Information security leaders today are faced with increasingly complex challenges, needing to balance the demands of a growing business against the risks of operating in a global, connected marketplace. To be successful, they must bring a novel approach to problem solving and foster collaborative relationships across the organization. This is why each year, IDG “honors innovative security projects that demonstrate thought leadership and outstanding business value” with the CSO50 Awards.
BitSight is proud to share that one of our customers, Jasper Ossentjuk, CISO of TransUnion, is among the honorees. Below is a transcript of our conversation with Jasper discussing his award-winning security program.
BitSight: Welcome, Jasper. Thanks for taking some time to talk with us today! It must be very exciting to receive this honor. Can you tell us about your nomination?
Jasper: Thanks for having me. Information Security is of utmost importance to TransUnion. We were nominated for our Enterprise Security Ratings Platform (SRP), which is a program we built around BitSight’s security ratings technology, for monitoring an organization’s security posture on an ongoing basis. SRP supports our third-party security program, self-assessment exercises, security benchmarking (competitive and internal), and mergers and acquisitions activities.
BitSight: It sounds like you are using security ratings in many parts of your business and I would love to dig into that some more. For starters, can you tell us a bit more about how you are using BitSight in your third party security program?
Jasper: Our initial focus with the SRP project was monitoring the information security disposition of critical third party service providers. As you may know, doing this manually requires a lot of time and human resources, so we were interested in working with BitSight to gain deeper visibility and automate some of the work. The SRP provides flexibility to add, modify or delete service providers as needed, and the Platform provides a risk rating reflecting the security posture of each organization. Using the risk rating, we are able to determine which service providers are maintaining an adequate risk posture and which service providers need additional focus and follow up.
BitSight: You also mentioned that SRP is being used for self-assessments and competitive benchmarking exercises. Would you share some details on that aspect of the program as well?
Jasper: SRP is used to self-assess TransUnion's global information security posture. As a service provider to many banks, insurance companies, healthcare organizations, financial services and government agencies, TransUnion's information security program is frequently evaluated. SRP enables us to keep a real-time pulse (through continuous self-assessment) on the dynamic threat environment and risks to TransUnion and ensures that we are well prepared to address our customers' heightened expectations for security controls.
We also use SRP for internal assessments to benchmark TransUnion business units and geographies. It helps us to categorize and tag our assets by business unit and by geography, and produce reports to stack rank the security ratings across the TransUnion enterprise to drive heightened transparency, visibility, ownership and accountability for resolution of security deficiencies. Using the stack ranking reports, we are able to drive measurable accountability and ensure greater consistency and cohesiveness of our global information security program. We have ongoing and immediate visibility to business units and geographies that are falling behind enterprise standards and expectations for security controls.
Additionally, the platform provides us with the detail required to benchmark TransUnion's information security program against that of our competitors. We are able to see on a rolling basis where our security program ranks relative to our competitors, and this visibility helps us gauge the level of information security investment and business risk appetite associated with our program in comparison to our industry and peers. This information is shared with the Board of Directors, the Audit Committee and our leadership team to provide an independent view and assessment of the TransUnion Information Security program relative to our peers.
BitSight: How is TransUnion using SRP in its mergers and acquisitions strategy? With an increase in publicly announced security breaches, including some associated with M&A activity, I am sure that many organizations would be interested in hearing about this part of your program.
Jasper: Absolutely! SRP is used for assessing the security of all merger and acquisition activities at TransUnion. When an acquisition or investment is identified by the business, the target organization is included in SRP and we begin monitoring and evaluating immediately. The enhanced insight we receive from SRP prior to the acquisition (or investment) better informs all of our due diligence activities across the business, technology and security work streams. The Security Ratings Platform gives us an early read on security deficiencies and this enhanced visibility, particularly with respect to material deficiencies, is considered in the development of the acquisition pricing, legal day one activities, and integration plans. On the day an acquisition is approved, we already have an initial plan underway for security control remediation and additional assessment activities.
BitSight: Your SRP program is being used to drive some critical business decisions across your organization. Are there any measurable results that you have seen from this project?
Jasper: Our results can be measured in three areas: improved security, transparency, and efficiency.
Improved security: SRP enables TransUnion to monitor more service providers on a continuous basis. We have insight into more service providers, and can go deeper into our risk weighting categories than previously available. Prior to the implementation of the Security Ratings Platform, we could only conduct onsite and teleconference reviews of our service providers. With the addition of SRP, we've added a third category of monitoring, leveraging the automation provided by SRP. We’ve leveraged SRP to monitor about 6x more vendors than we were able to a year ago and are on track to monitor as many as 10x more. This provides much greater coverage in managing the extended security footprint of TransUnion. The ability to look across a broader range of our service providers, coupled with SRP's ability to produce reports directly for our service providers, results in significant security improvements that we previously could not assess.
Transparency: SRP generates benchmarking reports that compare TransUnion's security posture to that of our competitors. This is a portfolio view that we can maintain dynamically, allowing the addition or removal of competitors on the fly. With this flexibility, we are able to compare not only to our competitors, but also to key customer segments or key customers directly in the banking, insurance and healthcare industries. These benchmarks are shared with the TransUnion Audit Committee, and with TransUnion senior leadership. The information gives leadership a comparative view of the strength of our security program in real time over an extended time horizon. As the TransUnion portfolio grows either organically or through acquisition, the changing security posture is reflected and helps guide management decision-making with respect to business risk appetite. Benchmarking data has been a key data point in securing additional funding for acquisition integration (to invest in improved security tools and remediation activities for acquired entities) as well as additional funding based on changes in the underlying threat environment. The transparency and benchmarking data provided by the SRP has been a component of the business case to increase TransUnion information security program funding.
Efficiency: SRP has greatly improved efficiency by increasing our capacity to monitor 6x the number of vendors (currently) without increasing headcount and up to 10x the number of vendors with only minimal FTE impacts. In fact, the cost avoidance we've achieved through leveraging SRP results in the program being fully self-funding. To make that point clear, SRP has allowed us to expand our current service provider coverage by 6x without adding any new FTE. The cost of FTE to achieve the same 6x increase would have been twice as much as we are spending on SRP.
BitSight: With such amazing results, I can see why TransUnion was selected for the CSO50 Award. You and your team have taken a truly innovative approach to information security and operate a world-class risk management program. Thank you for sharing your insight with our readers. BitSight has enjoyed working with you and is so excited that you are being acknowledged with this award.
Jasper: Thank you. It’s been great talking with you and we really appreciate your support in making this award possible.
Want to learn how you can reduce cyber risk in your organization? Download Making Risk Management More Effective With Security Ratings to learn how to benchmark your level of risk versus the industry, how to manage third-party risk, and more.