Case Study May 27, 2025

Altair

Transcript:

Jeff Marcini, Chief Information Security Officer

So my name is Jeff Marcini. I’m with Altair Engineering Incorporated. My title is Chief Information Security Officer. Altair is a worldwide organization. My business is looking at our product portfolio, which includes mechanical engineering solutions—that’s our heritage, that’s our oldest part of our operation. But increasingly over the years, we’ve actually acquired organizations, we’ve grown organically as well.

We help organizations with business intelligence, workflow management, high-performance computing—which is a really big area now—and of course, much more now in the civil engineering and other disciplines in engineering. We also do services. We have customers that have our staff onsite, embedded in their operations, so they trust us with their data. And then lastly, and this is the part that is increasing too, doing cloud services, SaaS software, that type of service, so that our customers do not have to necessarily run the entire stack on-premise anymore.

What happens is we have to look at our services and the software and so forth that we publish to our customers, make sure it’s safe, make sure it’s secure, help with patches, help with security advisories, that type of thing. But also internally, make sure our infrastructure—because we’re developing software that our customers have to trust—can be trusted.

Before SecurityScorecard, we had to look internally at ourselves. But also, in many cases, our customers would reach out to us and say, “Did you realize your web server is running an outdated version of Apache?” SecurityScorecard came in because we did have largely a manual process. We had spreadsheets of all our vulnerabilities. We had things like Splunk, intelligence logs of things that were being probed. Our domain name starts with an “A” in the Latin alphabet, which means the script kiddies—pardon the term—would often be attacking us before, say, another organization that was further down.

So we had to deal with that fact. And really, when it came down to it, those manual processes were essentially stealing our time away from being able to harden our products and harden our infrastructure. And in many cases, we were missing signals that perhaps we should have been paying more attention to.

When I was evaluating solutions with my team, we were looking at what do our customers trust, what do our service providers and so forth use, so that we can align with them and possibly move faster. And it turned out that SecurityScorecard was very well regarded in the industry already back then—and this is years ago. It was sophisticated enough where it could look at our entire footprint, but the key is we could also add essentially these acquisitive companies that we were bringing on board. We could add them to the platform and very quickly scan them so that before they joined our network, before they joined our infrastructure, we could say, “You have X, Y, and Z issues.” And that really helped us move faster with these organizations.

So a day in the life of me as a CISO using SecurityScorecard—with my team, we have about 10 SaaS portals, some of which were done through acquisitions—we look at those every day to see, okay, what has changed since the last reporting? Is it good? Is it bad? We look at our patching cadence—that’s very important, of course, not only to ourselves but to our customers. So we look at that, and then we reach out using our ticketing system, which SecurityScorecard can integrate with, which is fantastic, to—if there are pain points—get those addressed as quickly as we can.

But then also we look at our suppliers. So we have a large base of organizations that we use their software, we use their services. So we look at their status in the platform and see, okay, has anything changed? Hopefully, things have gotten better. And certainly with Scoring 3.0, we saw a huge shift in the level of detail we get, which is wonderful.

I’ve been most impressed with SecurityScorecard when we look at its ability to see our entire digital footprint. And that also ties into the wonderful CVE details platform. As a software supplier, we have to look at that very, very carefully. Our footprint is complicated, and we’ve been very acquisitive. We have many different networks. We’re in 35 different countries. So because of that, as a human, it’s very difficult to keep all of that in our minds.

So having that footprint in place can also expose where maybe we make a mistake and we bring something on that’s shifted to a different provider without telling us, for example. People sometimes forget—they’ll do something and not realize, oh, I should probably tell the security team. That discovery has been phenomenal for us, and it’s grown with us as we’ve grown as an organization as well.

When we work with our suppliers, we do use the action plans built into the platform. We can also invite them into the platform, which is very helpful. And that’s allowed them to look at their own score and see, okay, this is an issue.

SecurityScorecard has helped my program mature, you know, dramatically in actually several different ways. By looking directly at our score improvements and where we’ve been deficient, we’ve been able to very quickly see specifically where those problems are and then very quickly be able to reach out to our DevOps team or our IT team and say, can you please fix this?

And then those complex relationships where you’re a supplier and a customer—it really can be quite elaborate working on it—but it’s helped the entire ecosystem mature and be more stable. And that’s really what we appreciate SecurityScorecard for.

Where there are issues—for example, the Log4j vulnerability that was famous—we’re able to very quickly look at our entire footprint and notify everybody: this is the problem, this is how you can fix it. And that allowed us all as an organization—and our suppliers—to come along with us to be more mature.

So how has SecurityScorecard made a difference for me as a CISO of an organization that again is very acquisitive? It’s that I have a complete look at my entire digital footprint at all times. And I’m able to see my supplier footprint as well in one platform, which is very powerful for me, because it allows us to look at—if we’re going to outsource a piece of technology or if we’re going to insource a piece of technology—I can look at the footprint and see what that effect is going to be, not only in my staff time and my costs, but also: are we going to succeed or fail as an organization?

And obviously, we want to succeed.