Lumen Case Study

Lumen Achieves Strategic Alignment Under One Assessor

In rebranding itself into Lumen Technologies, CenturyLink took new strides towards its purpose of furthering human progress in a technological world that already sees smart, connected devices everywhere.

Achieving Compliance with Limited Internal Resources

Using a combination of adaptive networking, IT agility, and connected security, Lumen supports a platform that provides customers the ability to respond efficiently to their data protection needs through high-performance access, powerful communication, and collaboration services. While providing those services, Lumen also fields a team of just eight personnel supported by four additional matrixed team members. They are solely responsible for all of the company’s compliance audits across the world. Given that Lumen now maintains over 110 data centers globally, it’s understandably a substantial load for such a small team that monitors all of the company’s myriad certifications by country as well.

Having worked together for eight years, the team members benefit from that familiarity with one another, especially since there have been no new additions to the team thus far, despite organizational evolution and personnel moving on. Regardless of the decline in manpower and resources, the Lumen compliance team proves that it is still possible to deliver, and deliver well. They continue to do their part to help secure and maintain the company’s sterling reputation globally.

But it’s not without struggle. “It’s hard,” says Terry Holman, Manager of Information Security Compliance at Lumen. “As people have left the business or, for whatever reason, left the company, we are still waiting to backfill those resources. So there is not a lot of space for our people to take a breath.” Still, the team is passionate and loves what they do—that helps ensure that they take care of all critical compliance items and that no team member takes on too much. Lumen’s personnel also benefit from certain, specific measures taken by management to alleviate extra stress.

The Benefits of Leverage

To allocate enough people for audit purposes throughout the calendar year, similar programs are matched and then assigned. “If we’re doing a SOC 2 for a product, and there’s a PCI—those will go together to one resource since they leverage each other. If there’s an output of a HIPAA to that environment as well, we try to put all that under one person and get them done at the same time,” explains Holman. “And they get it done.”

Furthermore, Lumen steers away from unnecessary internal change so the process stays familiar and cyclical. With no surprises, program managers understand what’s coming at them and how to handle it. The team also doesn’t have to worry about completing work for additional business units, instead remaining strategically focused on compliance.

Cross-Training as a Priority

But perhaps most importantly, Lumen has invested in cross-training all of its compliance team across multiple assessments. Everyone is required to hold at least one certification and is rotated annually—one year, an assignment might be to a SOC assessment, the next to PCI. Holman acknowledges that some of her people may sometimes be put into uncomfortable positions and be more challenged, but the well-roundedness across the board is something that, as a third-party assessor coming in to collaborate, Schellman appreciates.

“Lumen has done a lot with a relatively small team of experienced, cross-trained people,” says Lauren Edmonds, Managing Director at Schellman. “The cross-training they’ve taken pains to complete has allowed for backup team members to exist between audit programs. If projects shift due to customer demand or other initiatives, the Lumen team can reallocate and reassign resources.”

When working together over the years, Schellman has also done their part to help the Lumen team deal with sudden change. Chiefly, the auditors have aligned the schedule so that they can leverage information across audits as best as possible. It’s one of the reasons why the professional relationship between the two companies has solidified and thrived—to such a point where even a pandemic could not throw off the synergy.

Taking it Further and Trusting One Assessor

From a business perspective, the idea to consolidate audit activities under one assessor makes a lot of sense—for Lumen, the decision to do so actually came in 2019, and it benefited more than just the compliance team.

Like every organization trying to fit compliance into their budget and other limited resources, Lumen realized that various security assurances weren’t the only thing they stood to gain from this new direction. Now, they had the opportunity to drive audit efficiencies and even savings while also reducing their administrative burden.

Other than helping out the internal compliance team, folding all compliance activities under one umbrella minimizes contract actions, which was a primary goal of Lumen’s. They knew that different vendors would mean different legal teams, which would roll into separate costs and time spent.

Using just one assessor changed all that.

After the consolidation was complete, Lumen also found that it saved even more operational time regarding purchase orders. Rather than multiple invoices, going with just one third party meant there was only a single large invoice a month to process, saving administrative time.

Despite all the noted benefits, placing one assessor in charge of so much did not come without some administrative apprehension. Regardless of the strong relationship with Schellman, Lumen went into the process with an open mind to all assessors and made sure that their RFP drilled down to the minute details. Schellman’s team noticed.

“It was clear that this wasn’t an afterthought, it was very meticulous,” notes Edmonds. “Lumen was straightforward and made it obvious—‘here’s the scope, here’s what we need from a vendor.’ A lot of the time, we don’t get sufficient scoping information and we have to send follow-ups. But Lumen put their cards on the table, letting us more easily calculate the level of effort in putting together a proposal."

Why Schellman?

In the end, Schellman won out, even though other firms boasted very advanced, very robust products and tools. As compliance manager, Terry Holman was an engaged stakeholder throughout the procurement process, and for her, several things put Schellman over the top. “It came down to Schellman’s leadership. It came down to the trust factor between our teams. I really feel a bond with them,” explains Holman. “It also came down to how much Schellman can continually offer—they’re in every market that we sell in, they’re in every discipline that we need. Whether it’s North America or globally, I can always pull Schellman out of my hat and ask, ‘can you help us here?’”

It's that breadth of coverage and the additional willingness to take on more that helped make Schellman the clear choice for everyone at Lumen. Throughout the relationship, there had been a point when Lumen needed an assessor with UKAS accreditation. Schellman didn’t have it, but they actually went out and acquired it just to be able to meet Lumen’s needs—an impressive outlier of effort within the industry, and something Lumen would remember when it came time to choose their sole provider.

“We’re a specialized security and privacy audit firm that’s continuing to grow our presence within the industry. But from the start, one of our tenets was that we would not be a one-size-fits-all kind of firm. Good isn’t good enough is still our mantra, and we try and tailor our approach to every client as much as we can,” says Edmonds. Along with the established foundation between the two organizations, Schellman’s readiness to help in any way would prove very helpful when it came to their newly expanded relationship.

“Working with multiple audit firms is like being in a swivel chair, constantly moving left and right—there’s a lot of extra diligence in that,” remarks Holman. “Managing different approaches takes a lot of effort, and for someone with constrained resources, strategically aligning internally helps a lot with that. But when you align under a single assessor, it takes the streamline to another level.”

It also helps when the single assessor is someone you already know and trust—from the beginning, the familiarity between the Schellman and Lumen teams, coupled with their shared and thorough knowledge base of the necessary systems, meant there was no further transfer of know-how needed and personnel could get right to work.

Finding New Efficiencies Together

With everything consolidated, Schellman took charge of 30 programs at Lumen across SOC, PCI, and HIPAA being evaluated at the same time. Given the breadth of services, the firm was eager to help restructure the process with Lumen so that samples could be leveraged across assessments as much as possible.

“We kicked off by looking at all of their enterprise-wide controls—things like their global policies, their onboarding procedures—things that had been previously tested by us multiple times a year, just to keep things fresh, and by the previous other vendors doing their separate assessments. Now that we are managing it all, we can use central dissemination of information and central collection in our testing,” says Edmonds. 

For each audit, Schellman doesn’t test a full sample every single time—rather, things are split out quarterly to keep documentation up-to-date, and samples are leveraged across all of the different programs the firm now manages. All of this requires constant and precise coordination so that both samples and personnel’s time are utilized as efficiently as possible, and so every year, both teams kick off their scheduling by asking where the commonalities are. If the same product offering is being audited across three or four different programs, the teams work out how best to use the sample. 

Communication is Key

Throughout the engagement, the communication is constant between those involved with weekly calls to provide a pulse into the working process, allowing adjustments to be made whenever necessary. With the workflow between the teams well established already, the further pivot to fully remote audits proved equally smooth.

In years past, Lumen’s global presence with a distributed workforce and large numbers of data centers meant there had usually been a remote opportunity to be found even before COVID-19 spread across the world. Moreover, conversations between Schellman personnel, the Lumen compliance team, and Lumen control owners were almost always over Zoom regardless. So in reality, there was already an element of remote work in place for every audit—expanding that was no big deal.

“Remote audits are just as comfortable for us, if not more comfortable for us internally,” says Holman, who credits Schellman for their proficiency in executing audits remotely as well. “Working remotely with Schellman, it just clicked. It always just works. Doing it this way doesn’t deliver anything differently because we’re still working together live. Even if the connection went out at one point during a virtual tour, we never really lost a step.”

Positive Results Speak for Themselves

It helps that, in anticipation of any difficult service issues, the Schellman team puts together runbooks to assist Lumen’s internal team in preparing those sites so that even if the live feed is lost, the necessary evidence can still be collected. “Ahead of time, we would say, ‘these are the things we need you to capture for us, we need demonstrations of these items when you’re in those areas.’ That way, Lumen knew the things we needed to cover and we were still able to proceed with the audit fully, even if it was more challenging from a service perspective," explains Edmonds.

Both sides agree that, if anything, remote work saved money and even more time for everyone. Without the need to set aside time for travel, personnel could get started earlier on the job at hand, and with the contingencies and methods in place, no one felt a dip in efficiency.

Having now completed a full year of assessments under one assessor, Lumen confirms it was the right choice for them, as was their choice of Schellman as their preferred auditor. The impact of dealing with just one firm was felt immediately on the administrative side—there was only one contract to review for the legal team. That it was for a three-year engagement also meant that the procurement office would not have to go back to market for an extended period.

Aside from operational time saved, the real impact was made once the audits themselves were underway. Lumen project managers felt an ease in their workload in only having to coordinate with Schellman’s team, rather than with several other firms as well. Moreover, Schellman actually elevated the strategic alignment for resources already in place for Lumen by sharing information—not just across programs, but across different review periods as well.

“If there’s an audit that starts in January, and then another kicks off in September, and they both require an annual policy-based control, we already have the current policy from the work in January. We don’t have to go back over and over, asking for the same thing,” remarks Edmonds. “Hopefully, we’re not just reducing the time spent for Lumen’s compliance team, because ultimately, we want to help the business as well.”

All that effort being saved in coordination has yielded a more motivated team overall. “My employees are happy,” declares Holman. “Happy employees make great workers, and that matters. They feel good now about what’s going on.” 

A New Level of Compliance

Working more extensively with Schellman in particular has also meant not only more efficient examinations but more thorough ones as well. “Obviously, being able to strategically focus on one auditor is beneficial. But Schellman’s intelligence regarding the architecture, the critical products and services for our revenue sets them apart. Because my project managers and I don’t have to spend the ramp-up time getting them up to speed, it allows us to be more comprehensive within the actual audit,” says Holman.

That’s important since those within the company can recall a different experience with a different auditor—one described as having “gotten complacent.” Always yielding clean compliance reports is the desired result for any organization, but it can also mean that assessments are not digging deep enough. In that regard, Lumen appreciates that Schellman mixes up the due diligence by taking steps like asking for evidence in a different way. 

Such a thorough methodology that takes the time to explore more angles is crucial when evaluating programs over time, especially if it’s the same personnel managing a program as infrastructure changes and updates are being made. “You have to fluff the laundry, if you will, to maybe discover some things you didn’t notice before. You can’t just fold it and put it away every time because things might get lost. Similarly, you have to approach things from a different audit perspective annually so that things don’t become ‘just a checkbox,’” explains Holman. “I do appreciate the extra effort that Schellman puts in to keep us on our toes.”

An Experimental Success

All in all, the endeavor has proven a success in every way for both organizations. “It was a huge value-add. There’s the saying you hear, ‘work smarter, not harder,’ and I believe this may be the smartest thing we’ve done,” declares Holman. Shifting to an "umbrella program" under one auditor was a big win for Lumen in terms of both financial and resource efficiencies as well as stronger compliance results. But it was even more so because they entrusted Schellman to handle their new normal.

“At the end of the day, there was so much overwhelming justification in the choice of Schellman. They are homegrown and stick to their values. They could help us, not only in revenue but with their knowledge across the business. There was immense trust there that our established partnership would translate well on this and we all benefit,” Holman goes on to say. “The challenge was realized and we all stepped up to it.”