Magazine Button
How modernizing our security posture helped grow our business

How modernizing our security posture helped grow our business

EnergyEnterprise SecurityInsightsTop StoriesWest Coast

David Weisong, CIO at California-based environmental consulting firm Energy Solutions, explains how the company has gained a competitive advantage to win more business as a result of modernizing its security posture.

Cyberattack threats against utility companies continue to rise in quantity and sophistication and, as the CIO of an environmental consulting firm that works with them, their concerns are our concerns.

David Weisong, CIO, Energy Solutions

Considering that our work includes handling sensitive personally identifiable information (PII) and location data, our utilities clients are smart to ask us to verify our security practices, and to ask us to undergo validation checks conducted by third parties.

This security scrutiny has become ever more heightened year-to-year – as it should be. From encryption to access controls to mobile device management to employee training, clients continually raise the bar when it comes to the protections they wanted to see in place.

This evolution recently led us to take a hard look at our security offerings, and to acknowledge that a range of improvements was in order if we were to keep pace with our clients’ evolving requirements. Following that honest inventory, our organization committed to building out a more robust, more modernized information security program capable of delivering the next level of protection.

The decision wasn’t just good for security posture. Holistic and provable security can be a differentiated advantage to win more business, as it has been for us. Here’s what we did.

Planning a holistic cybersecurity stack by following an established blueprint

To begin, we identified SOC 2 Type 2 certification as an ideal framework for structuring our security capabilities. Intended for services organizations like ourselves that manage customer data, SOC 2 Type 2 compliance requires safeguards that prevent physical or logical access to sensitive data and systems.

SOC 2 Type 2 also calls for controls that ensure the security, availability, processing integrity, user confidentiality and privacy of client data. Committing to the pursuit of SOC 2 Type 2 certification ensured we’d have a structured approach to meeting the breadth of our client’s security needs.

Implementing upgrades to encryption and more

Our SOC 2 Type 2 certification planning made our need for new encryption technology clear. Our existing tooling for managing Microsoft BitLocker and Apple FileVault encryption keys was, to be honest, implemented badly.

We considered continuing to rely on these solutions for their ability to protect data at rest on our devices. However, our team felt constrained by the manual nature and limited management options offered by BitLocker and FileVault, and ultimately opted to seek out a solution with greater automation and control.

Gaining the ability to easily produce the compliancy reporting SOC 2 Type 2 calls for, and thus help our clients easily demonstrate compliance if an auditing event were to occur, also became a priority.

We discovered an effective solution for meeting these client needs in BeachheadSecure, a managed device security platform that provides encryption and access controls within a zero-trust security posture.

This solution now enables our team to automatically remove data access from any PCs, Macs, phones, tablets and USB devices that hold our clients’ sensitive data – and do so in response to pre-set risk conditions.

For example, if a device travels outside an authorized geofenced location, or experiences a set number of failed logins, automatic protections kick in to eliminate any risk to data.

Modernizing endpoint security

To bolster the endpoint security we provide to clients, we added Webroot endpoint protection via the Webroot Evasion Shield. This system protects against file-based and fileless script attacks, detecting and blocking malicious scripts while allowing whitelisted scripts to run.

We also deployed Webroot DNS protection, in order to block high-risk domain requests through automated filtering and threat intelligence. Additionally, we implemented Datto RMM for cloud-based remote monitoring and management. Doing so has enabled us to secure, monitor, manage and support our clients’ endpoints through remote sessions to effectively oversee and protect those systems.

Securing a competitive advantage

Revamping our information security program positioned our company as a one-stop-shop for our clients’ needs, and quickly created new opportunities for us to work with utilities that prefer a singular trusted partner for both energy technology and security. The road we followed to build this competitive advantage is available – and recommended-to businesses across industries looking to enhance their offerings and their position in the marketplace.

Click below to share this article

Browse our latest issue

Intelligent CIO North America

View Magazine Archive