Global Retailer Gets Clear CRM Risk Picture After Four-Week Threat Model

A new CISO had inherited accountability for a business-critical system with no documentation, unknown integrations, and no way to make a defensible security case to the board.

About the customer

A global retail group with £3B in gross sales runs a centralised CRM that sits at the core of its customer operations. The system manages five million customer records and powers loyalty programmes, gift card processing, and point-of-sale integrations across multiple markets. Third-party developers, internal DevOps teams, and global brand partners all interact with it. The CISO had inherited responsibility for this system without documentation of its dependencies, third-party integrations, or data flows.

The situation

When the CISO took the role, there was no comprehensive record of what connected to the CRM, who maintained it, or which external parties had access. Multiple teams were modifying the system independently. He was accountable for it but had no single source of truth to work from.

Every security investment needed a board-level business case. Without knowing which risks were most significant, prioritising spend was guesswork. Generic compliance frameworks did not map to the specific architecture in place. And the consequence of getting it wrong was not an abstract IT problem. A CRM outage or breach meant gift card failures, loyalty scheme disruption, and customer data exposure across multiple markets.

The CISO had a rough sense of what was at stake. What he did not have was evidence. He needed a clear picture of the risk he knew about, and a way to surface what he did not.

How we worked

We ran the engagement over 20 days with minimal demands on the client team. The full exercise required four workshops totalling around 3.5 hours of the CISO's time. We conducted targeted interviews with team leads and developers to build an accurate picture of system dependencies before any threat analysis began.

Findings were mapped using the RROC framework — Revenue, Reputation, Operations, and Compliance — giving each risk a direct business context. The CISO could see which API integrations posed a revenue risk through point-of-sale dependency, and which compliance gaps were relevant to data sovereignty obligations across different markets. That framing produced outputs he could use in board conversations without translation.

“For the first time, I have a clear view of where our risks actually sit. This isn't just a security report — it's the roadmap I need for the board.”

CISO, Global Retail Group

During architecture mapping, we uncovered two integrated systems that were entirely unknown to the CISO. An active development environment with a CI/CD pipeline and a third-party backup platform had both been connected to the CRM outside the security procurement process. Neither had been reviewed. Identifying them materially changed the risk picture and produced an additional set of controls for each.

The result

The CISO came out of the engagement with a full documented architecture of the CRM and its dependencies — something that had not existed before. The two shadow systems were identified, documented, and incorporated into a prioritised risk register with business-justified controls for each. Every finding was mapped to RROC categories, giving him a ready-made language for the board conversation he needed to have.

The entire engagement took 20 days and required 3.5 hours of his time. He arrived at the end of it with a clear view of his actual risk position, a defensible investment case, and a security programme he could stand behind.

20 days from start to completed risk register

3.5 hours total client time across the full engagement

2 unknown integrated systems discovered and secured


Inherited a system you do not fully understand?

Most conversations start with a 30-minute call. We can usually tell you within that whether threat modelling is the right next step.