multitude of platforms being used across departments was reducing the efficiency and effectiveness of the workforce. An audit was needed to acquire a clear picture of the current environment before architecting a roadmap to see legacy technologies retired over time and the entire College moved to the cloud. Additionally, we needed to understand our IT risk profile and then, with a clear understanding of vulnerabilities, bolster our security to ensure compliance with the Privacy Act and the various privacy requirements of stakeholders in Australia and New Zealand.
The Selection Process
We undertook a competitive procurement process, inviting vendors known to the organisation from previous projects, recommendations and personal contacts to submit proposals. A total of four companies were shortlisted and asked to present to a panel of critical managers from across the organisation. The decision came down to two final contenders, and The Missing Link was the successful vendor.
The Missing Link won the competitive process for reasons including:
- They were thorough in responding to our brief and proactive in ascertaining our needs,
- Their comprehensive service offering meant they were able to assist with security as well as procurement,
- They presented a structured framework which gave us confidence in their ability to articulate strategies and requirements to the RACP executive and board,
- They were of a size which assured us we’d receive the benefit of a fast response to requests, along with in-depth knowledge, technical expertise, and personal service,
- Our finite budget or limited resources did not dampen their genuine interest in working for the benefit of our business,
- They were prepared to be flexible in their approach to engagement.
Most importantly, they had a complete vision of how we could go from our current state of maturity to a state that our leadership would be comfortable with. They demonstrated their capacity to provide guidance and expertise to get us there.
The Relationship
We engaged The Missing Link to complete two separate streams of work: An independent and thorough audit of our security through Penetration Testing and the development of an IT infrastructure roadmap.
Having never worked with The Missing Link, and because I was liaising with them from New Zealand, I have to admit that I had reservations about developing our relationship. I did not need to be concerned. The Missing Link has been great to work with. They have been extremely patient while waiting for internal processes that delayed project commencement, understanding board members’ requirements for independent audits, flexible in managing projects according to our budgets, and sensitive to any concerns staff might have had.
Specifically, I was impressed by The Missing Link’s thorough approach to Penetration Testing, which provided a clear picture of what a real-world malicious actor could do if they were to attack our system. Having completed the testing, they clearly articulated our security strengths and weaknesses, and the required remediation.
I was also impressed with how they worked with us to architect an infrastructure roadmap. They took the time to understand the processes and interactions of each department within the organisation and how IT fits into those processes. The final roadmap provides realistic priority steps to achieve our goal of maturity within our resource capacity and budget.
The Difference
While The Missing Link’s findings from Penetration Testing and their recommended infrastructure have not surprised me - they were pretty much as anticipated - what they have done is provide transparency and accuracy on where we are in terms of the good and bad. Additionally, the fact that their recommendations mirror those we’ve been putting to the board gives our team confidence in our work and gives our Board confidence in our expertise.
The Missing Link has been outstanding in guiding vendors and products - I have never felt that they’re trying to sell us something we don’t need; in fact, they’re always content to explore opportunities to work with our existing products and relationships. We have confidence in the vendors they’ve brought to the table and appreciate being introduced to them so we can discuss recommendations at a granular level.
Finally, The Missing Link has been a great help in communicating our recommendations to the executive and board. They recently developed a video that will be presented to the board to clearly articulate the rationale behind the agreed strategy and the priorities. This will make it easier to get the agreement and approval of the budgets we need.
