How do you provide security for more than one million customers and well over ten thousand employees? How do you make sure the customer data in hundreds of products and services is safe? How do you design security for widely different markets and segments, from the cloud payroll system for small businesses, to public sector health care? For more than a hundred different companies in more than twenty countries?
– You don’t.
You empower the people who are responsible for their company, their customers and their products to make good security decisions themselves. From junior developer to board member.
This is accountability.
Then you test, test and test to ensure that security is in fact good. Then you share the results, and you not only welcome, but encourage everyone else to test us too.
This is transparency.
Welcome to the Visma Security Program
The Visma Security Program empowers companies in Visma to manage their own security by providing specialised tools, capabilities and training. It is important that security is not a gatekeeper, or someone that takes control (and thereby responsibility) away from anyone.
In Visma, we say: “You do not report to security. Security works for you.”
But we do set a high standard for security in Visma. Based on industry best practices, our own research and our own high expectations.
And we spend a considerable amount of our time on training and guidance, because we believe that good security comes from people that are competent and confident. People that build a strong security culture together, from the bottom up.
Providing good security is not just our duty as an employer and service provider. These are competitive advantages, and the Visma Security Program enables companies in Visma to use security, legal compliance, best practices and training as a natural part of their business.
Because in the end, everyone is a security decision maker. The support consultant, the junior developer, the Managing Director. The customer, the partner and the end user of our systems.
We want every decision maker in Visma to easily make good security decisions every day.
The hows and whys of the Visma Security Program
When a company joins the Visma family, it also joins the Visma Security Program. The program uses a combination of training, guidance and numerous advanced security services to provide security for named and specific assets, such as software products or personal devices. This is offered directly to companies, teams and individuals in Visma, often on a self-service basis and with very few exceptions completely free of charge.
The company chooses its own desired level of security, based on its unique needs, threat intelligence and other considerations of business. For new companies joining the Visma family, setting the desired security level is done as part of the onboarding process.
Each security service addresses one or more specific risks for the asset in question. For example, code scanning (a service) looks for security vulnerabilities in the product code (an asset). Each asset is protected by several complimentary security services in order to provide good all-round security.
The gap between actual, measured performance and the desired security level is the current level of risk for that asset. In the Visma Security Program, risk is always presented in concrete and actionable form, such as “fix this critical vulnerability, patch that server”.
The time it takes to reach the desired level of security is a measure of learning, and the ability to maintain performance over time with a consistently short time-to-fix, is a measure of security maturity. Because at the end of the day, good security comes from people that are competent and confident in their abilities.
We believe that learning is (an often) temporary change in behaviour resulting from experience. Therefore, the Visma Security Program contains strong elements of recurring actions, and focuses on providing opportunities for learning from experience.
In practice, we believe that a development team will learn more, and their product security will be better, from moving through the security program and at the end consistently performing at the highest security level and being able to be on the public bug bounty program, than they ever will from clicking through mandatory courses, watching presentations or filling in reports.
And since a product is developed continuously, often with multiple releases every day, and the team is never constant- people leave and people start- the recurring actions make sure that the overall competence of the team naturally adjusts over time. This includes everything from measuring the time to fix bugs, recurring training or the billions of lines of code we scan for vulnerabilities every day.
And we believe that the security team, with its highly specialised competence, is better utilised as mentors, guides and specialists than auditors, sysadmins or gatekeepers. (And as developers and researchers.)
An appropriate level of security.
An important task for companies joining the Visma Security Program is to choose an appropriate security level for their products and other assets. The security levels are predefined by the security team, and are Bronze, Silver, Gold and Platinum. This is all presented in a gamified, modern user interface that we make ourselves to best support all the companies and products in Visma.
To take the example of a software product in the program, to be on Gold generally requires weekly security-work by the development team that is responsible for the product, and Platinum requires daily security-work.
This demands that the team is competent and knowledgeable about security, and uses the available suite of security services to its full potential in order to provide high security with short response times, both with regard to time-to-fix and time-to-deploy.
Each team assigns at least one Security Engineer who acts as the team’s go-to person for all things security, and who receives extra training and resources through e.g. participation in the Visma Security Guild. This guild has a flat structure, and is used to share experiences and coordinate efforts.
Penetration tests are performed by a high skilled team with relevant certifications. The tests are designed to identify application level weaknesses and vulnerabilities, based on industry best practices such as OWASP Top 10. The testing- team is wholly separate and independent from the team, product and company that is being tested, at both the legal unit and managerial level.
All results are shown openly and live in the “Security Maturity Index”, which shows the targeted security levels versus actual performance in real-time. That is, we use gamification and transparency to celebrate good security performance, and perhaps most importantly:
To make it easy for a non-expert to make good security decisions.
We’re putting a lot of effort into making the index an easy to use tool not just for the security professional, but also for non-experts, because these are often the decision-maker we should enable and empower. The maturity index is followed closely in board- and management groups, and is an effective way of setting Key Performance Indicators or other goals, even at top management level.
Finally, we learn from each other continuously through transparency: best practices, experiences from incidents and similar are shared as a matter of course, and the entire process of security is democratised by everything being visible to everyone at all times.
Not just security
The Visma Security Program is not strictly limited to security. It also contains strong elements of compliance, in particular for privacy, and is closely related to group governance. We also incorporate whistleblowing and legal services such as intellectual property, licensing, contract law and anti-corruption training.
Further, the Visma Cloud Delivery Model, the Visma Architecture and Technology Program and various internal tools also use the Visma Index, ensuring that products and services in Visma are managed in a coherent manner. All our in-house stuff, including of course the Index itself, is on Platinum and on the Visma Cloud Delivery Model.
Group security
Even though we’re all about empowering the company, the team and the individual employee to manage their own security, there are of course numerous group- level security functions too.
We maintain 24/7 security operations for monitoring, detection, prevention, incident- and crisis management, as well as intelligence service and various other capabilities to support group management, our companies and maintain a coherent security posture for all of Visma.
The Visma Cyber Crime Centre (VC3) works specifically with preventing cyber crime, you can read more here.