
The value of threat modelling

By Kathryn McConnachie, Digital Media Editor at ITWeb.
Johannesburg, 11 May 2011

Speaking at the ITWeb Security Summit, MiX Telematics CIO Quinton Pienaar yesterday outlined the way in which the company approaches internal security and how the Corporate Threat Model analysis has changed the business.

"Due to the nature of MiX Telematics' work, our system being online is vitally important to the 24-hour operation of our services.

"We used to take a fairly traditional approach to organisational security, but the game changed and customers' expectations changed, and we had to adapt accordingly."

Pienaar explained that, in the past, there were brief periods of intense focus and effort when it came to security, but it would merely be a matter of time before security was again relegated to the back of the mind.

"While penetration tests and assessments offer the opportunity to improve and advance internally, they do not provide answers beyond that."

With the growth of the business and the need to accommodate a growing number of remote workers, the scope of what MiX Telematics needed to manage increased significantly and single penetration tests would no longer be sufficient.

Talking sense

"The risks and security threats just piled up to a point where it felt as if we were treading water without making any significant progress," said Pienaar. "We needed a continual focus on security that would be repeatable and consistent."

Pienaar explained that MiX Telematics then approached SensePost, which introduced the company to the Corporate Threat Model.

"The model looks at locations, interfaces with systems, user profiles and possible attacks, giving a complete view of the security environment."

SensePost's Corporate Threat Modeller essentially provides a means to build a threat model across an entire enterprise. It is a free and open source tool that is available on the SensePost Web site.

While it is not meant to replace traditional risk assessments, it provides a list of threats that can be weighted according to validated findings.

Pick and choose

Pienaar said that, in his experience, the threat model provides a complete view of the risks in a company's environment. "The ongoing process also helps to create risk awareness.

"Scenario planning is also a very useful tool that saves resources by allowing you to see the different effects of strategies on your risk profile - essentially helping you to cherry-pick strategies that work, and implement them.

"Seeing your full risk profile can be very daunting, but having that full picture is beneficial once you get going."
