1. Page 1 of 10
How the Switch to a Predominantly
Remote Workforce Accelerated
IT and Security Transformation
At Global Book Publisher HBG
Transcript of a discussion on how the rapid shift to remote work accelerated the digital transformation of a
New York-based publishing organization to reduce risk while preserving a highly creative and distributed
culture.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Bitdefender.
Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana
Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.
Our next security innovations discussion examines how the rapid shift to remote work has
accelerated a rethinking of security and IT processes at a New York-based publishing
organization.
Rearchitecting the security posture of a business means adjusting work patterns and IT in ways
that both reduce risk and heighten performance. But the trick is to do so without alienating
workers -- wherever they may be -- and maintaining strong productivity.
Here to share her story on how to digitally transform a
traditional business structure, reduce risk factors, and
preserve a highly creative culture is Heidi Holmes, Senior
Director of Information Technology Services at Hachette Book
Group (HBG) in New York. Welcome, Heidi.
Heidi Holmes: Thank you. It’s nice to be here and I’m looking
forward to this.
Gardner: Let’s start by having you tell us about HBG and why
you needed to significantly adjust your security objectives over
the past couple of years.
Holmes: HBG is one of the world’s largest publishers. The
United States branch is part of a larger global Hachette, and
we have some very, very big authors, such as James Patterson and David Baldacci.
We literally print almost every kind of book you can think of. So, our company is highly creative,
and very intelligent. On a personal note, it amuses me because at other IT organizations I’ve
been with, I could send out an email and never think twice about it. But here, you send out an
email and you’re going to be critiqued from every editor across the board. It’s amazing. Even the
CEO, he spots things that aren’t quite in the right order. It’s awesome.
Holmes

2. Page 2 of 10
So, Hachette: We’re a pretty amazing company. I’ve been here since 2019. I came into a very
different IT organization. The leadership in place was great, but around some of the security
practices, we really had to mature, to grow our business, and to grow how we monitor, maintain,
and secure everything -- from the PC all the way to the edge.
Gardner: It sounds like – being global and dealing with so many authors, editors, and artists –
that you were already a fairly distributed organization. And then we all had the move to more
remote work in 2020. How did that rapid shift impact your digital transformation journey?
Diversity strengthens security strategies
Holmes: In such a diverse organization, no two sets of tools are the same. Just in the IT
organization, every group is unique. And we’re talking five to 20 people. We are an
amalgamation because we’ve acquired many different companies over time.
For example, Orbit, which is our science-fiction department. They are amazing, but they operate
in one way, whereas Little, Brown Books for Young Readers, which is all of our young-readers’
literature, operates completely differently. It’s almost as though it’s IT for a ton of small
businesses that operate within a large business structure. It’s pretty interesting.
So, they were diversified to begin with. But when more
people began working from home, supporting them all
became even more critical. The traditional IT model
was moat and castle. We had to protect ourselves by
using the best firewalls. You can protect anything, but
once you’re outside the castle, everything is looser.
Once people began working from home, then all of their data lived in their laptops. How do you
manage and secure that? What do you do to get your arms around that? This is where our new
challenges arose. If you’re used to the castle technology, you have to create high-speed
connections to and from every office to access all of your data for home workers.
Gardner: So, you had constellations of different businesses and cultures – as well as legacies
of different IT. To corral that together, you almost have to be a managed service provider (MSP)
as an IT organization. Is that fair?
Holmes: I do manage the help desk infrastructure. We also serve up all of the data, all the data
center services, and the cloud data management, as well as cybersecurity. From my position,
we are set up to service different groups on different platforms and support a wide range of tools
across the larger IT organization.
It’s amazing. We’ve taken those requirements and built the tools to service the overall
organization. And some of them are complex. Then we come back in with the security and
managing compliance around how users access data inside of the tools and how it’s all unique
across each of those separate publishing entities. It’s fascinating.
Gardner: In addition to a focus on endpoint security to support a distributed and remote work
force, you’ve also had to look at transforming IT.
The traditional IT model was moat
and castle. … You can protect
anything, but once you’re outside
the castle, everything is looser.

3. Page 3 of 10
A lot of times, people have architected their IT -- and then they add on security. Did you try to
simultaneous engineer for security and IT productivity and digital transformation? Is there a new
way of doing security from your vantage point given your responsibilities?
Security as speed bump, not roadblock
Holmes: Yes, there is a new way of doing security. When I entered, security was a bolt-on,
after-the-fact approach. For example, they may have already built a tool. But have they tested
it? Or an application. What has been done with them?
We were at the ground floor, as new projects were coming up, on security. The teams were
coming to us from a cybersecurity standpoint and saying, “What’s the best way for us to secure
this? How about outside software-as-a-service (SaaS) providers?” Things like that.
We needed to make sure that they filled out the security forms to make sure that their
architecture and best practices matched with what we were looking for with security. But we
found out early in the game that they weren’t compliant. They didn’t have security as their first
thought.
It’s more about balancing risks and building in security. As
I tell everybody here, cybersecurity is about being a speed
bump -- and not a roadblock. Everything we do should be
about slowing down, so you don’t bottom-out your car. You
want to keep going, not come to a full stop. There’s no
productivity if we have to come to a complete stop. We
need to keep moving. We’re getting there.
Gardner: Of course, if you have a security breach, that’s one way of coming to a full stop. You
need to have a balance between reducing risk, but also maintaining productivity and creativity.
What have you learned the past couple years about those balances? Has it changed with the
remote work? How does digital transformation give you the tools to have the insights to reach
that balance better?
Holmes: One of the tools we use, and why I’m here, is Bitdefender. We’re looking at their
dashboards all the time. We can see what’s commonly going on. The [endpoint detection and
response (EDR)] tools are great for our digital transformation because they’re on every one of
our computers, on all of our servers, monitoring and automatically blocking risks.
If Bitdefender sees lateral movements on the network, it will block and halt those or delete
certain files. It’s really given us an advantage. It gives us the capability to look at what’s going
on. Because if we see a large increase, then we can look into our other tools that complement
Bitdefender and say, “What are we seeing on our firewalls? What are we seeing in our security
information management (SIM) tool? What are we seeing on our email filtering? Do we see a
coordinated attack or is this just a run-of-the-mill type of attack?”
Bitdefender helps us be proactive on what’s going on. For us, it’s been great.
You want to keep going, not
come to a full stop. There’s
no productivity if we have to
come to a complete stop.

4. Page 4 of 10
Gardner: And being proactive means you want to react swiftly. Is there a way that you’ve
adjusted to the remote workforce -- all of those laptops and home desktops -- rather than being
inside the moat? Is there a way for you to take the information you’re getting from your
Bitdefender dashboards and be more actionable with it?
Holmes: Absolutely. If we see a large number of attacks, even if they’ve stopped, we can open
up a help desk security ticket and reach out to the user. If the incursion seems to be trying to
install something or to attack others in the environment, we can remotely deactivate that device.
We just have them ship their laptop to us so we can take a closer look, and we ship them out a
new one.
We don’t play games with anything in our environment. It’s better to stop it at the source and
move on. But, yes, the tools give us the capability to get out ahead of it all. And we’ve
developed a team that is constantly monitoring, seven days a week. Our dashboards look for
any correlation, anything ahead, and then work with us to automate or alert us if something
needs to be acted on more quickly.
Gardner: And, Heidi, how does your background as a network engineer help in your digital
transformation and with security concerns? Have you been able to bring more of an architect’s
perspective to how you’re modernizing your IT and security?
Architecting for change
Holmes: Yes, I have. For the past 20-plus years, I’ve worked as an architect, network
engineer, and network security engineer. The biggest thing I’ve learned is to go back to the
business risk. We understand what the business risk is, and how to mitigate or isolate that risk.
But that also means understanding the business you’re working with.
Part of an architecture isn’t designing the fanciest, most
secure tooling -- because that’s how you get the
balance versus the speed bumps. You have to learn
the business, learn about the people, know where their
risks are, and then architect around that to say, “Okay,
stage one is where we see in our transformation the
need to move certain things to the cloud.”
Or, “Our most vulnerable systems need to be isolated because some of them might be near
end-of-life and we can’t do certain things with them anymore. We’re going to move them over to
something such as a different layer or to firewall them with intrusion prevention and monitor it
that way. Maybe some of our websites are older and we need to do something with that.”
We might put some sort of a web application firewall (WAF) in front of it. But you have to lay it
all out in stages. And the easiest way to architect and build is to know what the business needs.
And then you start designing to have the least productivity impact while giving the most security.
So, the biggest bang for your buck: “Let’s start there, let’s hit the quick wins while we’re still
planning out the other things.”
And part of architecture is understanding that when you build a process and a project that it
changes. It’s a constant re-evaluation. What are the latest tools? The tools from 2019 are not
You have to learn the business,
learn about the people, know
where their risks are, and then
architect around that.

5. Page 5 of 10
the same tools that I’m working in at this point. Because every year, every six months, every
month, something else is out there offering a better way to do things.
For example, a zero-trust architecture was at first a little bit nebulous. Trust nobody and
everybody’s like, “Why can’t we trust people?” That’s like, “Well, not everyone’s your friend and
even the computer next to you isn’t your friend necessarily either.”
Gardner: Well, that’s a perfect transition to my next question. In an organization like Hachette
Book Group, the goal is for people to communicate, collaborate, be creative, and be open.
When you come to them with a security mentality of, “You need to be very suspicious and zero
trust-oriented,” that creates potentially a cultural conflict. How have you been able to get
people’s buy-in on what you need? Behavior is such an important part of security. At the same
time, you want to allow them to be as open as possible and share ideas as they are used to.
Make wide, yet light, security footprints
Holmes: The right mentality is to have the least visible footprint in the things that you’re
communicating on, on any given computer. But you also have to trust the communication tools.
The things that you use such as Zoom or Teams or something like that. Those are commonly
known ports and IP addresses.
We don’t have to overthink it like 15 or 20 years ago, when I needed to know every port that the
teams used and qualify that. Our security tools will automatically understand, and part of the
artificial intelligence (AI) built into them, knows that these are okay communication methods and
it’s fine for us to continue to communicate that way.
So, there’s an openness with video communication and collaboration with a level of security and
staying away from custom-built tools to communicate. That will protect you because inherently,
custom-built tools usually need extra updating and the people who develop them don’t always
keep them up to date. That also will protect you in a zero-trust environment.
But honestly, it’s gotten so much easier with zero trust
… because Bitdefender is fantastic for that. It’s always
monitoring. The AI is telling us as it’s looking at patterns
instead of always at a specific port where you can lock
people down and isolate them. So, it can see a lot of the
lateral movements, you can see different firewall rules
that are not industry-standard and as attacks try to pass
through. It’s the only real way to go.
Gardner: You’re describing what people have come to think of as what a security operations
center (SOC) as a service could be. Is that how you’re starting to view something like
Bitdefender? Or is that a place you’d like to see it go, of where you have a SOC as a service
benefit all the time and everywhere?
Holmes: Well, that would be fantastic. And we have spoken to Bitdefender about this. From my
past experience, I’ve worked with SOCs, did a little bit of management of SOCs, and brought
that into a new organization.
The AI is telling us as it’s
looking at patterns instead of
always at a specific port
where you can lock people
down and isolate them.

6. Page 6 of 10
What you see a lot of times is they give you a lot of data. And traditionally, any SOC will
overwhelm you with 3,000 alerts and events in a day. And you have a team of three and you’re
hiring a SOC to help you. But instead, your team of three needs to remediate all of these things,
otherwise they’ll keep showing up, and the SOC’s going to keep reporting and then it becomes
completely useless to you.
The modern SOCs, and a lot of what I understood
from the Bitdefender side is, they’re using more AI to
filter out the things that are less meaningful. It’s no
longer every single thing that comes across your
dashboard. That helps you dive in quicker when
there’s a bigger problem. A SOC can become a
benefit instead of a hindrance to a small team
because the teams are always already trying to remediate their problems. They only need to
know about the things that are brand new major holes because patching everything else should
take care of the rest.
Another thing I wanted to mention on SOCs: Back to our transformation, when I mentioned the
SIM tools, and having the different dashboards, it takes a while to bring a security team up to
speed on what they should be watching for. That’s about identifying what’s meaningful to you.
And then to fix the problems they’re finding from doing the scans. The last few years, we’ve
been training security staff to do just that. When a SOC comes into play now is when the team
is already expert at security and then everything is meaningful. Sometimes you can take the
jump to a SOC too fast.
Gardner: A lot of what we hear in the marketplace now is that people are resisting tool sprawl.
Too many security tools are not a good thing. They also want tools that will integrate, that play
well together.
How are you looking at that balance between having the right number of tools, but also tools
that are integrated well in advance?
Just say No to tool sprawl
Holmes: I literally just said “no” this week to a couple of security tools because it was just more
sprawl. We need to use our tools right. Tools should be useful. They should give you
information you don’t already know, or they should coordinate multiple things into one tool so
that you can easily discern where a problem is.
So, if a tool doesn’t have multiple uses and it’s not cost-effective, then we don’t want it. There
has to be a very specific reason to look at it. Also, every tool needs to be easy to use because
we can’t send somebody to three weeks of training. We can’t train a second person for when
the first person goes on vacation.
And it has to be automated, it has to be able to page us if it hits certain thresholds. All of that
needs to be set up very quickly. Because when we take holidays, there are always less eyes on
dashboards. And we still need to know if something’s going on. We need to get paged, woken
up, and brought back to the dashboard.
The modern SOCs … are using
more AI to filter out the things
that are less meaningful. It’s no
longer every single thing that
comes across your dashboard.

7. Page 7 of 10
So that’s what we’re looking for. The tool sprawl: Everybody has a tool that they want to sell you
-- everybody. It needs to work for on-premises, and it also needs to work in the cloud. It needs
to give us all of the information we need. It needs to work in your home to tell me what’s going
on in your laptop there. That’s what we need from our security tools.
Gardner: Whenever you ask folks to qualify and quantify how their security is working, the
number one response is, “Well we’re not getting hacked, so that’s good.” But because you’re
involved with not just security but IT and digital transformation, there’s probably more ways that
you can measure the effectiveness of your security approach in terms of productivity, team
collaboration, and how your IT support group is able to please your end-users.
Do you have specific ways of looking back and saying, “We made good choices, and we can
prove it by blank?” How do you measure your success in digital transformation and security?
Holmes: As far as the users go with collaboration, the easiest way for us to tell is the number of
help desk tickets we get. If the users aren’t calling us because they can’t work on their computer
-- either because they’ve had an attack or because they just can’t use it because it’s still in lock
down -- that’s a good measure.
And if we’re not seeing a proliferation of viruses and malware in our environment then those
metrics are great for us, too. We’re constantly watching them, we’re updating them, and we’re
reporting all those metrics to our senior leadership in the company. So, it’s been amazing.
Gardner: Let’s briefly look at costs. We’re also seeing many organizations that need to do more
with less. Is there a way for you to balance the economic side of the equation with these metrics
of success?
Holmes: With the metrics for success, if we
purchase tools that help us get ahead of a problem
and we don’t have any downtime or a loss of
productivity, that is our number one way of evaluating
that. So, know your risk, your way of knowledge, and
the tools. Tools must do multiple things, be easy to
use, and be cost effective.
That’s huge for us because I don’t have to hire extra people, which is cost. I don’t have to have
extremely skilled people. I can weigh the cost and the amount that we’re spending in our
security and IT budgets and say, “We are doing the right things for our people with the right
level of protection and our downtime is in individual users -- not systems.”
That’s how we measure it. Productivity; not lost time. The ability to shift if there is a problem.
And that gets back to the training. For example, we recently had a security incident. It turned out
to be something from something very old, more than 10 years old, that was transferred to our
environment and we found it with our tools. We shut down a portion of the network and --
because of the training – we only lost about two hours while we investigated it.
A couple years ago, we would have had vice presidents down our throats saying, “Why can’t we
do this?” But because we’ve trained our team so well, it was literally, “Okay, let us know when
it’s available again. We want to support you. We’ll work on something else.” It was great.
Know your risk, your way of
knowledge, and the tools. Tools
must do multiple things, be easy
to use, and be cost effective.

8. Page 8 of 10
So, it’s all about having the tools, the costs managed, and being able to measure all of our
training and practices around the knowledge and people that are behind us. They want a secure
environment, and they’re willing to pause if they need to for a little bit while we look at things.
Gardner: You had a speed bump, not a car crash. So that’s a really good indicator.
Holmes: Yes, it was great.
Gardner: Before we end, let’s look to the future. I’ve heard a few words from you, Heidi, like
“automation,” “AI,” and “SOC as a service.” What new challenges do you foresee, and what are
the best tools or approaches for you to meet them proactively?
Detection advances from signatures to patterns
Holmes: The problem is, we don’t know what we don’t know or what the next security problem
will be. You need to be prepared for everything. You need to stay ahead as a leader in this field
and just listen, watch the articles, and be prepared to pivot when things happen.
The AI and the new tools are great because they
are looking for patterns. It’s not like the old days
where I would just look for a signature. So,
somebody would do something that applies a
specific signature, and it could only catch that. It’s
now looking for the pattern and then correlating the
pattern. As a result, we’re getting many less false positives because it doesn’t look for just one
minor anomaly. It looks for a pattern of anomalies, and then it might immediately block it.
There may still be some false positives because of the old applications out there.
We love the tools that we use, such as the Bitdefender console. It delves into so many things. I
personally look at the executive dashboard on a regular timeframe because out of all of our
tools, it is one of the best and the easiest to drill into. I can say, “Wait, there’s a spike in viruses.”
I click on it even though they’re blocked. It shows right there on the line if any of them got
through. Then we can raise the flag, even though it’s already been blocked. But who is affected
and where? I can click, and it shows me the actual machines, and it shows me what it was
trying to do.
That’s the best way to stay ahead. That is part of the automation; it is automatically blocking.
So, our firewalls automatically block, or quarantine, or do whatever needs to be done. We get
automated alerts that ring our cellphones, that send us messages depending on what it is, and
we have bridges. We also have automated [processes] where we can automate traditional
patching or fight zero days [attacks] or anything that comes up. We have that all scheduled to
go. So, that’s not a manual process anymore.
Gardner: Heidi, before we sign off, for those who are also going on a journey where they want
to change the way they’ve done security, where it becomes simultaneous to and maybe even in
advance of IT decision-making or IT architecting, what advice do you have for them now that
you’ve gone through this? What words of advice do you have for people who can make security
part-and-parcel with their digital transformation activities?
[The AI] doesn’t look for just one
minor anomaly. It looks for a
pattern of anomalies, and then it
might immediately block it.

9. Page 9 of 10
Start where you are, then dig deeper
Holmes: Get to know your business. Learn. Learn what your business is doing. Then, while
you’re learning, start with the fundamentals. What are you doing well in your business right now
or in your security?
Do you have good malware protection? Firewalls on your laptops? Things like that. Start with
your servers, with your laptops, every device in your environment. That’s an easy place to start.
Make sure your patching is up to date.
And then you can start looking a little bit deeper.
Vendors -- understand what your vendors are doing.
Just because it’s in the cloud doesn’t mean it’s secure.
It is not the same thing. You need to understand where
you’re putting your data, and what your people are
doing. And that goes back to learning the business.
Lastly, shadow IT. Because everything can go to the cloud, every business is going to try, and
every department is going to try, to find their own tool in the cloud. But they won’t necessarily
vet it the way your IT security organization will.
So, get to know the business, gain their trust, and help them by giving them speed bumps and
not roadblocks. That’s my advice.
Gardner: Well, I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored
BriefingsDirect discussion on how the rapid shift to remote work accelerated a rethinking of
security and IT processes at a New York-based publishing organization.
And we’ve learned how Hachette Book Group digitally transformed a traditional business
structure successfully, reduced risk factors, and preserved a highly creative culture.
So, please join me now in thanking our guest, Heidi Holmes, Senior Director of Information
Technology Services at Hachette Book Group. Thanks again.
Holmes: Thank you. It’s been great talking with you.
Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator
for this ongoing series of BriefingsDirect discussions. A big thank you to our sponsor,
Bitdefender, for supporting these presentations.
Also, a big thank you to our audience for joining us. Please pass this on to your IT and security
communities, and do come back next time.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Bitdefender.
Transcript of a discussion on how the rapid shift to remote work accelerated the digital transformation of a
New York-based publishing organization to reduce risk while preserving a highly creative and distributed
culture. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.
Just because it’s in the cloud
doesn’t mean it’s secure. You
need to understand where
you’re putting your data and
what your people are doing.

10. Page 10 of 10
You may also be interested in:
• For UK MSP, optimizing customer experience is key to successful security posture and
productivity
• Why today’s hybrid IT complexity makes 'as a service' security essential
• Defending the perimeter evolves into securing the user experience bubble for UK cancer
services provider
• How A-Core Concrete sets a solid foundation for preemptive security
• How an MSP brings comprehensive security services to diverse clients
• Better IT security comes with ease in overhead for rural Virginia county government
• SambaSafety’s mission to reduce risk begins in its own datacenter security partnerships
• How MSP StoredTech brings comprehensive security services to diverse clients using
Bitdefender
• For a UK borough, solving security issues leads to operational improvements and cost-
savings across its IT infrastructure