Case Study Praga Siva - Head of Engineering, Student Edge
The Background
Student Edge is a member-based organisation for high school, TAFE, VET and university students. We started as a group of students in Western Australia in 2003 and quickly went national. In 2016, we entered the international market as well, and we now have a membership base of over 1.2 million students from Australia and overseas.
As a student-centered organisation, it’s our job to help members by delivering on three pillars:
- Save – we arrange deals with retail, online stores etc. that provide students with savings;
- Earn – we invite students to enter competitions and participate in surveys. The students win products and earn payments in the form of our own currency that can be redeemed for gift cards or spent via PayPal; and
- Learn – we source and upload articles on a variety of life-skills, pop culture, and study-related topics, as well as tools that help them calculate grades, prepare resumes and upskill to be job-ready.
In this capacity, we’re collecting and storing an enormous variety of data every day - from students’ courses of study, through to data on racial and demographic backgrounds that we use to develop support programs. We also have data on file related to our third-party partners, which we access regularly and share data when fulfilling survey and competition prizes and payments.
While all personal data is considered highly confidential, we are acutely aware of the need to provide extra protection for our many students under 18 years of age.
The Goal
In 2020, we decided to undertake a Security Control Review. The ultimate goal of this review was to ensure that the data we hold on each of our 1.2 million members is safe and secure. We wanted to ensure our security level aligned with industry best practice and that there are no loopholes in our system. We also needed to be able to assure our clients, members and the board that they can be confident in the level of protection we offer members.
The Selection Process
The Missing Link was recommended to our current executive chairman by professional colleagues, and so they were short-listed as potential vendors, along with a few other companies.
I consider myself to be tech-savvy; however, I don’t have adequate knowledge about security. As soon as we met, Jeremy and Pete from The Missing Link, they were happy to explain everything we needed to know without using jargon. Of all the companies that presented, they were the most comprehensive when explaining the process, the pillars they would address, and the recommended security model.
Although they’re a relatively small company compared to other vendors, they didn’t come across as such. They clearly demonstrated that they know what they’re doing and they shared previous projects which convinced me of their capability. I could see that security was an area in which they excelled.
The Relationship
The project went smoothly from beginning to end with the team giving me a clear brief on the information required in our planning meetings. They presented a work scope, went through it in detail, answered my questions, and they weren’t phased when I requested a few minor changes. Unfortunately, we had a few delays at our end, but they were happy to wait and flexible to meet our needs. Once we started, the project went on time, and we were presented with a comprehensive report at its conclusion.
One of the things that really impressed me about the final report was that it was cognisant of our resources and budgetary constraints. Rather than giving me a ‘panic list’ of immediate remediation issues and a big budget attached, they provided a two-year plan to upgrade our security, which was split into phase one and two priorities. We discussed next steps, and as a result, we’re now calmly working through each of the items on the report.
Upon completing the project and just before the Christmas break, we received a final invoice from The Missing Link. By that time our accountant had gone on leave, so I called to let them know there would be a delay in payment. As with every delay, they took this in their stride and were happy to wait.
The Difference
From Student Edge’s perspective, having completed a comprehensive security review, we now know where we stand and that we’re aligned with the industry. When it comes to negotiating deals with clients, we have all the information to answer their security-related inquiries. We now have a board that has a better understanding of the importance of cyber security and is confident that we’re doing everything possible to protect our members.
Personally, our partnership with The Missing Link gives me peace of mind. I’ve now got a lot of items to work through, and I feel comfortable knowing that I can call them at any time to ask a question. As expected, The Missing Link has been a great organisation to work with and their people are professional yet good fun, and most importantly, they get the job done.
I know I’ll work with them again - in fact, I’m already meeting with them to plan the next job.