Building cybersecurity transparency with clients using compliance automation tools by Iurii Garasym — Chief Information Officer at ELEKS
This presentation dives into the complexities of managing third-party relationships and highlights the importance of proactive cybersecurity reporting driven by vendors.
2. AGENDA
01 About ELEKS
02 New Elements in Building Trust in Value Delivery Chain
03 ELEKS case of building trust using eCAP
04 Vision for 3rd party risk management
4. The custom software development and innovations company
We are a technology partner of choice for complex and innovative software development projects.
We have been delivering value to our clients thanks to our expertise and experience gained from working as a software innovation partner since 1991.
31 years of experience
88% Master’s Degree
4% PhDs & MBAs
A Top 100 Global Outsourcing Company
We focus on complex tasks
Long-term partnerships with clients
Deep technical expertise
Top scientific talent
6. Our clients
We build long-term partnerships with industry leaders and technology challengers to create truly transformative results.
Client locations: Milano, Copenhagen, Madrid, London, Berlin, Birmingham, Amsterdam, Munich, Kyiv, Stockholm, Paris, Amman, Dubai, Tokyo, San Francisco, Seattle, Kalispell, Minneapolis, Detroit, Philadelphia, Raleigh, Washington, Chicago, New York, Boston, Tel-Aviv, Singapore, Geneva, Zurich, Basel, Brussels, Lyon
700+ end-to-end solutions delivered
90% of clients do more than one project with us
20+ years of cooperation with our oldest clients
150+ active client accounts
7. ELEKS – ISMS/QMS*
Certifications and frameworks: ISO 27001, ISO 9001, SOC2, HITRUST, GDPR
In progress with: CREST
ELEKS is a company with well-established quality management, cybersecurity, data privacy and business continuity processes in line with international standards.
There was not a single service outage or security breach in our history, including the period of the Russian invasion of Ukraine.
In 2023 ELEKS successfully passed the annual re-certification process for ISO9001, ISO27002, SOC2 and is continuously improving its compliance posture with more certifications in the pipeline.
* ISMS - Information Security Management System; QMS - Quality Management System
9. “To deliver value to the end customer, you need to play the team game. You need to partner both with your vendors and your customers in order to create and exchange sustainable value. You need trust, collaboration and agility.”
“Every organization exists in multiple business ecosystems. These business ecosystems are dynamic networks of entities interacting with each other to create and exchange sustainable value for participants. The challenge is deciding how your organization will survive and thrive in its ecosystem.”
Andriy Krupa, CEO ELEKS
10. Trust is necessary for collaboration and innovation.
To establish and maintain trust, companies have to address several components: Quality, Security, Compliance, Privacy, Transparency.
Having the enabling tools and technologies to build this trust is important. Such technologies speed up business interactions and build trust across geographies, while helping companies to deliver value with lower operational costs.
11. Trends in business
1. Value continues to migrate online: Cloud, Big Data. Difficult to know what you even own, difficult to analyze.
2. Corporations are expected to be more ‘open’ than ever before. Mobile, Social Networks, IoT, BYOx (bring your own device / app …) are an easy point of entry into corporate networks for malware.
3. Everything is connected. Everything is vulnerable.
4. Supply chains are increasingly interconnected. No perimeter any more. Companies are encouraging vendors and customers to join their networks.
12. SECURITY VENDORS MAP
• Tons of data + tons of alerts. You can’t sit more people to deal with it.
• Lack of budget, people, skills, management support… or decision making.
• Security technology silos.
• Algorithms, machine learning, AI are already on our side, but still 100+ days to discover a breach, gaps in compliance obligations.
14. The opportunity
Today, most companies are struggling to build a proper compliance workflow: compliance with customer requirements, industry best practices, regulations or even their own requirements. They characterize their current processes as:
Expensive: The cost of compliance is growing while companies mostly fail to improve their compliance process assurance for senior management.
Manual: Personnel account for 79% of compliance costs.
Complex: As the number of regulations constantly grows, the complexity of the compliance process also exponentially increases.
Inaccurate: The high rate of human errors for repetitive high-volume compliance tasks puts companies at risk of penalties.
Inefficient: Companies struggle to enforce all the requirements and continuously ensure they work as intended.
15. The solution
What if there was a single tool that made the compliance process a lot easier?
Cost-efficient: Compliance process in your organization becomes manageable along with a 50% decrease in cost.
Scalable: You will be able to handle an increase in transaction volume without any negative impact on operational expenses.
Capable: You will establish a robust onboarding process for new regulatory requirements.
Reliable: While algorithms will handle most compliance cases, your experts will have an opportunity to review the exceptions carefully and achieve near-zero error rates.
16. COMPLIANCE AUTOMATION PLATFORM GOALS
eCAP is an advanced GRC (Governance, Risk and Compliance) tool that helps to:
• Reduce costs by automation of information security governance activities (policies/controls design)
• Perform comprehensive security and risk management monitoring
• Improve efficiency of internal audits and success rate of external certification audits (ISO27002, SOC2, HITRUST)
More info is available on the eCAP landing page: eleks.com
17. ELEKS COMPLIANCE AUTOMATION PLATFORM FEATURES
Generate Information Security policies: Generate Information Security policies based on applicable standards and allow convenient management of the documents (review/approval flow, version tracking, retention in line with records management requirements).
Compliance score and security controls reporting: Connect to various data sources and obtain the details on the actual situation with information security controls. Both operational and strategic level reporting are available.
Enable Security monitoring for clients: Based on the data collected, create easy-to-read reporting for your clients regarding security controls on their projects. Multiple clients can be handled at the same time, individually defining the scope for monitoring.
Reduce efforts for certification audits: All the data created/collected in eCAP is connected to the original requirements from standards, which makes it possible to instantly generate evidence for auditors.
Gather regulatory and standards related updates: Collect and auto-tag the news to be up to date with changes in the regulatory landscape.
Modules: News Feed; Standards/Policies/Controls; Dashboards; Compliance Score; Map and Gap reporting
18. eCAP – Cybersecurity Excellence Awards
Cybersecurity Excellence Awards recognizes companies, products and professionals that demonstrate excellence, innovation and leadership in information security.
The awards are produced by Cybersecurity Insiders in partnership with the Information Security Community on LinkedIn, tapping into the vast experience of over 400,000+ cybersecurity professionals to honor the world’s best cybersecurity products, professionals and organizations.
More details available at: cybersecurity-excellence-awards.com
19. eCAP for ELEKS clients
ELEKS provides eCAP to clients in order to introduce transparency and build trust. Clients using eCAP have 24/7 access to metrics calculated for their projects.
eCAP is aiming to become a single reporting window with our clients.
Employees: General information for employees working on the project, information security trainings and monitoring of obsolete accounts.
Endpoints: Metrics covering endpoints being used by specialists on the projects (OS updates, anti-malware, disk encryption, etc.).
Additional metrics: There are additional metrics present in our pipeline. They will be introduced automatically on the dashboards once released.
eCAP helps ELEKS clients to:
• Perform independent 24/7 monitoring of security metrics and events on their projects
• Simplify the process of information security audit of ELEKS as a vendor
20. ECAP: PROACTIVE APPROACH – CLIENT IS AUDITS
Data flow shown on the slide:
ELEKS EU Data Center: ELEKS IS Solutions (IAM, SIEM, Anti-Malware, Ticketing System, HRMS, etc.) provide Information Security related data feeds to eCAP (on-prem), which performs processing of data and generation of security metrics.
EU/US Microsoft Azure: per-client eCAP SaaS instances (eCAP SaaS Client A, eCAP SaaS Client B, eCAP SaaS Client C).
Client Teams: each Client Team (Client A, Client B, Client C) gets access to its own SaaS instance.
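To make the per-client metrics of slide 19 and the feed-to-metrics processing of slide 20 concrete, here is an added example (not eCAP code, and not the platform's data model): three constructed feeds in the shape of HRMS, IAM and endpoint-management exports are joined per employee, filtered to one client's project scope, and evaluated against a small control catalogue. Each control carries a placeholder standard reference so every gap in the report points back to a requirement, the way the slides describe evidence generation. Field names, control ids and the 90-day obsolete-account threshold are assumptions of this example.

```python
from datetime import date

# Constructed sample feeds (assumed field names; not eCAP's schema).
HRMS_FEED = [  # project assignment and security-training status per employee
    {"employee": "e1", "project": "client-a", "sec_training_done": True},
    {"employee": "e2", "project": "client-a", "sec_training_done": False},
    {"employee": "e3", "project": "client-b", "sec_training_done": True},
]
IAM_FEED = [  # one account per employee with its last-login date (ISO 8601)
    {"employee": "e1", "account": "e1@corp.example", "last_login": "2024-05-01"},
    {"employee": "e2", "account": "e2@corp.example", "last_login": "2023-11-01"},
    {"employee": "e3", "account": "e3@corp.example", "last_login": "2024-05-10"},
]
ENDPOINT_FEED = [  # laptop posture as reported by endpoint management
    {"employee": "e1", "host": "lt-01", "os_patched": True, "antimalware": True, "disk_encrypted": True},
    {"employee": "e2", "host": "lt-02", "os_patched": False, "antimalware": True, "disk_encrypted": True},
    {"employee": "e3", "host": "lt-03", "os_patched": True, "antimalware": False, "disk_encrypted": False},
]

AS_OF = date(2024, 5, 15)   # constructed reporting date
OBSOLETE_DAYS = 90          # assumed threshold for an "obsolete" account


def _days_since(iso_day: str, as_of: date) -> int:
    return (as_of - date.fromisoformat(iso_day)).days


# Control catalogue: (control id, description, placeholder standard reference, check).
# The references are placeholders, not real clause numbers of any standard.
CONTROLS = [
    ("EMP-01", "security awareness training completed", "STD-REF-TRAINING (placeholder)",
     lambda r, d: r["sec_training_done"]),
    ("EMP-02", f"account used within the last {OBSOLETE_DAYS} days", "STD-REF-ACCESS-REVIEW (placeholder)",
     lambda r, d: _days_since(r["last_login"], d) <= OBSOLETE_DAYS),
    ("EP-01", "OS updates applied", "STD-REF-PATCHING (placeholder)",
     lambda r, d: r["os_patched"]),
    ("EP-02", "anti-malware installed and active", "STD-REF-MALWARE (placeholder)",
     lambda r, d: r["antimalware"]),
    ("EP-03", "full-disk encryption enabled", "STD-REF-CRYPTO (placeholder)",
     lambda r, d: r["disk_encrypted"]),
]


def merge_records(project: str) -> list:
    """Join the feeds on employee id, keeping only employees in the client's project scope."""
    by_emp = {r["employee"]: dict(r) for r in HRMS_FEED if r["project"] == project}
    for feed in (IAM_FEED, ENDPOINT_FEED):
        for rec in feed:
            if rec["employee"] in by_emp:        # scope filter: other clients' staff never enter
                by_emp[rec["employee"]].update(rec)
    return list(by_emp.values())


def client_report(project: str, as_of: date = AS_OF) -> dict:
    """Per-client compliance score plus a gap list that cites the requirement behind each finding."""
    records = merge_records(project)
    controls, gaps = {}, []
    for cid, desc, ref, check in CONTROLS:
        passed = 0
        for rec in records:
            if check(rec, as_of):
                passed += 1
            else:
                gaps.append({"control": cid, "employee": rec["employee"],
                             "requirement": ref, "finding": f"{desc}: not met"})
        controls[cid] = (passed, len(records))
    total = sum(n for _, n in controls.values())
    score = round(100.0 * sum(p for p, _ in controls.values()) / total, 1) if total else 0.0
    return {"project": project, "as_of": as_of.isoformat(),
            "score": score, "controls": controls, "gaps": gaps}


if __name__ == "__main__":
    for project in ("client-a", "client-b"):
        rep = client_report(project)
        print(f"{rep['project']} as of {rep['as_of']}: score {rep['score']}%")
        for cid, (p, n) in rep["controls"].items():
            print(f"  {cid}: {p}/{n}")
        for g in rep["gaps"]:
            print(f"  GAP {g['control']} {g['employee']} -> {g['requirement']}")
```

Two properties of this shape matter for the trust model the deck describes: the scope filter in `merge_records` is what lets several clients be served from one data pipeline without one client seeing another's staff, and the placeholder `requirement` field on each gap is what an auditor would expect to see before accepting a dashboard number as evidence.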
21. CASE STUDY: ELEKS COMPLIANCE AUTOMATION PLATFORM
CUSTOMER: Large IT company with delivery centers in Europe and USA.
GOAL: Build a single pane of glass on security compliance and introduce a new standard for risk management and trust on the software development market.
DELIVERED SOLUTION: eCAP as an advanced GRC (Governance, Risk and Compliance) tool helped to:
• Reduce costs by automation of information security activities and certification audits
• Improve transparency by allowing clients to monitor security on their projects
• Support business growth by enabling a robust/predictable certification process and “distinctive” information security capabilities
Improved efficiency of compliance and risk management governance. Savings up to: 25% on certification audits, 60% on controls execution, 40% on client InfoSec audits.
23. What’s next?
• External audits
• External scanning
• 3rd party reporting
Pre-requisites: Standardized data feeds to assess 3rd party IS posture; ongoing update of IS requirements.
Outcome: Real time reporting and remediation of the incidents (cut-off); cost-saving for 3rd party assessments and incident management; continuous assurance.
24. VISION FOR 3rd PARTY RISK MANAGEMENT
Actors shown on the slide:
Vendor A and Vendor B: continuous monitoring of internal controls, delivered as standardized IS controls reporting.
Security vendor: independent assessment (continuous monitoring – external scanning of Vendors A and B).
Security auditor: independent assessment (periodical IS processes assurance of Vendors A and B).
Compliance management team with a GRC solution: receives the standardized IS controls reporting from Vendors A and B and publishes the organization IS requirements as a feed from GRC.
25. Have a question? Write to info@eleks.com
Find us at eleks.com
Thank you for your attention!
https://eufordigital.eu/e-card/what-exactly-is-trust-and-security-in-the-digital-field-is-it-just-about-cybersecurity/
Cybersecurity is very important in this context and can differentiate one company from others.