For many companies looking to get the best from managed IT services, the issue of security is a thorny one. While experts agree that security should be at the forefront of all IT installations, the reality is that when it comes to managed services, it’s often tagged on at the end, if it’s included at all. But the need for integrated security services has never been greater. That’s why managed services specialist Ergo has decided to incorporate IT security front and centre in all of its offerings.
“The key message is that this is about protecting customers on the long-term journey that they’re on because our day-to-day operations put us at the cutting edge of working with target state environments. We know what the challenges are in cloud, in data analytics and in the area of the Internet of Things,” said Jimmy Sheahan, managed services director of Ergo. “We’re familiar with the risks and with the solutions to mitigate against those risks, so we’ve built our security practice around that – it’s about a lot more than firewalls and antivirus.”
In recent times, Ergo has been quietly building out a managed security service function, based on the idea that security should be integrated into every aspect of what it does. “Our approach is very much a holistic one. Lots of our customers over the last 18 months have been moving into target state environments, onboarding new technologies and embracing new ways of working from an operation or from a line-of-business perspective,” said Sheahan. “But with that, they still have the same security and compliance considerations even though the landscape they are dealing with has significantly shifted. The mapping from the compliance and security requirements through to the landscape they’re working in no longer matches. We’ve had a lot of customers move and then afterwards try to catch up from a security threat perspective, so what we’ve done is natively embed a security built-in approach into our engagements.”
If Ergo is working on a project to change or transform for a customer, security and compliance must be considered from the very beginning. “Obviously, it has to be this way, because good security is a habit not an act. We have to make sure that when customers are undergoing change, that we’re mapping governance, risk and compliance (GRC) requirements for them and providing technical and process solutions for them in the first instance,” said Sheahan.
Particularly in the cloud environment, new features and capabilities emerge all the time, as do new users and business demands. “The net generation is now emerging as one of the primary users in the workplace, so the demographic of who is using this technology is changing. We have to maintain the level of security and GRC for the customer in that new environment on an ongoing basis,” said Sheahan.
“For example, the business is demanding more and more from the IT function, and that demand has now overtaken a lot of our customers’ capabilities. How can they keep up with the rate of change currently happening? It’s a tall order, but at Ergo, we face these challenges every day of the week – everything from ransomware to data loss prevention in the cloud context through to rights management, audit and governance around auditing.”
Since its inception, Ergo has helped its clients deal with a diverse range of security threats, from system intrusion, data theft, employee tampering to cybercrime and ransomware. “We’ve seen a huge range of problems, pretty much anything that can affect either the availability, integrity or the confidentiality of intellectual property and data. One way to help companies insure against these kinds of risks is to help them achieve ISO27001 certification so they’re seen to be security aware and are taking reasonable security precautions,” said Sheahan. “Typically, cyber security, and security awareness in general around data and IT services, aren’t just projects to be undertaken, they’re ongoing operational considerations. We can do security projects for companies, things like penetration testing and security assessments and so on, but, more realistically, what we want to do is introduce an operational methodology of governance, risk aversion, compliance, internal policy implementation and adherence because that’s where real security is brought to bear in organisations.”
“Obvious things like hacking and malware threats and internal confidentiality integrity – are all different types of attacks you can get. Your security policies and internal practices need to cover each part of your organisation’s access to data. How do you access data, how long do you keep it and how do you guide your staff to use your systems? If you can do that through process and operational methodologies, then you are effectively taking all reasonable precautions to keep your data safe.”