For Bill Heinzen, information security project manager at National Information Solutions Cooperative (NISC), information security is not just a technical initiative: It’s an ongoing business continuity risk. NISC provides technology to rural electric and telecommunications cooperatives, and having a robust information security program in place is critical to protecting their customer data. Heinzen turned to Rapid7’s vulnerability management solution Nexpose to monitor his environment and manage risk. How does he know it’s working? It’s all in the numbers.
My name is Bill Heinzen. I am the Information Security Project Manager at National Information Solutions Cooperative. We call that NISC for short. We develop and support software solutions for electric and telecommunications cooperatives located throughout the U.S.
Information security is not just a technical initiative, it's an ongoing business continuity risk. A data breach can end a company overnight, and specifically with regards to NISC, we are seen as technology providers to rural electric and telecommunications cooperatives, and it's very clear to us that for us to be good custodians of our customers' data, we need to have a solid information security program.
We are using Nexpose primarily as our vulnerability scanning and remediation tool. We have Nexpose deployed, scanning several thousand assets on a weekly basis, and we specifically use Nexpose to identify things like unsupported operating systems, unpatched software, potentially unnecessary processes that need to be running. Not only do we use it to identify those vulnerabilities, but we also use it to prioritize them and implement remediation accordingly.
The reason that we know Nexpose is working is simple. It's the numbers. My background is an accountant. I like numbers, they're concrete. They're tangible. When you run a Nexpose scan every asset in your environment is assigned an individual risk score. You also get an enterprise risk score. So how do you know you're winning? It's by the numbers. It's when that risk score goes down. It's that easy.
As a new user, getting up to speed and using Nexpose was fantastic. Again, my background, I'm not necessarily a very technical person. I'm an accountant. I see numbers. I like numbers. They're easy. It's a universal language, and that's exactly what Nexpose is. It's a dashboard of numbers. It's these are your assets. This is your risk score. These are your top remediation. If you address these 20 vulnerabilities you'll remediate 75% of your risk score. As an end user, it was incredibly easy and quick to grasp even for someone who did not necessarily have a technical background.