Tuesday, July 11, 2023

How WFH accelerated IT and security transformation at global publisher Hachette Book Group

The next BriefingsDirect security innovations discussion examines how the rapid shift to remote work has accelerated a rethinking of security and IT processes at a New York-based publishing organization.

Rearchitecting the security posture of a business means adjusting work patterns and IT in ways that both reduce risk and heighten performance. But the trick is to do so without alienating workers -- wherever they may be -- and maintaining strong productivity.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.


Here to share her story on how to digitally transform a traditional business structure, reduce risk factors, and preserve a highly creative culture is Heidi Holmes, Senior Director of Information Technology Services at Hachette Book Group (HBG) in New York. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Tell us about HBG and why you needed to significantly adjust your security objectives over the past couple of years.


Holmes: HBG is one of the world’s largest publishers. The United States branch is part of a larger global Hachette, and we have some very, very big authors, such as James Patterson and David Baldacci.



We literally print almost every kind of book you can think of. So, our company is highly creative, and very intelligent. On a personal note, it amuses me because at other IT organizations I’ve been with, I could send out an email and never think twice about it. But here, you send out an email and you’re going to be critiqued from every editor across the board. It’s amazing. Even the CEO, he spots things that aren’t quite in the right order. It’s awesome.

So, Hachette: We’re a pretty amazing company. I’ve been here since 2019. I came into a very different IT organization. The leadership in place was great, but around some of the security practices, we really had to mature, to grow our business, and to grow how we monitor, maintain, and secure everything -- from the PC all the way to the edge.


Gardner: It sounds like – being global and dealing with so many authors, editors, and artists – that you were already a fairly distributed organization. And then we all had the move to more remote work in 2020. How did that rapid shift impact your digital transformation journey?


Diversity strengthens security strategies


Holmes: In such a diverse organization, no two sets of tools are the same. Just in the IT organization, every group is unique. And we’re talking five to 20 people. We are an amalgamation because we’ve acquired many different companies over time.


For example, Orbit, which is our science-fiction department. They are amazing, but they operate in one way, whereas Little, Brown Books for Young Readers, which is all of our young readers’ literature, operates completely differently. It’s almost as though it’s IT for a ton of small businesses that operate within a large business structure. It’s pretty interesting.

Once people began working from home, then all their data lived in their laptops. How do you manage and secure that? This is where our new challenges arose. 

So, they were diversified to begin with. But when more people began working from home, supporting them all became even more critical. The traditional IT model was moat and castle. We had to protect ourselves by using the best firewalls. You can protect anything, but once you’re outside the castle, everything is looser.


Once people began working from home, then all of their data lived in their laptops. How do you manage and secure that? What do you do to get your arms around that? This is where our new challenges arose. If you’re used to the castle technology, you have to create high-speed connections to and from every office to access all of your data for home workers.


Gardner: So, you had constellations of different businesses and cultures – as well as legacies of different IT. To corral that together, you almost have to be a managed service provider (MSP) as an IT organization. Is that fair?


Holmes: I do manage the help desk infrastructure. We also serve up all of the data, all the data center services, and the cloud data management, as well as cybersecurity. From my position, we are set up to service different groups on different platforms and support a wide range of tools across the larger IT organization.


It’s amazing. We’ve taken those requirements and built the tools to service the overall organization. And some of them are complex. Then we come back in with the security and managing compliance around how users access data inside of the tools and how it’s all unique across each of those separate publishing entities. It’s fascinating.


Gardner: In addition to a focus on endpoint security to support a distributed and remote work force, you’ve also had to look at transforming IT.


A lot of times, people have architected their IT -- and then they add on security. Did you try to simultaneous engineer for security and IT productivity and digital transformation? Is there a new way of doing security from your vantage point given your responsibilities?


Security as speed bump, not roadblock


Holmes: Yes, there is a new way of doing security. When I entered, security was a bolt-on, after-the-fact approach. For example, they may have already built a tool. But have they tested it? Or an application. What has been done with them?


We were at the ground floor, as new projects were coming up, on security. The teams were coming to us from a cybersecurity standpoint and saying, “What’s the best way for us to secure this? How about outside software-as-a-service (SaaS) providers?” Things like that.


We needed to make sure that they filled out the security forms to make sure that their architecture and best practices matched with what we were looking for with security. But we found out early in the game that they weren’t compliant. They didn’t have security as their first thought. 

It’s more about balancing risks and building in security. As I tell everybody here, cybersecurity is about being a speed bump -- and not a roadblock. Everything we do should be about slowing down, so you don’t bottom-out your car. You want to keep going, not come to a full stop. There’s no productivity if we have to come to a complete stop. We need to keep moving. We’re getting there.


Gardner: Of course, if you have a security breach, that’s one way of coming to a full stop. You need to have a balance between reducing risk, but also maintaining productivity and creativity.


What have you learned the past couple years about those balances? Has it changed with the remote work? How does digital transformation give you the tools to have the insights to reach that balance better?


Holmes: One of the tools we use, and why I’m here, is Bitdefender. We’re looking at their dashboards all the time. We can see what’s commonly going on. The [endpoint detection and response (EDR)] tools are great for our digital transformation because they’re on every one of our computers, on all of our servers, monitoring and automatically blocking risks.


If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It’s really given us an advantage. It gives us the capability to look at what’s going on. Because if we see a large increase, then we can look into our other tools that complement Bitdefender and say, “What are we seeing on our firewalls? What are we seeing in our security information management (SIM) tool? What are we seeing on our email filtering? Do we see a coordinated attack or is this just a run-of-the-mill type of attack?”

If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It's really given us an advantage. ... Bitdefender helps us be proactive on what's going on. For us, it's been great.

Bitdefender helps us be proactive on what’s going on. For us, it’s been great.


Gardner: And being proactive means you want to react swiftly. Is there a way that you’ve adjusted to the remote workforce -- all of those laptops and home desktops -- rather than being  inside the moat? Is there a way for you to take the information you’re getting from your Bitdefender dashboards and be more actionable with it?


Holmes: Absolutely. If we see a large number of attacks, even if they’ve stopped, we can open up a help desk security ticket and reach out to the user. If the incursion seems to be trying to install something or to attack others in the environment, we can remotely deactivate that device. We just have them ship their laptop to us so we can take a closer look, and we ship them out a new one.


We don’t play games with anything in our environment. It’s better to stop it at the source and move on. But, yes, the tools give us the capability to get out ahead of it all. And we’ve developed a team that is constantly monitoring, seven days a week. Our dashboards look for any correlation, anything ahead, and then work with us to automate or alert us if something needs to be acted on more quickly.


Gardner: And, Heidi, how does your background as a network engineer help in your digital transformation and with security concerns? Have you been able to bring more of an architect’s perspective to how you’re modernizing your IT and security?


Architecting for change


Holmes: Yes, I have. For the past 20-plus years, I’ve worked as an architect, network engineer, and network security engineer. The biggest thing I’ve learned is to go back to the business risk. We understand what the business risk is, and how to mitigate or isolate that risk. But that also means understanding the business you’re working with.


Part of an architecture isn’t designing the fanciest, most secure tooling -- because that’s how you get the balance versus the speed bumps. You have to learn the business, learn about the people, know where their risks are, and then architect around that to say, “Okay, stage one is where we see in our transformation the need to move certain things to the cloud.”

Or, “Our most vulnerable systems need to be isolated because some of them might be near end-of-life and we can’t do certain things with them anymore. We’re going to move them over to something such as a different layer or to firewall them with intrusion prevention and monitor it that way. Maybe some of our websites are older and we need to do something with that.”

We might put some sort of a web application firewall (WAF) in front of it. But you have to lay it all out in stages. And the easiest way to architect and build is to know what the business needs. And then you start designing to have the least productivity impact while giving the most security. So, the biggest bang for your buck: “Let’s start there, let’s hit the quick wins while we’re still planning out the other things.”


And part of architecture is understanding that when you build a process and a project that it changes. It’s a constant re-evaluation. What are the latest tools? The tools from 2019 are not the same tools that I’m working in at this point. Because every year, every six months, every month, something else is out there offering a better way to do things.


For example, a zero-trust architecture was at first a little bit nebulous. Trust nobody and everybody’s like, “Why can’t we trust people?” That’s like, “Well, not everyone’s your friend and even the computer next to you isn’t your friend necessarily either.”


Gardner: Well, that’s a perfect transition to my next question. In an organization like Hachette Book Group, the goal is for people to communicate, collaborate, be creative, and be open.


When you come to them with a security mentality of, “You need to be very suspicious and zero trust-oriented,” that creates potentially a cultural conflict. How have you been able to get people’s buy-in on what you need? Behavior is such an important part of security. At the same time, you want to allow them to be as open as possible and share ideas as they are used to.


Make wide, yet light, security footprints


Holmes: The right mentality is to have the least visible footprint in the things that you’re communicating on, on any given computer. But you also have to trust the communication tools. The things that you use such as Zoom or Teams or something like that. Those are commonly known ports and IP addresses.


We don’t have to overthink it like 15 or 20 years ago, when I needed to know every port that the teams used and qualify that. Our security tools will automatically understand, and part of the artificial intelligence (AI) built into them, knows that these are okay communication methods and it’s fine for us to continue to communicate that way.


So, there’s an openness with video communication and collaboration with a level of security and staying away from custom-built tools to communicate. That will protect you because inherently, custom-built tools usually need extra updating and the people who develop them don’t always keep them up to date. That also will protect you in a zero-trust environment.


But honestly, it’s gotten so much easier with zero trust … because Bitdefender is fantastic for that. It’s always monitoring. The AI is telling us as it’s looking at patterns instead of always at a specific port where you can lock people down and isolate them. So, it can see a lot of the lateral movements, you can see different firewall rules that are not industry-standard and as attacks try to pass through. It’s the only real way to go.


Gardner: You’re describing what people have come to think of as what a security operations center (SOC) as a service could be. Is that how you’re starting to view something like Bitdefender? Or is that a place you’d like to see it go, of where you have a SOC as a service benefit all the time and everywhere?


Holmes: Well, that would be fantastic. And we have spoken to Bitdefender about this. From my past experience, I’ve worked with SOCs, did a little bit of management of SOCs, and brought that into a new organization.


What you see a lot of times is they give you a lot of data. And traditionally, any SOC will overwhelm you with 3,000 alerts and events in a day. And you have a team of three and you’re hiring a SOC to help you. But instead, your team of three needs to remediate all of these things, otherwise they’ll keep showing up, and the SOC’s going to keep reporting and then it becomes completely useless to you.

Bitdefender is using more AI to filter out the things that are less meaningful. It's no longer every single thing that comes across your dashboard. That helps you dive in quicker when there's a problem. 

The modern SOCs, and a lot of what I understood from the Bitdefender side is, they’re using more AI to filter out the things that are less meaningful. It’s no longer every single thing that comes across your dashboard. That helps you dive in quicker when there’s a bigger problem. A SOC can become a benefit instead of a hindrance to a small team because the teams are always already trying to remediate their problems. They only need to know about the things that are brand new major holes because patching everything else should take care of the rest.


Another thing I wanted to mention on SOCs: Back to our transformation, when I mentioned the SIM tools, and having the different dashboards, it takes a while to bring a security team up to speed on what they should be watching for. That’s about identifying what’s meaningful to you. And then to fix the problems they’re finding from doing the scans. The last few years, we’ve been training security staff to do just that. When a SOC comes into play now is when the team is already expert at security and then everything is meaningful. Sometimes you can take the jump to a SOC too fast.


Gardner: A lot of what we hear in the marketplace now is that people are resisting tool sprawl. Too many security tools are not a good thing. They also want tools that will integrate, that play well together.


How are you looking at that balance between having the right number of tools, but also tools that are integrated well in advance?


Just say ‘no’ to tool sprawl


Holmes: I literally just said “no” this week to a couple of security tools because it was just more sprawl. We need to use our tools right. Tools should be useful. They should give you information you don’t already know, or they should coordinate multiple things into one tool so that you can easily discern where a problem is.


So, if a tool doesn’t have multiple uses and it’s not cost-effective, then we don’t want it. There has to be a very specific reason to look at it. Also, every tool needs to be easy to use because we can’t send somebody to three weeks of training. We can’t train a second person for when the first person goes on vacation.


And it has to be automated, it has to be able to page us if it hits certain thresholds. All of that needs to be set up very quickly. Because when we take holidays, there are always less eyes on dashboards. And we still need to know if something’s going on. We need to get paged, woken up, and brought back to the dashboard.

So that’s what we’re looking for. The tool sprawl: Everybody has a tool that they want to sell you -- everybody. It needs to work for on-premises, and it also needs to work in the cloud. It needs to give us all of the information we need. It needs to work in your home to tell me what’s going on in your laptop there. That’s what we need from our security tools.


Gardner: Whenever you ask folks to qualify and quantify how their security is working, the number one response is, “Well we’re not getting hacked, so that’s good.” But because you’re involved with not just security but IT and digital transformation, there’s probably more ways that you can measure the effectiveness of your security approach in terms of productivity, team collaboration, and how your IT support group is able to please your end-users.


Do you have specific ways of looking back and saying, “We made good choices, and we can prove it by blank?” How do you measure your success in digital transformation and security?


Holmes: As far as the users go with collaboration, the easiest way for us to tell is the number of help desk tickets we get. If the users aren’t calling us because they can’t work on their computer -- either because they’ve had an attack or because they just can’t use it because it’s still in lock down -- that’s a good measure.


And if we’re not seeing a proliferation of viruses and malware in our environment then those metrics are great for us, too. We’re constantly watching them, we’re updating them, and we’re reporting all those metrics to our senior leadership in the company. So, it’s been amazing.


Gardner: Let’s briefly look at costs. We’re also seeing many organizations that need to do more with less. Is there a way for you to balance the economic side of the equation with these metrics of success?


Holmes: With the metrics for success, if we purchase tools that help us get ahead of a problem and we don’t have any downtime or a loss of productivity, that is our number one way of evaluating that. So, know your risk, your way of knowledge, and the tools. Tools must do multiple things, be easy to use, and be cost effective.


That’s huge for us because I don’t have to hire extra people, which is cost. I don’t have to have extremely skilled people. I can weigh the cost and the amount that we’re spending in our security and IT budgets and say, “We are doing the right things for our people with the right level of protection and our downtime is in individual users -- not systems.”


That’s how we measure it. Productivity; not lost time. The ability to shift if there is a problem. And that gets back to the training. For example, we recently had a security incident. It turned out to be something from something very old, more than 10 years old, that was transferred to our environment, and we found it with our tools. We shut down a portion of the network and -- because of the training – we only lost about two hours while we investigated it.

A couple years ago, we would have had vice presidents down our throats saying, “Why can’t we do this?” But because we’ve trained our team so well, it was literally, “Okay, let us know when it’s available again. We want to support you. We’ll work on something else.” It was great.


So, it’s all about having the tools, the costs managed, and being able to measure all of our training and practices around the knowledge and people that are behind us. They want a secure environment, and they’re willing to pause if they need to for a little bit while we look at things.


Gardner: You had a speed bump, not a car crash. So that’s a really good indicator.


Holmes: Yes, it was great.


Gardner: Before we end, let’s look to the future. I’ve heard a few words from you, Heidi, like “automation,” “AI,” and “SOC as a service.” What new challenges do you foresee, and what are the best tools or approaches for you to meet them proactively?


Detection advances to patterns


Holmes: The problem is, we don’t know what we don’t know or what the next security problem will be. You need to be prepared for everything. You need to stay ahead as a leader in this field and just listen, watch the articles, and be prepared to pivot when things happen.


The AI and the new tools are great because they are looking for patterns. It’s not like the old days where I would just look for a signature. So, somebody would do something that applies a specific signature, and it could only catch that. It’s now looking for the pattern and then correlating the pattern. As a result, we’re getting many less false positives because it doesn’t look for just one minor anomaly. It looks for a pattern of anomalies, and then it might immediately block it.


There may still be some false positives because of the old applications out there.

We love the tools we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and easiest to drill into. 

We love the tools that we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and the easiest to drill into. I can say, “Wait, there’s a spike in viruses.” I click on it even though they’re blocked. It shows right there on the line if any of them got through. Then we can raise the flag, even though it’s already been blocked. But who is affected and where? I can click, and it shows me the actual machines, and it shows me what it was trying to do.


That’s the best way to stay ahead. That is part of the automation; it is automatically blocking. So, our firewalls automatically block, or quarantine, or do whatever needs to be done. We get automated alerts that ring our cellphones, that send us messages depending on what it is, and we have bridges. We also have automated [processes] where we can automate traditional patching or fight zero days [attacks] or anything that comes up. We have that all scheduled to go. So, that’s not a manual process anymore.


Gardner: Heidi, before we sign off, for those who are also going on a journey where they want to change the way they’ve done security, where it becomes simultaneous to and maybe even in advance of IT decision-making or IT architecting, what advice do you have for them now that you’ve gone through this? What words of advice do you have for people who can make security part-and-parcel with their digital transformation activities?


Start where you are, then dig deeper


Holmes: Get to know your business. Learn. Learn what your business is doing. Then, while you’re learning, start with the fundamentals. What are you doing well in your business right now or in your security?


Do you have good malware protection? Firewalls on your laptops? Things like that. Start with your servers, with your laptops, every device in your environment. That’s an easy place to start. Make sure your patching is up to date.


And then you can start looking a little bit deeper. Vendors -- understand what your vendors are doing. Just because it’s in the cloud doesn’t mean it’s secure. It is not the same thing. You need to understand where you’re putting your data, and what your people are doing. And that goes back to learning the business. 

Lastly, shadow IT. Because everything can go to the cloud, every business is going to try, and every department is going to try, to find their own tool in the cloud. But they won’t necessarily vet it the way your IT security organization will.

So, get to know the business, gain their trust, and help them by giving them speed bumps and not roadblocks. That’s my advice.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.

You may also be interested in:

Monday, April 24, 2023

Why today’s hybrid IT complexity makes 'as a service' security essential

Amid rapidly growing IT security costs and the added complexity of distributed workforces, the challenges facing IT services providers are clearly outrunning past practices. That’s why more automation, integration, and acquiring security “as a service” are in hot demand.

Listen to the podcastFind it on iTunes. Read a full transcript or download a copy.

Stay with us now as the next BriefingsDirect security innovations discussion examines how Heartland Business Systems is seeking such new ways and new partners to ensure that security incidents are kept in check across a variety of hybrid IT services and scenarios.

Here to share his story of increasingly embracing security-as-a-service Jason Nuss, Vice President of Cloud Services at Heartland Business Systems (HBS) in Little Chute, Wisconsin. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Jason, what are some of the top trends driving the need to do things differently when it comes to risk management and endpoint security?


Nuss: Endpoint security is getting more important and broader every day. Cyber insurance definitely has had a huge influence over the last several years. I can remember when cyber insurance applications were just a couple of questions. Now, in some cases, they’re a dozen pages long.



That’s urging more requirements to tighten up security practices. At the same time, the hackers are getting smarter, and they’re moving to new techniques. You know, we’re starting to see more extortion as opposed to just encryption scams, which really has a much greater effect on not only on a specific customer, but sometimes that customer’s clients as well.


During the last few years of the pandemic, we’ve also seen a migration to a more mobile workforce. Some of the companies we work with have closed their office doors. They aren’t going back to physical offices, which has brought in other challenges when it comes to making sure their environments are secure.


Gardner: And how about the current hybrid IT environment? How is that forcing you to do things differently?


Data is everywhere, but is it secure?


Nuss: Data is now everywhere -- as is your staff. We used to be able to secure inside of your walls and you didn’t have to worry so much about external trends. But now we have people working from home and accessing home networks, which makes those endpoints even more vulnerable to more security threats than the ones behind your corporate firewall.


You also have more cloud data and cloud services applications. You need to make sure those are secure as well, which plays a huge new factor. One of the common misconceptions we see is that everything from the cloud is perfect.


A lot of people think that cloud-based software-as-a-service (SaaS) applications include everything and that they are fully secure and fully redundant. But that’s just not the case. People need to take more time to look at the services that we’re adopting and make sure the providers are on the up-and-up. Do they have all the proper security tools, backups, and disaster recovery? Should they have an outage, how will that impact our businesses as well?


Gardner: Right, we have to evaluate the security robustness, if you will, of our entire technology supply chains.


Nuss: Absolutely.


Gardner: How about rising costs, such as for labor? How is that affecting your ability to deliver security effectively?


Nuss: Security costs over the last several years have gone up quite a bit. I often tell customers that security costs have gone up 500 to 600 percent from what they were five years ago.


I’ve been around this industry almost 30 years now. Before, you only had to worry about an antivirus product and a modem for connectivity to the Internet. Then it moved into buying firewalls. But now you have things like endpoint detection and response (EDR)managed detection and response (MDR), and extended detection and response (XDR).


It’s very confusing. You have security information management (SIM)security operations centers (SOCs)privileged access management (PAM), and all these other new technologies that make the landscape very, very cloudy. No pun intended.

But you know, sometimes we have to right the ship for the customer to make sure that we’re looking at security from a proper rollout perspective. You’re starting with the most critical things, whether it be a backup or multi-factor authentication or endpoint security. And then maybe layering on some of the additional services. But it doesn’t make sense for our customers to start out with penetration testing if they haven’t secured their environment ahead of time. We’re going to find out holes, right?


Gardner: And why is SaaS and more automation generally attractive to folks like you as you’re specifying the next generation of security?

Expertise at scale


Nuss: Expertise at scale is very important -- and often overlooked. Just making sure you have a SOC, and maybe if it’s a guy or two, that is not good enough. You need to be able to react appropriately.


So having a larger staff, having a knowledge base behind that, is very important in solving the protection issues -- or even identifying the security issues quickly. Automation is critical to that. When you’re ingesting hundreds of thousands -- or millions -- of logs, you need to be able to comb through that data really quickly. So, automating that is critical. You’re starting to see more artificial intelligence (AI) and machine learning (ML) take over in that space. A lot of the more recent products are using those technologies to identify threats before an analyst would have caught them manually.


Gardner: As we mentioned before, we have to be concerned about our suppliers and partners --- perhaps more than ever. They can come under attack as well. How has that changed how you look at your suppliers?


Nuss: As far as our suppliers go, we’ve started to take a deeper look at the supply chain completely. There are a lot of smaller companies coming out with new technologies. As we look to vet things, not only are we betting on functionality, but we’re also vetting on security elements.

Just turning on an API isn't always a good thing. You want to make sure you're minimizing the impact should they have a breach and that it does not impact you as well. You have to look over the vendors and make sure they follow the best practices.

Just recently, we were looking at a product that would integrate into our customer resource management (CRM) tool to do better data mining out of Microsoft 365, Exchange, and Outlook. And, you know, we came to find out that, hey, that data is being stored overseas. They’re also injecting a bunch of email messages, and so we had concerns around those tools.


Just turning on an application programming interface (API) isn’t always a good thing. You want to make sure you’re minimizing the impact should they have a breach and that it does not impact you as well. You have to look over the vendors and make sure that they’re following best practices. If they’re not, I think it’s good to call them out and let them know. Such as, “Look, you don’t need access to all of these tables for the pieces that you’re trying to access. Let’s minimize the blast radius should you be compromised and so as to not affect us as well.”


Gardner: So, it’s services-subscriber beware, right?


Nuss: Absolutely. You know, with some of the other things that are playing into it as well, with the mobile workforce, you have to secure the edge and make sure you have good endpoint controls, firewalls, and other components.


That was one of the things where Bitdefender rose above the rest for us. They were able to store those things, looking at other cloud storage providers. You know, you also see shadow IT out there. I cringe when I hear people that don’t have corporate policy around cloud storage and where they’re putting up data using things such as Dropbox or Microsoft OneDrive. It’s okay to use those, but make sure you have a governance policy around them, such as a backup strategy and how you’re going to secure that data.


Gardner: We have seen a lot of cloud services use sprawl and ungoverned use, for sure. Eventually, you have to gain maturity about how you do that.


Let’s hear about Heartland Business Systems (HBS). Tell us about your company. What you do, and what do you think distinguishes you from other managed service providers (MSPs)?


Widespread, yet local service


Nuss: HBS is based in the Upper Midwest, we’re just south of Green Bay, Wisconsin. We’re now up to about 12 locations throughout Wisconsin, Minnesota, Illinois, Iowa, Nebraska, Missouri, Arkansas, and Arizona. We have been around since the 1990s, with around 650 total employees and about 350 technical service professionals across many specializations.


People often ask what sets us apart from the other guys in the industry. I think there are a couple of things. We have both breadth and scale. We also believe very heavily on having in-market expertise where we have a physical presence. We try to have expertise so that when our teams are going out on-site, we deliver a quality experience. We’re not always relying on engineers from the center of our company, so to speak, to roll that out.


Our expertise is widespread. So, we not only do the normal networking- and systems-type work -- with a robust Microsoft practice; we’re a gold partner in 16 of 18 different competencies -- we also have an enterprise security and risk management team. [They can also help when] you’re doing compliance audits, vulnerability assessments, and penetration testing. Just in December, we purchased another company, Pratum, that has a SOC-as-a-service offering. It will be interesting to see how that plays into our security offerings over the coming months.

Gardner: When you talk about breadth and scale, that sounds like you have to scale not just up but down and sideways, if you will. That means servicing a lot of different types of organizations across a lot of different industries. So how do you serve that variety? How do you scale up and down and remain efficient?


Nuss: It’s sometimes difficult to address all the different markets. Our total market is pretty much comprised equally and in thirds: of small-and-medium business (SMB), medium-to-large enterprises, and then the government and education spaces.

Sometimes those needs are very different. You have to have offerings that address the needs that they all want. In the SMB space, they typically don’t have security professionals, so we end up being the security professionals for them.


In the enterprise space, a lot of times it’s more of a co-managed solution set. You have to have solutions that address the needs of each of those different classes. For us, we have separate engineering teams in a lot of those spaces, where they focus on specific technology stacks for the specific market segment. They become more expert there, with a SMB-type engineering staff as well as an enterprise engineering staff. They focus on different manufacturers, in some cases, and more elaborate technology at the higher end of the spectrum.


Gardner: With a sizable public-sector business, and I have to assume quite a bit in education and schools, how is that a challenge for security?


Nuss: The biggest challenge in the public sector is often budget. A lot of times it is so focused on hardware migrations – the replacing of endpoints at the desktop, networking, or servers – that security gets overlooked, even though it’s more and more important.

On the IT side, we look at building best practices around policy. Everything starts with that policy, and then you can measure against that policy as you move forward. 

Also, for them, they’re trying to solve physical security concerns in addition to IT security. So, we work with customers on things like video surveillance systems, ID badges, and access control systems.


On the IT security side, we look at building best practices around policy. Everything starts with that policy, and then you can measure against that policy as you move forward. They are also moving to devices that may have less susceptibility, such as Chromebooks where they’re not storing data locally. They’re storing it up in the cloud so they can better protect those cloud assets. They are then less worried about the endpoints, but you definitely have to begin with that comprehensive policy and then obtain the tool sets that goes with it.


Gardner: Is there a positive pay back when you automate more, go policy-driven, and use cloud and multi-tenancy to their full effects?


Multi-tenancy critical in the cloud


Nuss: Yes. For us, multi-tenancy is absolutely critical. I run our cloud services division, our data centers. We have two data centers. As we looked to security tools like endpoint security, it was absolutely critical that these things were multi-tenant. We had products before we found Bitdefender to support 20,000 endpoints through a single management console. To roll out that type of scale, you have to have consistency. There are a lot of great security tools in the marketplace, but if they don’t play into your operational processes at scale, they really don’t do you any good.


As we evaluated for endpoint security, and EDR specifically, we needed to make sure that number one, it was a good product. We looked at MITRE ATT&CK trends and things like that to see where they were playing within the Mitre framework. But number two is how did it work into our processes and into our tool sets?


Could I have a global policy that I could roll out to everyone, so they knew that I had consistency? It’s inefficient for me to go touch 600 different customers within that portal to make one change. I need to make it at a global level and have that be inherited down the chain. At the same time, we have more enterprise customers who want control of those policies themselves. We were looking for a tool that would allow us to give them the access rights to customize the policy or manage their portal as they saw fit. So, we really like those aspects of it specifically.


Gardner: When you try all kinds of new services and products, one of the challenges in security is the sprawl of having so many tools. What do you look for when you’re evaluating your security suppliers and services when it comes to how well they integrate services, in how well they combine tools and meet more requirements, so that you don’t have to?


Tools and services work well with others


Nuss: A lot of times we’re looking for integration. We’re a ConnectWise shop end-to-end so we’d like solutions that integrate into that tool set. Whether it be pushing the software out through ConnectWise Automate and those kinds of deployment tools, or whether it’s alerting within the tool set to let us know that there’s been a ticket that’s been created, or better yet, even closing out that ticket once it’s been remediated.


Those capabilities are very important to us. You can’t just use email anymore to notify people of issues that arise. It just becomes noise and we’ve consulted with customers where they have things like monitoring solutions.


You can’t have a better example than we had when a city government here locally had a ransomware attack. They had security tools that actually notified them the day before that the hacker was in the system, but because of all the noise, they didn’t have the alerts tuned enough and the processes well defined enough so that they missed the alert. The next day, they were hit with ransomware and encrypted across the entire environment. So, you know, lesson learned -- it’s not just about having the tools to block attacks. It’s also about having the processes in place to react when the chips are down, right?


Gardner: Yes, and it integrates into your processes as you pointed out in your help desk or SOC and your other systems that are already in place. You have to take advantage of what you put in when it comes to fast remediation, fast alerts, and email just doesn’t cut it.

Okay, let’s think about reporting and data and understanding what’s going on. It’s about having information to the right in the right ways. What do you look for when it comes to reports for that that single view, or one throat to choke, if you will?


Nuss: We need to be notified of the alert immediately. We’ve created mechanisms that if there is a critical alert, it’s sending a page out to people that are on call and setting off other alarm bells for us to react very quickly.


From our SOC services perspective, we outsource much of our MDR services. So, we create workflows with those vendors that are overseeing some of those security aspects on who should they call first, and how that escalates through our system so we make sure that those can be addressed quickly.

From our SOC services perspective, we outsource much of our MDR services. We create workflows with those vendors that are overseeing some of those security aspects on who should they call first and how that escalates through our system so they can be addressed quickly.

I tell this story to a lot of our prospects. It was the Friday before Fourth of July weekend, and I got a call from one of the SOC analysts telling us that we had someone in one of our client’s environments They were making some lateral movements and they were pretty convinced it was a hacker.


Had that gone on for another three days, who knows how they would be? Now, the good news to the story is it wasn’t actually a hacker. They were having a penetration test done within their environment over the weekend -- so no harm, no foul there. But, you know, had that been somebody that was in there, you hate to even guess how far they could have gotten throughout the environment, how pervasive that could have been without having someone notified quickly.


Many of our clients have seen that in one of their portals. Had they gone in there, they might have seen it in an email when they got to it, maybe the next week when they got back from vacation. But when it comes to security time is money.


Gardner: Let’s look at your security solutions choices. How was your journey in terms of solving these issues?


Nuss: There are two aspects to it. As we looked at endpoint security, we spent more than a year analyzing different platforms. We looked at all of the major vendors out there, the Microsoft Sentinels, the CrowdStrikes, the Sophos, you name it -- we looked at all of them. We narrowed them down from their “based-on” capabilities, based on some of the tools set integrations, based on their go-to market strategies, some competitive natures. Then we went in and started doing field trial tests, so we put them in place. We would kick the tires, tested integrated to our tools, to make sure those workflows came through, and then we moved forward from there, rolling that into our offerings.


It’s a pretty detailed process -- one that was probably more detailed than many of them out there. That’s a big aspect of making sure you’re not just jumping in and saying, “Well, this one’s rated really well. Let’s just take that and move forward with it.”


One of the competitors in that particular space that we looked at -- we really liked the product, but we also looked at financial capabilities of the company. You know, they should be profitable. They shouldn’t be hemorrhaging cash left and right. You need to make sure that they’re going to be in there for the long haul. Having been in the IT space for 30 years now, we’ve seen a lot of great vendors come and go. And so that’s almost as important -- their financial viability -- as is the technology.


Gardner: How much further do you have to go to get to where you need to be?


Operational maturity for success


Nuss: It’s always a constant evolution. With security changing so fast, we try to look at what is  integrating more openly. Who has APIs to integrate into other tools?


Talking about Bitdefender, with this recent acquisition that we have had, they do a lot with Microsoft Azure Sentinel, so we’re working on an integration into Azure Sentinel so that we can have cross-platform capabilities and a layered approach.


We want to make sure the tools that we have can integrate with the overall platform so that we can pick and choose the right platform to deploy to our customers. The other piece of it is you really have to work closely with the customers to make sure they have proper operational maturity levels.


I look to five different levels of operational maturity, and you should move up and to the right in the levels. You should take that same approach with security. Make sure you’re starting with the core components to make sure that you have the big building blocks there first -- such as endpoint security, firewalls, advanced threat protection, on-site and off-site backup, and policy management -- before you move to some of the next-generation, such as SaaS technology, zero-touch network access, zero trust at the endpoint level, and DNS protection. You can go on and on and on.

Security awareness training is also key. For example, our enterprise security and risk management teams came up with a top 10 list that we present as a place to begin. And then we start to talk about where to go as your budget allows.


The other big thing is to get out in front of the process from a budgeting perspective with your clients. I tell them that security costs are probably five times what they were just five years ago, but we don’t necessarily see that in the budget. A lot of times, IT has a real struggle relaying the value of that to the business leadership.

Get out in front of the process from a budgeting perspective with your clients. Security costs are probably five times what they were just five years ago, but we don't necessarily see that in the budgets. IT has a struggle relaying that value to their business leadership.

I like to tell stories and relate things back to what I’ve seen in the past. For example, I was at a trade show and one of the security analysts was telling us about a letter he received the day before from one of his MSP clients. It was basically an extortion letter from a cyber attacker who said, “We’ve been in your business for the last 30 days. We have 300GB your files. Here’s the list of files we have. You can pick any three, and we’ll send a copy of the files just to prove that we have them.”


This was purely financial: “Here’s how much money we want. And by the way, if you don’t pay us, we’re going to start calling every one of your competitors and every one of your customers to tell that we have your data and then try to extort them in the same fashion.”


You tell that story to a business owner and it almost makes you sick. Those types of things are happening out there every day. A lot of times, I don’t think they’re very well publicized because people don’t want to know who has been hacked. But it’s real, and they need to react to it and take it seriously. By telling those stories, or if they know somebody who has been hit up for ransomware or extortion, whatever it may be, those stories make a big difference, too.


Gardner: On measuring that value, what are your most important key performance indicators (KPIs) to demonstrate to your leadership that you’re spending your money properly and wisely? When it comes to things like EDR and what Bitdefender is providing for you, how do you measure the value?


Nuss: That’s always a tough question. At the end of the day, we look at where we see threats and infections and the reactive support needs. We have an incidence response team here to help clients. And we try and track what’s happening there -- how many alerts, remediations, and things that are fixed on a monthly basis to prove value.


From an MSP perspective, we send out reports to our clients showing all the security events that we’ve seen. These are the things that have been blocked to make sure that they understand the value that’s there. Otherwise, the value is out-of-sight, out-of-mind, right? If they don’t have a problem, they don’t necessarily think that any problems ever existed because you’re blocking something. You’re doing a good thing, but they don’t always realize that.


Gardner: Of course, not being hacked or ransomed or extorted also factors pretty high up there.


Nuss: Yes, for sure.


Gardner: Okay, let’s look to the future. What comes next? What are you looking to do in the next three years?


Take down tool sprawl


Nuss: Some of the big things that we’ll look at include which tools are working better together and where we can consolidate reporting. So, combating tool sprawl. It’s a real problem out there, trying to bring reporting from the different tools together so we can show the overall, cohesive strategy. That is going to be more and more important.


We want to work with vendors that are really open. I would be surprised if we don’t see more of the security vendors adopt standards where they’re sharing things in a more cohesive fashion. Whether it’s endpoint security, DNS protection, or zero trust – ways that security threats can be more consistently delivered to reporting mechanisms to develop better overall dashboards.

You’ll start to see more API integrations, where you have reporting tools that now are able to work with vendors to block things. So maybe your endpoint security is integrated into your SOC services. You could, at the click of the button, have a disconnect or block of a particular event automatically -- or even manually -- when they see those issues without necessarily having to move into different tools.


That’s where you’ll see the automation components come in. And then they’ll start to create workflows that work with that, so if an event is triggered, they can use that to run scripts against things to start to shut things down or just connect them or remediate at inception to prevent it spreading. That’s where I think things will be headed more and more.


Listen to the podcastFind it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.

You may also be interested in: