Case Study May 19, 2024




I don’t care what anybody says. I don’t think there’s any organization out there that doesn’t suffer from minor incidents all the time. And the key to avoiding a minor incident changing into a major one is just being proactive and tightening up security as much as possible.

My name is Michael Rose. I lead information and product security for a company called Vertiv. We build data centers, and pretty much everything that goes inside of them except for servers and compute. Maturing any security team is definitely front of mind for every cybersecurity leader.

I think getting teams from the reactive position to more proactive also can then reduce the number of tickets that take a lot of time to resolve minor problems, and then you can divert their time towards more strategic objectives such as fine-tuning of systems, and then improving the detection capability. As you work to eliminate those minor things that cause the runaround and time waste, you can ultimately keep optimizing your environment. When it comes to success, I think any cybersecurity team will first and foremost say it is not suffering some kind of major incident you couldn’t recover from.

And I think being able to manage, like, the detection piece and even getting more proactive with seeing misconfigurations, and then correcting things prior to the incident actually happening. And then if there is an incident, the quick detection of it, that mean time to response, the time it takes to respond, and ultimately, applying lessons learned. We use SecurityScorecard for third-party risk management.

And it’s not just for us, it’s, again, for our customers. We monitor our supply chain, our vendors, the people who process our data, the people who supply us with critical elements that go into the products we make ourselves.

And that gives us that opportunity to preempt a problem or at least rapidly detect it. If one of our customers determines one of our vendors is compromised, they’re gonna start asking questions. And with a tool that can give us that information, we can have a very thoughtful, intelligent response. The SecurityScorecard onboarding process was pretty seamless.

We were up and running right away. We have a pretty solid understanding of our external-facing IP ranges. So it was a really quick onboarding, and we began to see and receive insights almost immediately. From a cost-benefit perspective, we’ve been able to skip the whole manual search process for information that would pertain to a security risk, and we can better aggregate information to communicate to teams who need to fix different things in our infrastructure, so they can rapidly move forward in fixing those things.

When it comes to talking with my peers about third-party risk management and external attack surface management, I definitely believe in having, again, that outside-in point of view or viewing yourself from the lens of your customer, or generally anyone on the internet. And while no one initially likes to have their flaws pointed out to them, in the long run, it’s definitely what people should be doing. It’s the right thing to do. It’s better to know and to be able to respond, and I think the overall level of customer service has been great with SecurityScorecard.

So, I’ve used a competitive tool in the past, and I don’t think the value was there. Just going towards the future, you know, I wouldn’t turn back. It’s just a great tool to use, and if you’re gonna do anything, start looking at yourself from the outside in and avoid, you know, the heartbreak and disaster that comes with the incident you don’t wanna have happen. It’s been a great relationship, and it’s been very easygoing.

And anytime I ask for help, I get it.