Security processes: A matter of continual trust

While security processes and implementations usually originate from inside organizations, the impetus can just as well come from the outside world, as global credit control and financial services company Dun & Bradstreet found.

D&B’s former head of information security and compliance Sanjay Verma said it was a matter of keeping up with its customers such as banks and financial institutions who are increasingly investing heavily in cyber security.

“We have 205 million business records and must be a fully trusted partner,” Verma said.

Senior executives at D&B set Verma with the task of reassuring the company’s three million customers of its commitment to shore up its cyber defence posture. The result was Project Octave.

“The aim of Project Octave was to defend the organisation [and] existing revenue as well as increasing earnings, but also to make D&B compliant with international best practices and standards,” Verma said.

One key aspect was to ensure business continuity management so D&B could remain operational even during a severe crisis - anything from natural disasters, severe weather events, physical theft, IT systems outages, staff sickness and terrorist attacks.

Verma and his team implemented the ISO 22301 international standard to prepare D&B for such events.

“We wanted to give everyone the tools to react when disasters strike and hackers attack,” Verma said.

A tight deadline of 12 months along with an $8 million budget to push through the international standard meant Verma needed the support of D&B's worldwide operations and resources. Deloitte, BCM Solutions and BSI Group were key partners for Project Octave.

“Without the support of the senior executive worldwide, Project Octave would have been very difficult to achieve, especially on the aggressive deadline,” Verma said.

“For instance, we needed to buy gear for Project Octave quickly, in December 2014, a month after we started - having the support of the group speeded up the procurement process to enable our team to get going fast."

Project Octave was independently audited and certified as ISO 22301 compliant by BSI Group - D&B ANZ was the first organisation in Australia and New Zealand to gain the accreditation.

Business continuity has now become an integral part of D&B, Verma said. He credited Project Octave with successfully changing the mindset within D&B to become more active on security matters.

“It does not end with the ISO accreditation,” he told iTnews.

The local success of the project has meant it will now expand out of Australia and New Zealand and to the wider global D&B group.