Headline
How a Centuries-Old Company Reached Security Maturity
In this case study, a 180-year-old life and pension insurer brought its security infrastructure into the modern age.
Source: M-Production via Alamy Stock Photo
LV=, the leading pension, savings, insurance, and retirement company in the UK, has a long and storied history. Over the years, the 180-year-old company has expanded its portfolio to provide every type of insurance, investment, pension, and retirement offering imaginable. It has continued to push the boundaries of what’s possible, investing in new technology.
By 2021, much of the new infrastructure and other digital modernization was complete. At the same time, company leaders suspected that its approach to security wasn’t as effective as it could be. To find out, the company hired one of the Big 4 accounting firms to assess the situation by comparing it to the NIST cybersecurity framework.
What came back was sobering.
“It became apparent how low the maturity was,” says Dan Baylis, the chief information security and data officer LV= hired to fix the situation. “That’s when they realized that they needed to invest and address the sins of the past.”
Assessing the Existing Security Stack
As soon as Baylis was hired, he assessed the entire security stack, along with processes and procedures.
He found plenty of issues. Most importantly, the infrastructure lacked modern security controls. For example, the system still had signature-based antivirus controls, and the email gateway wasn’t aware of modern threats.
Baylis also determined that there was no way to measure the effectiveness of security controls. In addition, each individual security control, such as anti-malware, wasn’t fully connected to the entire infrastructure. Instead, it could monitor only what it was directly connected to. And because there was no central view, the security team could only be reactive to things like vulnerability disclosures.
The relatively rudimentary security infrastructure also prevented company executives from making data-driven security decisions.
“Being data-driven takes the emotion out of things. For example, if we’re telling someone that they don’t have the right patching levels or are missing security controls in a certain area, the data should back it up,” Baylis says.
Baylis also believed that LV= needed the protection of continuous security validation but that it couldn’t get there with its legacy security controls.
“Continuous security validation would enable us to have the evidence to underpin the investments and improvements we needed,” he says. “So I could explain, ‘This is how attacks happen, and this is how resilient we are to them.’ So instead of asking them to trust me, I could show them.”
Overhauling the Security Infrastructure
With his assessment complete, Baylis started rebuilding the company’s security infrastructure from the ground up.
The first order of business was implementing a breach attack and detection system (BAS) to help monitor for security blind spots and provide continuous security testing.
More organizations than ever are using security tools that provide attack path management and security control validation like BAS, pen testing as a service (PTaaS), and continuous automated red teaming (CART). In a recent survey (subscription required), Omdia found that 71% of 400 security decision-makers consider these tools important or extremely important.
BAS is a methodology for determining how well security tools are working so they can be optimized, explains Andrew Braunberg, principal analyst at Omdia. BAS tools do this by simulating attacks, often using established threat models such as the MITRE ATT&CK framework. BAS tools can also typically perform automated simulations, threat model mapping, and continuous testing.
Baylis started by implementing Cymulate’s BAS solution. The most important features to him were the ability to test emergent threats, continuous security validation, and a consolidated view of the company’s security posture.
“I wanted a tool that could not only help me demonstrate our risk exposure but tell the story of how resilient we are to cyber threats,” he explains.
Using the tool, Baylis says he has been able to show decision-makers active attacks and demonstrate the company’s new resiliency to them, along with the health of endpoint controls and gateways.
Next up was choosing a tool for continuous control monitoring. Baylis chose Axonius, which monitors data from different sources — like Active Directory, anti-malware controls, and patching — and provides a holistic view. With that information, the team was able to build dashboards that show the company’s security-control coverage gaps.
Baylis also chose SecurityScorecard, a tool that calculates the health and effectiveness of an organization’s cybersecurity infrastructure. This addition enabled the organization to benchmark its security posture against its peers.
This led to another watershed moment, when LV= received a “C” on its security rating from SecurityScorecard. As a result, the team made hundreds of changes related to issues like expired certificates and weak ciphers. The company now has an “A” rating.
Rounding out the new security infrastructure were next-generation anti-malware controls, a new email gateway, a new Web gateway, and a password manager.
Supporting the Human Side of Security
Now that LV=’s security tooling has been modernized, Baylis is turning his attention to the human risk side of the security equation. He implemented a dedicated phishing test and training for employees. He’s also thinking about hardening the company’s email infrastructure.
“While we will have a continued focus on cyber resilience, we also want to encourage good security awareness,” he said. “Both are critical for effective security.”
About the Author
Contributing Writer, Dark Reading
Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.