Information Security – Security as main goal
Fraudulent use of data and information remains a major problem. To counter it, you first need as complete an insight as possible into which data and information are located within an organization, and with which classification. Product Manager Albertho Bolenius, responsible for Information Security, explains how SMT helps out.
“For years I had to explain over and over again why companies really had to invest in security”, Bolenius explains. “In recent years, people have realized that it can cost money if their security is not up-to-date. And then we are talking serious money. For reputational damage, loss of data, fines, but also simply because customers leave if companies cannot prove that their security is in good order.”
Looking for pain
To prevent this kind of damage, SMT supports many organizations. “Via short steps we eventually climb a mountain. It starts with an intake. First, we look for the pain points of the customer. We look at the needs and choose an assessment that can be applied to the situation and needs of the customer. If they want to build a SOC (Security Operating Center, ed.), we will do a technical assessment. But if customers want management buy-in, the assessment will be about risks. And sometimes a customer needs to comply with certain laws and regulations. Then we do an audit assessment.”
SMT brings all that information together. “That results in an SSAD – an SMT Security Assurance Document. It describes how we will bring together the customer needs, the assessment results and the solutions. It also shows in which stage of maturity the customer is at that moment. We look at five domains: business, people, process, technology and services. Besides that, we come up with a plan of action. And because transparency is very important to us, that includes attachments with all relevant information we have discovered.”
“We do not say ‘Dear customer, we can see that you are in pain, here you have some patches, good luck with it!’. We show where the pain is and suggest a number of solutions. Sometimes the customer only wants a patch, sometimes they prefer surgery. Together we start the project and we only stop when it is completely finished. After all, we have the knowledge and the partnerships to do such projects.”
Just as with IT Operations and Business Analytics, SMT also uses the SMT EDAP® (SMT Enriched Data Analytics Platform®) for Information Security. “It all depends on each other. To get the infrastructure for IT Operations in order, you must meet a certain security standard. A listed company in the Netherlands has to comply with the standards of the Dutch Bank/De Nederlandsche Bank. A company that is also active in the US has to comply with the regulations there. To do this, you must first have your Business Analytics organized so that you know which data you need to classify. By using the SMT EDAP® we can connect the three domains.”
Bolenius gives a real-life example. “At a large organization which is part of the central government, we provide consultancy and services on the data platform. But the IT department had its own platform, just like the financial department. They were all individual islands. We have put efforts into bringing everything together into the SMT EDAP®. We also did a SOC assessment in which the SOC was fully screened; from the processes to the technologies and from the people to the culture. Especially at C-level, does the board know what’s happening in the SOC? This ultimately resulted in one data platform, with which all departments work. The SMT EDAP® collects all data from where analyses are performed and all involved departments have access to the available data. Operational actions can now be executed from unambiguous analyses. This also makes it possible for security to filter out abnormalities from the monitoring. Incident monitoring and response has a higher value of truth because of this.”
Bolenius gives another real-life example. “A large insurance company, where IT is mostly outsourced, had to comply with the standards of De Nederlandsche Bank. They had to have a certain level of control over their IT, but because they consciously chose not to have a SOC, this was difficult. Outsourcing a SOC is very costly, so that was no option either. The customer worked with five IT directors for various areas that did not work well together. With the help of a data analysis we were able to demonstrate that working together, also with a joint budget, would have enormous benefits. Not only in terms of costs, but also in terms of knowledge. Actually, a small step but with major consequences.”
Obviously, with Information Security, SMT is also committed to predicting attacks and averting them in time. “That can be done by analyzing abnormalities. We can tell something deviates from the normal statistics such as – simply put – unusual traffic at 11:30 PM. When IT Operations is set up correctly, you can proactively turn these events into action and make a report without the interference of people. The next morning you do not need to talk about it for hours. The first steps have been done already by the enriched data platform.”
The objectives that are agreed upon differ greatly per company, but eventually the main goal is the same. “We want to offer Security Assurance. Security in the field of data and information.”