David Weisong, CIO at California-based environmental consulting firm Energy Solutions, explains how the company has gained a competitive advantage to win more business as a result of modernizing its security posture.
Cyberattack threats against utility companies continue to rise in quantity and sophistication, and as the CIO of an environmental consulting firm that works with them, I can say their concerns are our concerns.
Considering that our work includes handling sensitive personally identifiable information (PII) and location data, our utilities clients are smart to ask us to verify our security practices, and to ask us to undergo validation checks conducted by third parties.
This security scrutiny has become ever more heightened year to year – as it should be. From encryption to access controls to mobile device management to employee training, clients continually raise the bar on the protections they want to see in place.
This evolution recently led us to take a hard look at our security offerings, and to acknowledge that a range of improvements was in order if we were to keep pace with our clients’ evolving requirements. Following that honest inventory, our organization committed to building out a more robust, more modernized information security program capable of delivering the next level of protection.
The decision wasn’t just good for security posture. Holistic and provable security can be a differentiated advantage to win more business, as it has been for us. Here’s what we did.
Planning a holistic cybersecurity stack by following an established blueprint
To begin, we identified SOC 2 Type 2 certification as an ideal framework for structuring our security capabilities. Intended for services organizations like ourselves that manage customer data, SOC 2 Type 2 compliance requires safeguards that prevent physical or logical access to sensitive data and systems.
SOC 2 Type 2 also calls for controls that ensure the security, availability, processing integrity, confidentiality and privacy of client data. Committing to the pursuit of SOC 2 Type 2 certification ensured we’d have a structured approach to meeting the breadth of our clients’ security needs.
Implementing upgrades to encryption and more
Our SOC 2 Type 2 certification planning made our need for new encryption technology clear. Our existing tooling for managing Microsoft BitLocker and Apple FileVault encryption keys was, to be honest, implemented badly.
We considered continuing to rely on these solutions for their ability to protect data at rest on our devices. However, our team felt constrained by the manual nature and limited management options offered by BitLocker and FileVault, and ultimately opted to seek out a solution with greater automation and control.
Gaining the ability to easily produce the compliance reporting SOC 2 Type 2 calls for, and thus help our clients demonstrate compliance if an audit were to occur, also became a priority.
We discovered an effective solution for meeting these client needs in BeachheadSecure, a managed device security platform that provides encryption and access controls within a zero-trust security posture.
This solution now enables our team to automatically remove data access from any PCs, Macs, phones, tablets and USB devices that hold our clients’ sensitive data – and do so in response to pre-set risk conditions.
For example, if a device travels outside an authorized geofenced location, or experiences a set number of failed logins, automatic protections kick in to eliminate any risk to data.
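The two risk conditions named above, a device leaving an authorised geofence and a run of failed logins, can be expressed as a small policy that a management agent evaluates against device telemetry. The following is an added illustration of that idea and is not BeachheadSecure code or any part of the original article; the coordinates, device names, thresholds, timestamps and the `Policy`/`DeviceState`/`evaluate` names are all constructed for the example.

```python
# Added illustrative example (not BeachheadSecure code): a small policy engine that
# evaluates the kind of pre-set risk conditions the article describes, a geofence
# and a failed-login threshold, and returns the protective action to take.
# All coordinates, device names, thresholds and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Geofence:
    """Circular authorised area: centre (lat, lon) and radius in kilometres."""
    name: str
    lat: float
    lon: float
    radius_km: float


@dataclass(frozen=True)
class Policy:
    fences: Tuple[Geofence, ...]
    max_failed_logins: int   # failures at or above this count trigger a response
    window: timedelta        # only failures inside this window are counted


@dataclass
class DeviceState:
    device_id: str
    last_fix: Optional[Tuple[float, float]]  # (lat, lon), or None if no fix reported
    failed_logins: List[datetime]            # timestamps of failed login attempts


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def inside_any_fence(fix: Tuple[float, float], fences: Tuple[Geofence, ...]) -> bool:
    lat, lon = fix
    return any(haversine_km(lat, lon, f.lat, f.lon) <= f.radius_km for f in fences)


def recent_failures(times: List[datetime], now: datetime, window: timedelta) -> int:
    return sum(1 for t in times if now - window <= t <= now)


def evaluate(device: DeviceState, policy: Policy, now: datetime):
    """Return (action, reasons); action is 'allow' or 'revoke_access'."""
    reasons = []
    # A missing location fix is not treated as a breach here; a stricter policy
    # could withhold access until the device reports its position.
    if device.last_fix is not None and not inside_any_fence(device.last_fix, policy.fences):
        reasons.append("outside_geofence")
    n = recent_failures(device.failed_logins, now, policy.window)
    if n >= policy.max_failed_logins:
        reasons.append(f"failed_logins={n}")
    return ("revoke_access" if reasons else "allow", reasons)


# Constructed sample policy and device telemetry.
NOW = datetime(2024, 1, 15, 9, 0, 0)
POLICY = Policy(
    fences=(Geofence("office", 37.7749, -122.4194, 2.0),),
    max_failed_logins=5,
    window=timedelta(minutes=15),
)
DEVICES = {
    "laptop-in-office": DeviceState("laptop-in-office", (37.7790, -122.4150),
                                    [NOW - timedelta(minutes=3)]),
    "laptop-travelling": DeviceState("laptop-travelling", (34.0522, -118.2437), []),
    "laptop-bruteforced": DeviceState("laptop-bruteforced", (37.7790, -122.4150),
                                      [NOW - timedelta(minutes=i) for i in range(5)]),
    "laptop-old-failures": DeviceState("laptop-old-failures", (37.7790, -122.4150),
                                       [NOW - timedelta(hours=2, minutes=i) for i in range(6)]),
}


def run_all(devices=DEVICES, policy=POLICY, now=NOW):
    """Evaluate every device against the policy; returns {device_id: (action, reasons)}."""
    return {d: evaluate(s, policy, now) for d, s in devices.items()}


if __name__ == "__main__":
    for device_id, (action, reasons) in run_all().items():
        print(f"{device_id:22s} {action:14s} {', '.join(reasons)}")
```

The time window on the failed-login rule is the detail worth noting: counting all failures ever seen would eventually lock out any long-lived device, so only attempts inside the window count, and the device whose six failures happened two hours ago is still allowed.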
Modernizing endpoint security
To bolster the endpoint security we provide to clients, we added Webroot endpoint protection via the Webroot Evasion Shield. This system protects against file-based and fileless script attacks, detecting and blocking malicious scripts while allowing whitelisted scripts to run.
We also deployed Webroot DNS protection, in order to block high-risk domain requests through automated filtering and threat intelligence. Additionally, we implemented Datto RMM for cloud-based remote monitoring and management. Doing so has enabled us to secure, monitor, manage and support our clients’ endpoints through remote sessions to effectively oversee and protect those systems.
Securing a competitive advantage
Revamping our information security program positioned our company as a one-stop shop for our clients’ needs, and quickly created new opportunities for us to work with utilities that prefer a single trusted partner for both energy technology and security. The road we followed to build this competitive advantage is available – and recommended – to businesses across industries looking to enhance their offerings and their position in the marketplace.
We asked David Weisong, CIO at Energy Solutions, further questions to find out more.
Can you explain how cyberattacks against utility companies have increased in sophistication? What challenges have been created by this?
Utility companies are facing a uniform escalation in threats and I don’t see that ebbing anytime soon. This acceleration is necessitating across-the-board improvements to their cybersecurity defenses.
Utilities are, understandably, incredibly sensitive about protecting their infrastructure – any successful attack that disrupts any part of their energy generation or delivery systems has huge implications financially and reputationally.
As a result, we’re seeing organizations we’ve worked with for 20 years quickly heightening their security standards, beyond where they were even six months ago.
Utilities now regularly include language in their contracts to treat any business that interacts with their personally identifiable information (PII) or location data – as our energy efficiency and clean energy services do – with the same extensive security requirements as an energy vendor.
This is because any vulnerabilities in a utility’s extended support chain represent a serious risk.
The infamous SolarWinds hack is a stark example: the company had a great information security program, had done their SOC 2 audits and still fell to a vulnerability in an open source library that their software depended on. That attack represents the fragile environment that utilities exist in and why they must be more diligent than ever.
Against this backdrop, utilities’ cybersecurity questionnaires for vendors have grown from a relatively short yes/no list of security measures to now requiring that we provide evidence of our hardened security processes – with third-party validation through a SOC 2 audit or penetration and vulnerability test.
And, for any answers where the vendor says, ‘no, we don’t have that specific security feature’, utilities require them to delineate exactly when they will remediate that shortcoming.
We came up against this exact issue when it came to introducing multifactor authentication (MFA) on one of our internally developed applications. While we had this functionality on our project roadmap for the year, our utility client required a specific date that we’d be able to deliver MFA, or else they couldn’t pursue a relationship with us.
The utility also made it clear that sooner was better. That made us rewrite our product roadmap to accelerate delivery. It’s a major change for utilities to now prescribe the specific security tooling required to be their vendor.
The clear ROI case for implementing what they require now shapes security strategies across utilities’ ecosystems. The reality is that utilities want to ensure that any vendor they work with follows their same internal compliance practices, almost one-to-one.
The evolving requirements in those contracts paint a picture of prevailing security trends. Certainly, MFA is quickly becoming essential. Mobile device management (MDM) is also a huge concern, with utilities closely gauging vendor sophistication in protecting data at any endpoint where it might reside.
The challenge for vendors is prioritizing those initiatives and doing enough to meet utilities’ needs. Another challenge is that there’s no uniform standardized cybersecurity questionnaire: every utility is doing it differently.
A SOC 2 audit, validated by the tech arm of a CPA firm, used to serve as that recognized standard. Now SOC 2 is just a checkbox and a lot more questions and evidence are required.
How has providing enhanced security translated to your company winning more business?
With utilities upping the ante on their security standards and requirements every time they engage with us, providing that enhanced security has been absolutely requisite for us to win business.
Utilities regularly revise their cybersecurity addendum, with no allowances for redlines. You either accept and provide for the complete heightened scope of utilities’ security standards or…you do business elsewhere.
Vendor executive teams would be wise to accept the fact that this drive toward greater security isn’t going away. Some vendors naturally shy away from security because they have prominent gaps, but that’s a poor long-term strategy.
For our part, we’ve claimed a position of going beyond the minimum security that utilities ask for and found a competitive advantage in doing more and offering ourselves as a more trustworthy partner. The ROI case for going above and beyond the minimum security thresholds (which themselves are increasingly higher) is absolutely there.
Would you encourage other companies to try to achieve SOC 2 Type 2 certification?
Absolutely. Meeting SOC 2 Type 2 certification requirements isn’t cheap or easy. It calls for a strategic investment and commitment, including a full year of dedicated activity to demonstrate secure practices throughout your organization. However, it’s now table stakes for doing business with many clients and will also pay major dividends from the ROI point of view.
How did SOC 2 Type 2 certification help your company meet your clients’ security needs?
Beyond being increasingly required to work with our utility clients whatsoever, our SOC 2 Type 2 certification has fundamentally transformed and improved our security mindset, our security capabilities and even how we think and talk about security within our organization.
This certification impacts our activities and promotes best practices that even well-run companies simply wouldn’t bump up against unless they were using the SOC 2 framework.
Can you explain how BeachheadSecure offers greater automation and control?
During the SOC 2 Type 2 certification process, we quickly realized that a standard encryption approach was not robust enough and – importantly for us – wouldn’t have the flexibility to support our Mac systems as thoroughly as our Windows clients.
We needed feature parity that cut across both Windows and macOS, including options for mobile device management. This prompted our search for a new remote encryption management and remote device access control solution.
We liked BeachheadSecure’s zero-trust security automation and its built-in Compliancy Report capability – the latter of which generates evidence reports to demonstrate our SOC 2 compliance whenever we need to.
The platform also allows our IT team to prepare automated responses to risk conditions. (For example, we can remotely wipe data from any device in scenarios where that device experiences a set number of failed login attempts, or in many other threat circumstances.)
Having that OS breadth of coverage along with zero-trust automation helped with SOC 2 Type 2 certification and continues to reinforce our security strength on new cybersecurity questionnaires.
What advice would you give to other companies that wish to go through a similar process of enhancing their security posture?
One important piece of advice is that you absolutely need full buy-in from your company’s leadership in order to succeed at your security modernization and enhancement initiatives.
Checking boxes on security questionnaires is now required to win business, but truly effective security has to also go beyond checking boxes. It requires a committed culture and mindset and, often, changes in practices at the corporate level.
It also requires a significant commitment financially. If security enhancement isn’t a substantial line item in your budget, you’re underspending, whether you know it or not.
My other advice is to start now, because there are time requirements to security that you just can’t accelerate. As I said before, there’s no way to implement SOC 2 compliance overnight, or even in three months.
It’s really a year-long process of weaving controls throughout your environment, with an eye toward providing conclusive evidence for a successful SOC 2 Type 2 audit. You must demonstrate that you’re adhering to security controls over a period of time, making the decisiveness to begin that process an essential factor.