That's why we initially advised this customer against pen testing at multiple locations
Most customers have a pretty clear idea of what they need from us for their information security. Nothing would be easier than simply accepting that and delivering exactly that. However, that is not our approach: at the beginning we carefully check whether the customer's request is really the best way to achieve optimal results.
In this case, it would have been easy for us to carry out and check off the two requested international pentests. Would that have made the customer safer? No. In this success story we explain why we decided to take a different path together with the customer and how the company was able to make efficient progress in its cyber resilience as a result.
This company is one of the world's leading suppliers of glasses for the beverage industry. At several international locations, over 450 employees produce glasses designed and refined specifically for brands.
CFO of the company
The company's CFO is responsible for internal IT and cooperation with an external IT service provider. He therefore understands the importance of the topic of IT security on both a content and management level. Through strategic planning in budgeting, he enables rapid progress in this area.
The CFO of the manufacturing company came to us wanting to subject two production sites to a comprehensive penetration test. The underlying problem was that the current state of IT security was not known.
The order itself highlighted one of the biggest challenges: the IT for the various international locations was not controlled centrally or uniformly. In addition, because of the production operations, the infrastructure was extensive overall.
At the organizational level, we also encountered peculiarities: there was an internal IT department, but no dedicated manager. Responsibility lay with the CFO, who also coordinated the collaboration with an external service provider.
The task for us in brief: Tell us where we stand in terms of safety and where we need to make improvements!
In the first planning phase, we sometimes find that the initial customer request is not 100% the optimal approach. That was the case here: we first discussed what results we wanted to achieve together by the halfway point of our contract term. Since this was the first pentest, we recommended initially limiting it to one production location. The background to this recommendation: because control was decentralized, restricting the scope to one location enabled us to start resolving the findings much faster. This allowed us to make progress for the company more efficiently by quickly minimizing risk.
Following a comprehensive pen test (IT and OT) at the first location, we presented the results in a management presentation in order to create transparency at this level as well. Overall, continuous management reporting to the CFO enabled uncomplicated and targeted adjustments to budgeting so that necessary measures could be implemented promptly.
To quickly minimize risks, we worked through the prioritized findings in consulting sessions together with internal IT and the external service provider.
After processing the first pentest, we finally included the second location in a second pentest. We also provide consulting support in resolving the vulnerabilities found.
The internal IT, together with the external service provider, was able to resolve 75% of the findings from the first pentest within a year. This is a very good result, especially given the complex and decentralized infrastructure and the involvement of an external service provider.
We were then able to begin assessing the risks of the international locations in order to raise the overall level of information security to a uniform level.
How do you combine innovation and digitalization with security? How do you create operational space for the efficient implementation of IT security projects?