IT security is more important now than ever. The digital industry has steadily been growing in importance, and criminals are upping their game: ransomware, DDoS and phishing have become prominent threats to both organizations and citizens. Schuberg Philis’s security reputation is exceptional – not least because in everything we do, security comes first. And second, and third. Colleagues Frank Breedijk (CISO), Daan Stakenburg (DPO) and Daniele Bonomi (Security Specialist) explain what this means in practice.
Frank: “In the end, security isn’t just about protection, but also about trust. If people don’t trust us, we can’t work for them. And one of the reasons people do trust us, is that our own security is top-notch. We are our own business case.”
Daan: “We’ve earned a lot of that trust by being extremely transparent about our actions and interventions. And by showing that we’re always thinking ahead. How do we respond when someone is attempting a DDoS attack? What do we do when someone tries to infiltrate a system? What measures are we taking now to prevent this from happening? Anticipating what might happen—it’s part of our DNA, down to the core.”
Frank: “If you want to be secure, it is important to think outside the happy flow. For example, when you ask a development company to build a new web shop, you will get a lot of functional questions: what should the shopping cart look like; what color will the site be, and so forth. And those are important items, but if you want to be secure, you also have to ask yourself: ‘What could go wrong?’ What if someone manipulates their shopping cart and manages to order a negative amount of products? Will they get money back instead? If you are mainly focused on development you don’t tend to ask these questions, but we do, because we always think ahead and apply a healthy dose of suspicion.”
According to Daan, Frank and Daniele, you have to be a little paranoid to be the best at what they do. And the current age requires it.
Daniele: “Security incidents are not only more prevalent; they also get more attention as people are becoming increasingly alert to the importance of security. The public at large has become aware of the risks of digital crime. This combination of awareness and the realization that the risks are considerable have made IT security a prominent topic for boardrooms and administrators.”
Which is why Schuberg Philis is helping companies large and small with services that now extend far beyond hosting and technical application management.
Daniele: “On all levels, we implement solutions that push our customers and ourselves to a more secure state. Our customer teams have the expertise to make continuous adjustments and improvements, offering the best service to our customers. We have bundled all our know-how on security and our customers’ business-critical systems in a tailor-made Security Information & Event Management service (SIEM), designed specifically for the kinds of systems we manage. This lets us identify, together with our customers, the measures needed to meet their requirements.”
The central idea is that security should be built in at the foundation. Yet, for many companies, security is still an add-on. While it’s a well-known adage in security circles that today’s security incident is input for tomorrow’s security policy, Schuberg Philis is living proof that we have reached an important turning point in the way organizations approach cybersecurity: from only or mostly incident-driven to more structural, integrated attention.
Having more security tools and services doesn’t automatically make you more secure.
Schuberg Philis uses a security model called the “security survival pyramid,” which takes a layered approach. Purchasing tools and services does play a part, but certainly isn’t the most important element.
Daan: “Having more security tools and services doesn’t automatically make you more secure. That’s why we make an effort to help our customers define a new way of working—which doesn’t necessarily involve large-scale or spectacular interventions. For example, a helpful improvement can be to simply create and update a patch calendar, or to initiate best practices in public cloud services. Such best practices could be about identity and access control, answering questions like: ‘How do people get access to this environment?’ and ‘What access level do you need?’”
What helps us give customers bespoke advice is that everyone at Schuberg Philis gives high priority to security, including the Customer Teams.
Frank: “We recently organized a security exercise here with colleagues from different teams. Everyone had to think of a red button that could be pressed in case of emergency to initiate the major security incident process. We asked: who gets to push the button when things fall apart? It was a hard question to answer, until we realized that for us, it doesn’t matter: everyone here knows the importance of security and can therefore sound the alarm. And our customers know it.”
Frank: “In our field you are as good as your last failure. But the real test isn’t how you keep bad things from happening. It’s how you respond when they do. How do you make sure things don’t spin out of control? It’s not that we never have security episodes. For us, every incident is an opportunity to educate ourselves. We learn lessons for next time, so that we don’t make the same mistake again. After all, in the end, preventing damage is important, but enabling trust is the most important.”