Showing posts with label Bitdefender. Show all posts
Showing posts with label Bitdefender. Show all posts

Thursday, January 18, 2024

How IT Security Teams Do More With Less When Economies Rapidly Change

Transcript of a discussion on how a large, distributed workforce can be best supported by IT -- even as conditions change and budget requirements lead to consolidation.

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.

Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.



Today’s BriefingsDirect IT security best practices discussion examines how a leading German home builder has adjusted to a major economic market disruption. While not long ago surging, Germany’s home building demand has recently reversed, putting pressure on builders to reduce IT costs while remaining secure.


Stay with us now as we learn how a large, distributed workforce can be best supported by IT even as conditions change, and budget requirements lead to consolidation.


Here to share his story of how an efficient security team rapidly shifts from managing surging growth to optimizing around necessary contraction is our guest, Johannes Hammen, Information Security Officer at DFH Gruppe in Simmern, Rheinland-Pfalz, Germany. Welcome Johannes.


Johannes Hammen: Hello, thanks for having me here.


Gardner: DFH Gruppe is a major maker of prefab homes. How has the market contraction in the real estate construction business there changed your business?

Hammen: DFH Gruppe is the largest maker of prefab houses in Germany. In 2021, we created more than 3,200 houses. We have more than 1,300 employees in Germany and the Czech Republic who help us build houses.

We had quite a high level of throughput. But as you may have learned from the news, there were changes in the past months that triggered changes inside our company. From our customers’ perspective, to get a mortgage for a house, there’s an increase in the requirements, such as higher equity, higher interest rates, and fewer subsidies by the state. On the other hand, material costs were rising, and the politics were shifting toward multi-family housing.

So, this changed a lot for us. We had to react. We had many years of with very high growth, up to a rate of 3,200 houses per year. But we needed to consolidate and adapt to the new situation. Of course, this also affects IT and security spending.


Gardner: How has your business and IT adjusted to the need for doing more with less?


Take advantage of downturns to adjust


Hammen: During a period of very high growth, there were other priorities than security and structuring processes in such a way that they are very efficient and very stable. You have to keep pace with the throughput in the company and you have to implement systems and fix issues so that new houses can be constructed.


Now, we have an opportunity to do consolidation, to breathe again, and take a step back. We can look at our processes, increase the efficiency, and implement new tools, which we did not have time to do before.


Gardner: Many times, in the past when we’ve had disruptions either from growth or rapid changes or interaction, we try to work smart and use some technology to its best advantage.


How have you been able to do that, given you have a large, distributed workforce in the field. You work with many partners, and you have a large supply chain?


Hammen: As you said, we have quite a distributed workforce. We are focused on the German market, but that doesn’t mean that we are doing everything in-house. You can imagine that to design and construct a house is quite a large process that needs to involve a lot of experts.


For example, we have more than 650 sales contractors spread across Germany, who are working independently. They guide our customers in the process of buying and building a home.

We need to coordinate and manage all of these contract partners across the whole process. Every external partner has different rules, policies, mindsets, and backgrounds. It's really hard to keep everyone on the same page.

We also have many different types of skilled handymen who construct houses. We have more than 260 partners of all sizes, from small companies, with two or three handymen and someone in the back office, to very large companies with 500 to 1,000 employees who support us on different steps in the house-building process -- such as heating, electricity, and so on.


We need to coordinate and manage all of these contract partners across the whole process. Every external partner has different rules, different policies, a different mindset, and a different background. So, it’s really hard to keep everyone on the same page, especially with respect to security.


Gardner: It sounds as though there’s a great diversity, particularly among the types of IT, as well as the workforce style and culture. That means that you’re the hub on a multi-spoked wheel. How can you impose security without alienating or slowing people down? That must be a difficult balance.


Hammen: It is. We try to consider everyone’s needs and requirements in the whole process. Also, we see it more as an opportunity for everyone, not as a slow-down mechanism as some people view it.


Security is a door opener for so much process optimization and so many innovative ideas. If, for example, you try to implement security in part of a process, you have the chance to remodel the process to be more efficient in general -- or to create a new business model out of it.


This is the story that we want to tell everyone. We try to not spend too much time on the complicated things, and to hide those things from our users and our partners. We want to build a platform, a solution that everyone can use.

Why should a sales expert, for example, have to think about IT security topics? We in IT just implement a solution and provide it as a service to our internal customers and to our employees. It’s a good tradeoff between having a high level of security and also not slowing down the business.


Gardner: You are re-engineering processes by taking advantage of technology. What was it about the technology you were using before that made it difficult to achieve your goals?


Hammen: Everyone knows that there have been lot of huge technology advancements in the past months and years regarding artificial intelligence (AI) and all that. But even before that, our focus during our high-growth phase was not on security; not on getting the latest, most innovative technology. We had just enough security and IT infrastructure that was working fine and was fulfilling the needs of the business.


But in the last one to two years, we looked to the IT and security vendors for new concepts. There were a lot of transformations, especially with respect to security, such as getting to zero trust, for example. This is quite a new concept and we needed to rethink a lot of our past decisions.


Gardner: Part of the ability to control security means getting more data about systems, which you can also use to then be more productive. Is your IT organization using security improvements as an accelerator to better productivity overall?


Collecting security data is good business


Hammen: We are currently working on this and on getting transparency for this larger aspect of security. What we have achieved already is that security is a good vehicle to transport the key performance indicator (KPI) approach into other departments and areas of the company.


In security, and also in IT, we try to measure everything. We try to measure up-time, we try to measure incidents, and so on. You can transform or adapt these concepts to more business-related processes.


I think this is a huge advantage that we are currently trying to transport and market to our colleagues. We have seen this in software development, but in IT in general, some concepts such as how to do projects, how to achieve high quality in very complex environments -- these are very good concepts in IT that we can adapt to business.


Gardner: Yes. The productivity isn’t just about technology and IT productivity, but overall business productivity, which is so important when you’re trying to do more with less.


By being more data-driven and KPI-oriented, by measuring, testing, and verifying the results, what do you need to put in place to do that? How do you get the information and also protect it?


Hammen: It’s very important. We are implementing an information security management system (ISMS). The main concept of this system is that everything should be risk-oriented. And to measure for risk accurately, you need the data.


You need the performance indicators so that you can determine whether one risk is higher than another, or to know the trends and direction of risks. Let’s say 1,000 incidents happened, but in the other one, only 20 have happened. This is why we need the data.

We have used a lot of tools that were doing the job, but they came from an earlier age of IT. The KPI-driven approach had not yet been implemented. It was hard to get the data.

We have used a lot of tools that were doing the job quite well, but they came from an earlier age of IT. This performance indicator or KPI-driven approach had not been implemented. So, it was very hard to get any data out of it in an aggregated way.


Currently, for all new solutions and concepts that we are implementing, we are also considering what data can we get out of it and how can we use this data to drive further decisions.


Gardner: To make those prioritizations, you also need to become more predictive and be able to get out in front of these trends.


Have you been able to, in a sense, reduce the amount of time that it takes to react so that you’re not doing a backward-looking analysis, but doing forward-looking implementation of fixes and improvements?


Hammen: Yes. It is part of ISMS to also consolidate and streamline these processes. For example, in the past we were spending a lot of time on day-to-day activities, such as rolling out an endpoint security solution or rolling out an update of an endpoint security solution to a client.


This was using up a lot of our time in IT. After streamlining all of these very basic tasks, it shouldn’t require an investment of more than a few minutes, in my opinion. Streamlining all of these tasks creates a lot of new time in the budget that we can implement in looking for new solutions, looking for optimizations for already-existing products, looking for integrations between products that we already have, and between processes that we already have. Currently, this is our main focus.


Gardner: When you have a limited budget for new hiring -- and skills are hard to come by in the best of times -- you want to look to the technology to take the repetitive tasks away from the people so that they can focus more on the analytics, on the innovation, on the business-level productivity.


Do you see in the use of security technology now that capability to offload some tasks and free up human capital to do what it does best?


Hammen: Yes. Based on AI, there are a lot of tasks that we can shift toward automation or to automate in some way.  Another example is if you take an average endpoint security solution from today, every solution has a cloud sandbox or something like it, with automatic execution and analysis of a suspicious file.


In the past, one expert from our company or from a contractor had to invest the time to analyze this suspicious file to be sure that it is not harmful. Now it’s just happening in the background. At some time you get the feedback on how it’s malicious or not and that’s all.

But you save a lot of time and money by automating this stuff now and even more in the future. There are a lot of other topics, such as network detection response and so on, which is just building. It’s only the start of what we can do with security automation. Also, it’s not only that we do not have the personnel anymore, but also, we want to have high quality results at the end.


Gardner: Going back to the fact that you have a large, distributed workforce, they’re out at these sites putting these homes together. They’re organizing with many contractors from many different destinations. If you can make their jobs easier, they’re of course going to be happy to work with you and adopt your approaches. Security can be seen not as, “Oh, we have to go through these arduous tasks in order to be secure,” but that in fact you’re helping them.


Do you find that the user buy-in is shifting? Are you getting a sense that when you do this well, when security becomes an accelerator to productivity, and that you get people’s cooperation and even eagerness to adopt your tools and processes?


Security is much more than passwords


Hammen: Yes. We have one advantage now that we didn’t have, maybe three or five years ago, because a lot of people are used to some security measures, such as multifactor authentication. Everyone knows this from their personal accounts at online shops, at different vendors and so on.


So, there is some base work that has already been done in the consumer market. I think a lot of companies were affected by cyber attacks that caused business disruptions. A lot of people were also feeling the result of not investing in security, not collaborating with security.

A lot of companies were affected by cyber attacks that caused business disruptions. A lot of people were feeling the result of not investing in security, of not collaborating with security. 

That’s a good starting point. Also, we have to get this distributed workforce, with very different levels of understanding and backgrounds regarding IT and security, invested in this topic and also have them participate. But on the other hand, my colleagues and I also have to make sure that we take their opinions and their special needs into consideration in all of our decisions.


We cannot consider every requirement, of course. Some people just want to make it easy, easy, so no password, nothing. We still have to try to consider that different people use different mechanics or have different working habits.


Gardner: We’ve been putting this just through the lens of security, but there’s also requirements for compliance, privacy, documentation, auditing, etc. General Data Protection Regulation (GDPR), of course, comes to mind.


We all have to do things that we might think are difficult or put more of a burden on people. Have you able to bring this sense of productivity, automation, and intelligence to your requirements around compliance as well?


Hammen: On the one hand, it’s easier to show others that you are being compliant if you get all the metrics out of the software. If you have transparency in the technical and business processes, then you can easily show everyone who is interested.


We can show what we are doing. With respect to this documentation, every worker understands what we are doing and whether it’s compliant or not. I think in the past, it was more like a black box. So, I think this is a very good thing in the end.


Gardner: It sounds like there’s a multiplier effect. If you do the due diligence for security, then you get the means to adhere to the compliance requirements, which then leads you to be able to further automate and take the load off of the humans, which then leads back to more technology.


Is there an adoption virtuous cycle? Is that something you’re already seeing?


Hammen: Yes, and this is also what we try to enforce. If this positive cycle is started, it’s easy to keep it alive and keep it running. This is what we try to achieve.


Gardner: In order to get that cycle ramped up, you want to have proof points and metrics. So, are there any ways that you measure how you’re improving security and therefore also improving business productivity that will cut costs and improve and optimize the business results? Any measurements or examples that you can provide how this is helping your organization?


The proof is in the productivity


Hammen: We do not have absolute numbers that we can share. But there are a lot of what I call soft metrics, gathered from different conversations with colleagues.


For example, we are doing the total risk management process being part of an ISMS and, in this whole process, there are a lot of results coming out that at least have the possibility to help the business to run more efficiently, the chance to do more with less.


Currently, we are trying to measure it and also build up a KPI framework for measuring all of these things. But it’s very, very complex, especially when you have a distributed company and workforce.


Gardner: Are there any what we would call low-lying fruit indicators, perhaps a number of calls to your help desk, trouble tickets, less time on security administration, anything like that that you can point to and say, “Aha, we are getting payback on our investments, and we are achieving higher productivity while remaining secure”?


Hammen: Yes, there’s two KPIs I can share. One is our endpoint security solution that we switched to at the beginning of last year. With the new solution, we estimated that about 40 percent less time was spent on the security administration tasks such as this roll out, the patch management of this solution and so on.

Two, there’s been around 90 percent fewer security-related trouble inquiries since we have implemented this solution, because now we have one dashboard. It’s very easy for us to react to false positives if there are any and drag them down and do the follow-up steps to clean them up and not trigger them again in the future.


Gardner: Johannes, how in the future do you expect to be able to further this analysis, this positive feedback improvement cycle?


Do you think that having more analytics in the cloud, and using outside suppliers as a security operations center (SOC), is in the works? What do you foresee in the next three to five years regarding how security can continue to be an accelerant to productivity?


Hammen: One thing that we need to consider is it’s still quite hard to get skilled IT and security personnel.


If you are a security expert, you probably want to work for the very large companies with large SOCs, and maybe not for a construction company. There is very high level of competition in the job market.


In the next years, in order to achieve a higher-level of security while also maintaining this current level of security, we need to focus on what we can do with the workforce that we have, with our partner network, and with our internal colleagues. We need to get the best out of what we can do from the inside and also from well-thought-through outsourcing.

Using a managed detection and response (MDR) service or a managed SOC ... This is something a lot of companies still need to adapt to. ... You need to open up to these new concepts.  

As you mentioned, for example, using a managed detection and response (MDR) service or a managed SOC. So, everything that you can’t do perfectly in-house because you don’t have the resources, or the workforce, you can outsource, but control it well and have good visibility into it.


This is something a lot of companies still need to adapt to. Yet some of the companies we work with have been very, let’s say, on-premises and very protective. But they have to open up.


A lot of vendors are driving toward cloud and cloud-only, of course. As a company, you need to open up to these new concepts, for new collaboration between your internal workforce or internal experts, and also to the external experts for specific topics, such as the SOC.


Gardner: That changes the nature of your supplier from vendor to services partner, right?


Hammen: Correct, long-term partner.


Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how a leading German homebuilder has adjusted to a major economic market disruption.


And we’ve learned how an efficient IT security team can rapidly shift for managing surging growth to optimizing around necessary contraction, but at higher productivity.


So, please join me now in thanking our guest, Johannes Hammen, Information Security Officer at DFH Gruppe in Simmern, Rheinland-Pfalz, Germany. Thank you so much.


Hammen: Thank you.


Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions. Your host and moderator for this ongoing series of BriefingsDirect discussions. A big thank you to our sponsor, Bitdefender, for supporting these presentations.


And a big thank you as well to our audience for joining. Pass this on to your IT and security communities, and do come back next time.


Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Transcript of a discussion on how a large, distributed workforce can be best supported by IT -- even as conditions change, and budget requirements lead to consolidation. Copyright Interarbor Solutions, LLC, 2005-2024. All rights reserved.


You may also be interested in:

Thursday, September 28, 2023

How Dashboard Analytics Bolster Security and Risk Management Insights Across IT Supply Chains

Transcript of a discussion on how Bruce Auto Group gains deep insights into their systems, apps, and data to manage and reduce risks across their entire IT and services supply chain.

Listen to the podcast. Find it on iTunesRead a full transcript or Download a copy. Sponsor: Bitdefender.


Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.



This security enhancement discussion examines how innovative managers are increasingly benefiting from interactive dashboard analytics. The resulting actionable knowledge elevates security situation awareness to the higher order value of overall business risk assessment and mitigation.


Stay with us to learn how Bruce Auto Group has gained such deep insights -- not only into how its distributed apps, systems, and data are secured, but also into the hidden risks that can develop across entire IT and data services supply chains.


Here to share his story on how to elevate IT security to a mission-critical value of comprehensive risk mitigation and overall business resiliency is our guest, Paul Jobson, Director of Marketing and IT Strategy at Bruce Auto Group in Wolfville, Nova Scotia, Canada. Welcome, Paul.


Paul Jobson: Good morning, Dana. It’s very nice to be here.


Gardner: We’re delighted to have you with us. Tell us about Bruce Auto Group and your role there.


Jobson: Like many auto dealerships, Bruce Auto Group started off as a family-owned business. I bring that up because when it’s a dealership of one store, IT security tends to be an afterthought. But if we roll back the tapes to 15 years ago, we were lucky to have had someone related to the family who took an interest in the IT and secured us before it was in vogue. It was probably overkill at that time.


Like most automotive retailers, everyone has been going through consolidation. We began from humble roots in 1927. Until the last decade or so, we were one or two stores. Now, we’ve expanded to 10 dealerships, spread across close to 200 miles, with head office consolidation, and, of course, a lot of remote workers. So, the IT security part has really gained prominence in the past couple of years.


Gardner: Like most expanding organizations, it’s not only what goes on inside your business, you need to also keep track of the many tendrils that extend out to your service providers. That includes online interactions, as well as emails and communications. We’re all now part of a complex, rich ecosystem, and risks sometimes pop up between the cracks among these organizations.


Security as diverse as each buyer


Jobson: Yes, and car dealerships are unique in the sense that although our businesses may appear similar, each of the original equipment manufacturers (OEMs) – such as HyundaiFordGM -- they all have their own niches. They all have their own way of doing business. Of course, our integrations with them are critical to the way we do business.


As a result, we don’t get to scale as easily as some other businesses do. It’s as if with each IT solution, we start with customization and then find a way to make it more standardized across  the group.


Gardner: And, of course, the car business is really the transportation services business. So, the way you communicate and gather financial data from your customers, not just your suppliers, is essential. Therefore, you need to be especially secure and resilient. No one in the ecosystem wants to think that communicating with their automotive transportation provider is a risk.


Jobson: That’s right. What we’ve learned is that security is synonymous with privacy. When people apply for a car loan, they’re providing us critical information. There’s an ongoing relationship because we continue to service these people. We want to do everything we can to protect their information.

There's a lot of hard work to do in the IT world, but by focusing on making us secure, we actually help to make the client secure as well.

There’s a lot of hard work to do in the IT world, but one of the nice synergies is that by focusing on making us secure, we actually help to make the client secure as well. So, we really appreciate the importance of that part.


Gardner: You are the digital man in the middle, right? You’re in between all of those suppliers for parts, for OEM cars, and for financial services. You have a panoply of financial organizations – from credit to insurance to government agencies -- and that all leads back to the customer and their data.


By being in the digital middle, you’ve had to move beyond mere IT security and into risk management.


Jobson: Well, that’s right. Keep in mind, too, that a lot of times your biggest risk is people. You have a new employee, and it takes time to onboard and orient them. You must build systems that consider where people are, and not put them at risk. We’re the first line of defense to make sure we’re protecting both our security and the private information of our customers.


Gardner: That requires both education and awareness, which brings us back to the need for visibility -- not just inside your own systems, but as far and wide as possible. How have you developed such extended enterprise risk management (ERM)?


Risk management at root of protection


Jobson: That’s a great question, and it’s been really interesting. My background is in digital marketing and enterprise software. Security has always been an aspect of that, so I’m comfortable working with cloud applications and setting up service integrations. It’s second nature. So, it became logical as we expanded that this would fall under my domain.


The challenge was, coming from a marketing background, we have a lot of people to help us with security, but it’s more about putting together an operational plan. How do you put the day-to-day activities all together? That was a challenge. We needed a way to communicate that to the executive team.


To adopt such a risk management strategy, we worked with Bitdefender because we really liked their people. On a quarterly basis, we’d get together, and they’d give us a rundown of what they had been seeing in the field and across our businesses.


That’s how we came across their dashboard with the executive summary. The second I saw that, I knew I had my tool to manage our day-to-day progress on securing the enterprise.


It’s funny, when you come from the outside, your first perception is it’s the people and the passwords that are going to be the highest risks. And when you know your risks, you can manage them. For us, the first ground zero for IT security was making sure we understood these risks.


So, we put in endpoint security across the organization. We run about 300 desktops. Installing that on every single one of them was a logistical feat. But everyone understood why, and we did it. Once we did, we started to get all these signals back to our Bitdefender GravityZone executive summary dashboard.


For the very first time we got a score. I wish I could say differently, but when we first got our score, the risk was high. It indicated a high level of risk, and that made all of us very uncomfortable. We immediately began to determine what our risks were. We found some real surprises.


Our top category was misconfigurations, and those misconfigurations could be anything from a printer that has not been updated to a traditional user of computer services. The first reflex is to think about your laptops and desktops. You don’t always think about the printers, but it’s a computer in the same sense as your desktop endpoint is.


Once we began to understand the true risks, we looked at security very differently. We realized that every connected device was potentially a risk that we needed to pay attention to. We liked the Bitdefender dashboard because it told us where we were on a score of 100, and it broke that down into three categories: misconfigurations, app vulnerabilities, and human risk.


We were quickly able to target the high-risk areas in each one of those categories. We put weekly plans into place for the IT team to say, “Okay, this week we need to address this.” And it was much more fun and so there was more engagement from the IT team because we were proactively setting the agenda.

Once we began to understand the true risks, we looked at security very differently. We  realized that every connected device was potentially a risk that we needed to pay attention to.

It wasn’t just the typical, general red flag alert: There’s something wrong with a computer. It moved us from firefighting to fire prevention. And I have to tell you, we got hooked. That’s the way my team wants to work. They can collaborate together. They’re excited to come back and say, “We worked on 40 endpoints and got the risk from high to medium.” That’s instant reward and you get gratitude for protecting the whole organization.


There wasn’t a measurable way to go back to the team and say, “You did well,” until we had this dashboard. We all saw the risk score coming down in real-time, in front of our eyes, and it just transformed the way that we work as a team.


Gardner: It gives you a whole new sense of knowledge about your situation, and to what degree you can be in control over your destiny. But also having those scores gives you some ammunition you can take to other people in terms of, “Here’s what we’re accomplishing. Here’s why we can get cyber insurance if we want to. Here’s how we can increase the knowledge across our workforce about how to be better prepared or to modify behaviors.”


It certainly sounds like you’ve crossed the Rubicon, if you will, of not being a deer the headlights, unaware of what’s coming next, and instead being in charge of your destiny and having the tools to further reduce risk.


Deal with risk consciously, confidently


Jobson: That’s right. There’s a matrix where you’re unconsciously unaware, and then you get conscious on risks. I’d say we’re now consciously competent. Although some days we roll back, we’re more and more in the consciously competent part. The IT team is more comfortable approaching big tasks because, again, we can be proactive. We’re ahead of the curve. We’re not waiting until there is a situation. We’re dealing with it before it’s a problem.


For example, in just six months we have effectively accomplished an agenda that had hovered around for three to four years. I attribute that to having a score. Anyone out there who’s wondering what the first step is: First, I would say, is read the Cybersecurity Framework by NIST. It’s an overwhelming document at first, but it’s an unbelievable document because it gives you context. Once you’ve read through it, and then you match it up with a scorecard – such as we’re getting right now with the Bitdfender executive summary -- you’re able to put a game plan in place for everything you need to do.


Gardner: Let’s drill into the executive dashboard. While you’re getting a top-level view, because  there are agents and technologies to bring you all the information you need, you are able to drill in and find out more information. But it doesn’t flood you like a fire hose with too much information.


How confident are you that you’re attaining a comprehensive view when you drill into the level of detail that’s possible?


Jobson: The dashboard and the sensors -- you could think of your whole network as sensors – are giving us information much faster than we could realize from our own logs and audits. For example, we have a Voice over Internet Protocol (VoIP) system that a threat recently emerged in rather quickly. It was developing literally by the hour, and the dashboard was the first one to bring it to our attention.


Incidentally, twice a day, I look at the IT news and it was only in the second half of the day that this threat started to emerge in the news. But our GravityZone program served that up to us first thing in the morning. We were already ahead of the threat. That allowed me to reach out to the suppliers earlier. I wasn’t waiting in line saying, “Okay, what’s the best way?” We still needed to function as a business. Right away we were able to mitigate the situation quickly. And to our knowledge, we mitigated a rather large risk with very little disruption to our staff -- and more importantly, no privacy breaches.


Gardner: With that sense of accomplishment, you’re able to reduce the overall stress on your IT and security staff. That’s important these days because it’s hard to find and hold onto qualified people. If you can give them an environment where they feel like they’re making a difference, they have the tools to attack these problems early -- and do it so they’re not in a fire drill -- that must make for a good labor environment.


Move beyond reacting to assessing


Jobson: Yes, that’s a really good way to say it, Dana. When you’re reacting, you’re just reacting. You haven’t had time to read through the different mitigations, the plans A and B. Now, most of the time, we don’t have to react with intensity. We still need to act, but we have different mitigations in place. The team can talk about what’s the best approach. We can do a store by store and kind of learn from each store as we apply the process. We can do a quick follow-up with the team and say, “Okay, great. What problems did you encounter? Were there any dependencies that were affected?” So, it’s the way to go if you want to come out of this and be able to go home and sleep well at night.


Gardner: Right. And it’s interesting, too, Paul, because you are not trained as an IT person, but you’ve been able to get into this at a higher risk assessment and mitigation level. By having the right technology, you have crossed a barrier from when only a techie could do this to now, when somebody who can use the tools well is managing rather than struggling.


Jobson: One of the interesting side-effects of having a dashboard like this is you can focus on the people element. At the end of the day, for me, I wish IT stood for innovation and team, because we’re using the tools to help people be more productive. We’re assisting the team with solutions that work for them and allow them to function better and better.

The second we see the dashboard alert and look at the affected devices ... we tighten our policies. People are more understanding because we share the insights that we get from the security system.

What’s nice about having a tool like this is that you’re actually able to share the information with the users. Sometimes we’ve had to reach out to users and say, “You know what? Sorry to interrupt you, but our system has flagged you. You have an app or configuration that’s been flagged as high-risk. We need to deal with it immediately.”


By just seeing the words “high-risk,” our users deescalate. They do not wonder, “Okay, do you need me to do this? Do you really need to touch my computer right now while I’m at work?”


They may be with a customer, but the second we see the dashboard alert and look at the affected devices, we say, “Hey, sorry, but you’re one of them.” As we tighten our policies, people are more understanding because we share the insights that we get from the security system.


We can say, “Listen, it’s not that we want to block you on this photo app, or it’s not that we don’t want you to be able to put your favorite picture on the desktop background. But there is a greater agenda that we have, and these are some of the ways we’ve been told to mitigate it,” whether it’s from signals from our security system or from looking to the NIST Cybersecurity Framework.


Gardner: We would be remiss in talking about your security posture if we didn’t bring up email. It is still one of the leading threat vectors -- after all these years. Tell us how you deal with email security. I’m sure you have it coming in all different directions. Is there a way in which you’re managing your email issues and leveraging this dashboard at the same time?


Successful email security systems


Jobson: Yes, email security is the single most important vector of any security program because it’s where the rubber meets the road for most users. That’s where we get the most outside influences.


We have a three-tiered approach to how we do things. First, we make sure to protect all the endpoints. Second, we secure the network using an XDR solution. But last, and we did it last because it’s the most involved, we have an email security process in place. And when I say it’s the most involved, it’s because if you are truly trying to achieve email security, you are going to put in rules and guidelines that are going to be restrictive.


So, on a typical day, we probably quarantine about 800 emails that get reviewed quickly by the IT team. They are assessed for their risk and then forwarded on. But what’s nice is we’re able to quickly see patterns. We’re also able to call people and say, “What are you sending? You’re sending an encrypted, password-protected thing. We have no idea what’s in there. Is there a way we can make a change, or is there another way we can get the information, like can we get it off a web link?”


We find a way to reduce the risk. And when we’re sharing with our suppliers, some are rigid. They can’t make the changes, but we have had some that said there is another way to deliver the service.


Combined, that all reduces the risk from email. But something else amazed us initially. When I said we were quarantining about 800 a day, we get about 2,000 that are genuine spam. They’re not all evil, if you will. Some of them are just people promoting themselves. But when you have 300 users a day using their computers, there will be risks in the spam. By putting in this frontline of defense, we have not had any significant scares, and I attribute it to our processes.


The email security feature I like the most: Every single link in an email, when it is clicked, goes through a secure scanner first. So, we don’t have to count on a person who’s a day or two in who doesn’t know if they’re receiving a legitimate link from one of the manufacturers or not. The system has their back on that. We’ll scan it for them.


And we do get some angry calls every now and then from someone saying, “I was trying to do this. I’m blocked.” But it changes very quickly when we go back to them and say, “Hey, you know what? Are you aware that was a malicious site? Did you know that site was trying to take your credentials and our system blocked you and protected you?”


The business team is just so much more supportive of additional initiatives once they’ve gone through that process. You don’t know what you need until the need comes up. So, once they’ve gone through that process, we just find they’re so much more willing to help secure the business.


Gardner: And again, with email -- like some of your other services you mentioned earlier -- it’s the knowledge about what’s going on that brings you to that higher-order discussion about how to be risk-averse rather than how to be unproductive. And so, that’s the key, I think, is you’re able to get people’s buy-in rather than have it just seem like they’re being naughty.


Jobson: That’s right. But I will say to anybody implementing it, there is a transition period. The first day you turn it on, be prepared. One of the things we’re learning is communication is critical. We do a style of management that’s all about cascading messages to employees and we found that, you know what? I think the perception of the IT team sometimes is, “Oh, does anybody notice what we do?” The answer is yes. On a grand scale, they notice what we do.

Communication is critical. We do a style of management that's all about cascading messages to employees. They notice what we do.

When we make small changes, users are affected, and they communicate back to us. So, good messaging helped us get through it. We had a tuning process that we did and we were grateful to our user’s patience while we did it. But today, everybody’s confident that we’re much more secure because of these measures that we put in place and it’s worth the inconvenience or sometimes having to wait an extra hour for a flagged email to pass through the gates.


Gardner: The alternative might be that your business is down for three or four days -- and talk about aggravation.


Jobson: That’s right, and the reality is we just can’t monitor the volume. You need to leverage a system to monitor that for you.


Gardner: IT and security people are dealing with so many different tools. There’s a new tool coming out every week for some other new aspect of security issues. What’s your philosophy about how to handle that sprawl, to get the most out of the tools but without being overwhelmed by them? Is the dashboard part of that ability to get the right balance?


Plan ahead to prevent tool sprawl


Jobson: That’s a great question. You need a plan on how you’re going to implement these things. For us, in looking at the dashboard, we love the information that we get back. It scans a lot of the network, but there were some limitations on endpoint security.


That led us to the next path, which the NIST Cybersecurity Framework also hinted at, and that’s the internet of things (IoT). And for us that meant raising our awareness about how much priority and privilege each device should get. We started to think about segmented network security, which is what you can do with XDR. So, we’d have networks for IoT, networks for our guests, networks for our main enterprise business, network for staff devices, and we’re able to reduce the risk by going into these specific lanes for each category.


When you get a signal back from the dashboard, the solution isn’t always an IT thing. Sometimes the solution could be sending a memo saying, “Please don’t install any unapproved apps unless you reach out to the IT department first.” Or it might be going further, as we’ve done, and put some clamps down on what can or cannot be installed on people’s PCs.


So, we have used education, restructuring the network, calling the manufacturers, and further isolating some devices. We have some suppliers that have devices that they never update. It’s not our property. No problem, we’ll put that on a network outside of our regular network to keep us safe. So, each one is a problem to solve. How you solve it is really up to you.


Gardner: Right. But the key is that you have that knowledge and insight that the risk is there.


Jobson: Absolutely.


Gardner: Before we close out, Paul, let’s look to the future. How do you expect to leverage automation more? You said you can’t do this all manually, and even using intelligence to gain a larger view of risk. Do you look to the dashboard to help you attain more automation and intelligence?


Embrace expertise to manage threats


Jobson: The dashboard is one of the tools we’re using, along with Bitdefender GravityZone. There is a series of tools we use to manage things. One thing we really like is like the Bitdefender Threats Xplorer. A lot of people’s notion of security is just an antivirus scanner on the PCs. Scarily, for a lot of businesses, that is their level of understanding. But the threats are becoming more sophisticated. You can either ignore that or you can work with partners that have more experience.


As we look to the future, XDR has been an area where we’re paying more attention. It gives us greater insights on the devices that aren’t PCs and it watches our whole network. But it’s also giving us in real time a description of the threats as they’re happening.


For example, we recently had an incident. It was from a remote software that we use to support people. The supplier made a change in their software, and the change had a piece of software that was associated with malignant code. That malicious software was attacking businesses, and we were in a meeting at the time, the whole IT team, and our system started to shut down users.


By the fourth or fifth person being shut down, someone knocked on the glass and pulled us out of the meeting, and said, “You know, there’s four or five PCs shut down.” We were nervous that this was a virus. In fact, what it was our system operating in real time. When it saw a threat, it turned that PC off and isolated it. When it did that, the software, the remote software would go to the next node and try to scan the network. And, so, it would be shut off, too.


In a very short amount of time, it shut off the five offending PCs. If that had been a real risk … What’s so great is my team cannot be on alert all of the time. We are relying on the automation and technology to take care of things and let us to do the analysis after-the-fact. If you’re not leveraging these tools that can do that for you, you might be creating a lot of risk for yourself.


Gardner: Any recommendations to those listening?


Jobson: In IT, you have so many choices. I mean, you just have to run any popular program, PC optimization program, and it’ll tell you 1,700 fixes you can do to fix your PC. You scale that over a large organization, and you can literally have hundreds of thousands of choices.


For us here at Bruce, the tech team, it was critical that we had something that prioritized it from a risk point of view -- from mildly inconvenient to threatening your business. Once we had that prioritization, and the whole team understood what it meant, that’s when we started to gain enormous traction on long-standing issues with how we were managing our PCs.


In order to have a game plan, you need to know what the objectives are. Our Bitdefender scorecard helps us identify the highest priority objectives.


Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how Bruce Auto Group gained deep insights not only to how their systems, apps, and data are secured -- but also how risks can be averted across its entire IT and services supply chain.


And we’ve learned how innovative managers like Paul have elevated IT security to a mission-critical value of comprehensive risk mitigation and overall business resiliency. Please join me now in thanking our guest, Paul Jobson, Director of Marketing and IT Strategy at Bruce Auto Group in Nova Scotia. Thank you so much, Paul.


Jobson: Thanks again, Dana. Have a great day.


Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions. Your host and moderator for this ongoing series of BriefingsDirect discussions. A big thank you to our sponsor, Bitdefender, for supporting these presentations. And a big thank you as well to our audience for joining. Pass this on to your IT and security communities, and do come back next time.


Listen to the podcast. Find it on iTunesRead a full transcript or Download a copy. Sponsor: Bitdefender.


Transcript of a discussion on how Bruce Auto Group gains deep insights into their systems, apps, and data to manage and reduce risks across their entire IT and services supply chain. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.


You may also be interested in: