
Pointing in the same direction: why Visma is also a security company


Norway’s Visma Group has hundreds of companies under its wing. All of them have to meet a certain security standard, yet they can still remain themselves. To make that work, Visma acts as security specialist, advisor and supportive mother to all of these companies.

Visma is not a company but a group with more than two hundred IT-related companies under its wing. Acquisitions are a key strategy for the originally Norwegian group, which invests in companies of all sizes. In our country, for example, the scale-up Beeple was taken over, but so was the larger CRM specialist Teamleader. Traditionally, acquired companies can continue to operate independently, but parent company Visma requires certain standards to be met. When it comes to security, there are a few things to consider.

Common criteria

“We buy about one company a week,” confirms Espen Johansen, Chief Security Officer of the Visma Group worldwide. “How do you ensure these organizations have proper security practices in place?” Visma opts for a guiding approach that requires the organizations to meet certain standards. “You can easily compare the approach to Common Criteria,” says Espen.

Exactly what companies should do depends on their maturity, their business model and the industry in which they operate. Of course, anyone offering a critical cloud product has to patch applications faster in the event of a security problem than a company that keeps software on-premises with customers. In general, companies under Visma’s wing must meet certain security standards, in which rapid patching plays an important role.

Playfully towards maturity

As CISO, Cindy Wubben is responsible for Visma companies in the Benelux countries. “Our job is to lead companies to a higher level of maturity,” she says. To achieve this, Visma has developed a series of programs that acquisitions must follow.

Wubben: “When we buy a company, we make it part of our security program. We help with the onboarding and show them what they have to implement. They are encouraged to make rapid progress through gamification and a clear dashboard.”

Visma provides its own tools that, for example, monitor vulnerabilities, but there is no universal set of hardware or software that companies are required to use. “They can continue to use their own systems,” says Wubben. “We help them to improve where necessary,” continues Johansen. “But conversely, we can sometimes learn epic things from new companies under our roof.”

From mom and dad to the board of directors

Visma has more than 600 products in its portfolio. “At least one person per team is responsible for security,” says Johansen. “Separately, we have about 85 other people like Cindy and me involved in security.” Johansen and Wubben say they act as caring parents first. They help companies on their way to maturity, but let them decide for themselves. “And when things get really tough, it’s good to have a parent around,” Wubben laughs.


Of course there are limits to paternal and maternal love. Johansen: “We can quickly go from being a loving mum or dad to a board member. We monitor security parameters with KPIs that are just as important as financial results. When a company’s performance is not up to standard, the manager has to come and explain.”

Data first

Security within the Visma Group is data-driven. For all services, the company collects data on vulnerabilities and their status. Clear dashboards show which services are OK and where there are problems. If a vulnerability is not closed in time, it shows up across the Visma organization as a large red area.

It is not always easy for new companies to connect their systems to the Visma backend. Wubben: “Of course they have to implement our system. This usually takes several months but can sometimes take longer when many legacy systems are involved. Exceptionally, a product even has to be rebuilt to meet the right standards.”

Wubben points out that all Visma companies have a clear understanding of what is expected of them and are able to get help in their own language if needed. She doesn’t mean Dutch or Norwegian: “Our security programs are developed by IT people for IT people.”

As a kind of security advisor, Wubben and Johansen help Visma Group companies on their way to adequate maturity. Companies can choose their own tools, but must integrate their environment with Visma’s overarching system, which is responsible for monitoring and tracking security issues. This data-driven approach is what makes the security KPIs possible.

Economies of scale with a SOC

Visma’s role doesn’t end there. Companies that wish to can also subscribe to Visma’s SOC. Such a Security Operations Center, which monitors a company’s IT landscape in real time, is practically impossible for a single SME to set up on its own. The Visma Group, however, uses its economies of scale to offer a SOC itself, as a kind of service. Wubben points out that this isn’t mandatory either, although it represents a great opportunity for acquired companies.

Bug bounty and pen testing

Does this security approach work? Visma prefers to be certain. For that reason, the group relies on both a bug bounty program and penetration testing. Pen testing is the penultimate line of defense: ethical hackers look for vulnerabilities in the solutions, services or infrastructure of the Visma Group and its companies. According to Johansen, however, penetration tests alone are not enough. “Such a test not only measures the security level, but actually also the skills of the testers,” he notes. By definition, they won’t find what they can’t find.

Visma’s last line of defense is therefore the bug bounty program. Visma invites white hat hackers to attempt to break in digitally whenever they like. Anyone who finds something and reports it responsibly is compensated for it and, rightly so, listed in a hall of fame. It’s not free, although the cost of the program isn’t too bad. If hackers find a bug, they get compensation as a thank you. Johansen: “For services that have everything in order, the bug bounty program can cost thousands of euros. If we roll out a service a little faster for a specific reason, the cost can go up a bit.”

Threat Intelligence

Of course, Visma doesn’t wait for hackers to find something before taking action. The size of the group allows the company to assume the role of a true security specialist. “We have sensors in many places around the world,” explains Johansen. “We’re always trying to discover and understand new threats to our businesses.” For example, Visma has its own form of threat intelligence that protects the group from sophisticated attacks. “We are also informed if, for example, certain data is sold on the dark web,” adds Johansen.

All of this gives Wubben and Johansen confidence. “I think it’s very difficult to launch a successful attack on a Visma company,” says Johansen. This matters, because Visma companies play a crucial role in keeping their customers safe. Anyone who breaks into Visma could theoretically cause great damage worldwide. The power of so-called supply chain attacks has become painfully obvious since SolarWinds and Kaseya. “Long before these attacks happened, we were already bracing ourselves against this type of hack,” says Johansen. “I think something like that only works with insiders who have been here for a long time.”

Visma clearly understands that security is a real priority. With data, dashboards, KPIs, their own SOC, penetration tests and a bug bounty program, Johansen and Wubben try to leave nothing to chance. Visma is thus developing into more than an umbrella group for companies. Looking at the overall strategy, Visma is becoming a kind of security hallmark.

Source: IT Daily
