Information Security: In Conversation with Dr. Marco Ermini, CISO at EQS Group
An interview about preventing breaches, dangers and the worst case scenarios. Read our blog article now to find out all about InfoSec.
In an age where information is the lifeblood of businesses, ensuring its security and integrity is of paramount importance. In this exclusive interview, we sit down with Dr. Marco Ermini, Chief Information Security Officer (CISO) at EQS Group to discuss the nuanced world of information security and the critical role it plays in safeguarding compliance software.
What is Information Security?
Information security (or InfoSec as it's commonly known) is anything that goes into protecting the information of a company. For EQS this relates to both internal company information and information we hold on behalf of customers. We have a classification policy for our information depending on the sensitivity of the information. Some information, like this blog post, is not sensitive and open to the public, but our source code, for example, is our intellectual property and is therefore highly commercially sensitive. We use a simple traffic light protocol to classify our information – green if the information is public, amber if the information is for EQS internal staff, and red if the information is only for restricted groups within EQS. Customer information is always classified red.
What is the difference between Information Security and Cyber Security/IT Security?
Let me clarify my standpoint: among various definitions, I consider the one derived from ISO/IEC standards to be the most appropriate.
Cyber or IT security is focused only on digital information. Information security goes much wider than this and encompasses the protection of all forms of information, regardless of whether it’s digital or physical. Aside from the differences in everyday processes and tasks, the difference manifests most clearly when it comes to strategic decisions. For example, if a company decides to expand to new markets, it initiates a chain of events with significant ramifications for information security. In such instances, the role of information security becomes pivotal, demanding its involvement at a much earlier stage in the process compared to the functions of cyber security or IT security, owing to the numerous interdependencies it entails.
This is just my viewpoint, and it’s not meant to be exclusive. Some readers might use frameworks other than ISO and have a different taxonomy, which is perfectly fine, as long as we can understand each other.
Why is Information Security in software so important?
It is estimated that 75% of the economy at least in the western world depends directly on information. Regardless of your industry, whether or not you operate in the software sector, the impact is universal. In today’s landscape, software is essential for anything, be it safeguarding intellectual property, running industrial machinery, or simply tracking your sales team’s fleet. Software is a necessity for operation and the safeguarding of valuable information. When your information is jeopardised in any way, for example if your competition or a hacker steals it, or when the information is not available to you because there is an outage – all of these things have a direct impact on your business, and will cost you a lot of money. Maybe even your business entirely.
What measures can companies put in place to prevent breaches?
EQS employs best practices when it comes to information security, adhering to the most important international information security standards including ISO 27001, ISO 27017 for cloud and ISO 27018 for privacy. We use these frameworks to develop our multiple controls. We request audits from external, reputable firms and ratify our third party certifications once a year to confirm that we are fulfilling the minimum acceptable level for security.
We always try to be one step ahead. We also employ strong authentication and access controls: we mandate 2-factor authentication for all our employees, which means they have to accept an authentication challenge over an external device – which is resistant to phishing attacks. We also have special security software which scans our entire estate, as well as multiple types of source code scans and a four- or six-eye review before the software we develop goes into production. Threats change daily and we have to be vigilant, and constantly improve our security posture.
We set up an internal Security Operations Center (SOC) which in 2024 will run 24/7 to react to customer requests, potential intrusions from hackers, and any kind of information security event. While many companies outsource this externally, we prefer that the first response comes from us internally as we understand the environment. We use encryption everywhere, and we don’t use any internal networks at EQS anymore. We have moved away from VPNs, and adopted a Zero Trust Network Access framework, which means that every computer and identity at EQS is always authenticated. Every piece of traffic on these computers is inspected.
We do regular testing and training; in particular, we train our developers in secure coding. We also commission external penetration tests on our products, which offer our customers additional confidence. We also run a so-called bug bounty programme which offers a reward to external researchers if they find problems with our software.
All Microsoft Windows systems employ Rapid-Recovery technology to defend against ransomware, and we reinforce security with a range of external monitoring tools that continuously scan EQS’ estate for vulnerabilities.
And if all else fails, we always have backups! We back up everything into secure, remote locations every four to 24 hours, depending on the environment.
If, despite all of this, a data breach occurs, we have adopted a “retainer service”. This is a renowned, specialized, world-class threat and incident management firm which intervenes, 24 x 7 x 365, within four hours of our call. They produce an independent report which can be provided to customers, as required.
All this is considered a very good level of protection, and companies should demand at least a similar level of security from any SaaS provider they work with.
Of course every company is different. The shape of a company’s information security programme will depend on its risk assessment.
What are the dangers of a lack of Information Security especially in compliance software?
If a company adopts insecure compliance software, there are many dangers. You are putting very sensitive information into this software – approvals, policies, whistleblowing information – which is controlled by an external entity. It is paramount that this information is kept secure because it would be disastrous if leaked.
But the dangers are not just on our side. The security of our software depends on shared responsibilities and our customers need to understand this. This includes effective management of their accounts and which employees have access to what information. These are elements which we as a SaaS provider have no control over!
I strongly advise caution when considering collaboration with a small company that lacks a robust information security program.
Certain companies, lacking a robust security infrastructure, attempt to obscure the situation by presenting certifications and audit reports of their data centers as if they were their own. It's important for customers to grasp the exact scope of ISO/IEC 27000 certifications or ISAE/SOC audit reports and determine whether they cover the SaaS offerings as well or are restricted solely to hosting services.
Remember, your data’s safety and confidentiality depend on how much attention your SaaS provider pays to this critical subject.
What are the worst case scenarios in terms of damage and costs?
Data breaches can happen, particularly if you choose the wrong software. They can result in extremely expensive privacy fines but there are also reputational damages for a company. For example, there are examples of mergers and acquisitions becoming much more expensive following a data breach, such as the merger of Verizon and Yahoo. There are also costs of notifications if you have to inform customers and employees of a data breach. In this case you might even have to pay them legal and privacy protections. There are cases as well where it becomes a criminal case and the CISO receives a court sentence as a result – this happened recently at Uber.
How do EQS Group and Compliance COCKPIT comply with Information Security standards?
In addition to ensuring strict GDPR and legal compliance, as previously discussed, we have implemented multiple monitoring and prevention systems. Perhaps even more importantly, we have a dedicated, highly skilled security team. Our security experts come from diverse backgrounds and nationalities, and we proudly maintain a significant female presence in the team, which is not common in the industry.
Our security professionals undergo continuous training, certification, and actively participate in major security and hacking conferences. This means that we can detect security events within minutes and address them immediately, preventing them from escalating into breaches.
We value our information security staff and compensate them above market rates, providing them with the best tools and education. Furthermore, our company is known for being a great and desirable place to work, which attracts top talent. As a result, we have never needed external recruiters because our reputation is well known within the industry.
We also want to stay in touch with our customers on this topic and we have hired for a special role – starting in October of this year – specifically responsible for responding to information security requests raised by our customers and prospects.
I am extremely grateful to EQS executives who hold information security and customer information in the highest regard and have granted me the opportunity to establish such a comprehensive security program.
Can a small or even a larger company, not as committed to security, one that doesn’t hire trained incident responders and security professionals or conduct annual disaster recovery drills, make the same claims?
Companies should demand nothing less from their SaaS provider.