Hexagon: How to Secure a Fast-Growing Large Enterprise
With the threat level growing, the attack surface expanding, and AI augmenting attacks, enterprises are having an increasingly tough time trying to secure themselves and their digital assets from cyber threats.
It is a difficult enough task even for smaller enterprises. But how would a multi-billion-dollar large enterprise, that has thousands of endpoints, large digital and cloud infrastructure and complex data environments go about thinking of securing its operations?
Luckily, one such company faced that scenario and has implemented a strategy that can be used as a case study for others to follow: Hexagon AB.
With a presence in over 50 countries and a workforce of approximately 24,500, Hexagon is at the forefront of creating sensors and software that manage and organise the vast amount of data generated by our increasingly connected world.
Yet, this position in managing large amounts of data for numerous clients makes It an attractive target.
Therefore, a safe pair of hands, knowledgeable about the company from top to bottom, is what is needed. Hexagon has just that.
A large enterprise’s objectives for security
At the helm of its information security efforts is Steve Lorimer, the Group Privacy and Information Security Officer. With nearly 23 years of experience across multiple roles within Hexagon and its subsidiaries, Steve brings a wealth of knowledge and insight to his role.
"I joined Hexagon as a software engineer and through a number of different roles got a good understanding of how the business operates and how our customers operate across our global reach,” says Steve.
“It gives me a really good insight into what we need to do to protect the organisation while maintaining good business continuity and not disrupting the organisation from delivering its innovation and its digital requirements."
Steve is currently responsible for deploying all of Hexagon's information security solutions globally across all its divisions.
This sees him manage everything from the enterprise’s defensive posture – covering hardened network and perimeter and good security controls internally – through to its operations and incident response, compliance management and security awareness programmes.
“We're looking at protecting the organisation, protecting our data and increasing the resilience of the organisation to make sure that we can operate effectively as a commercial organisation,” Steve explains.
Yet his role extends beyond internal security. He also collaborates with product teams through the R&D side of the business, ensuring that Hexagon's products are built with security and privacy in mind. "We build secure by design and privacy by design," he emphasises, highlighting the company's commitment to creating robust and compliant solutions.
Hexagon's security habitat
When Steve assumed his role in 2018, it marked the first time Hexagon had a global security officer at the corporate level.
This presented challenges and opportunities. "In a sense, it was really a greenfield opportunity” Steve explains. “I needed to work with the organisation to understand what it needed, what its requirements were, but also to understand the existing maturity levels in the security teams."
As a result, Hexagon's approach to security has undergone significant changes over the years.
The company has transitioned from a decentralised security model to a fully centralised one, fundamentally altering its approach to security.
This shift was driven by the need for consistency and efficiency across the rapidly growing company.
"As an example, we were at a point where we had seven different EDR or antivirus solutions in play,” Steve explains. “Building consistency across those solutions is very complex and it becomes very difficult to provide assurance that the control set is robust."
This led Hexagon to move to a process of deciding between a best-in-class or platform solutions. Deciding on things like how security can be managed, what organisations are needed to support it, and the process of moving from a decentralised to a centralised function in an economical fashion, the company implemented a strategy of identifying and upgrading across its divisions.
“We worked with the existing set of solutions and processes to help migrate them from where they were to our global template,” Steve explains. “Some of the technologies persisted because we agreed they were best of breed and capable for the new world and others we retired and introduced the replacement technologies that become our standardised solution across the globe in line with all of our other divisions at the same time.”
Partnering for a full spectrum of security
Hexagon's success in securing such a large organisation is partly due to its strategic partnerships with large-tech giants and smaller, specialised firms.
Steve mentions partnerships with AWS and Microsoft for broad technology needs, as well as with niche players like Darktrace, 1Password and MetaCompliance for specific security solutions.
But with so many vendors all offering several solutions, finding the right one for the best fit can prove difficult.
Therefore, Hexagon has implemented a rigorous approach to vendor selection, especially for critical services.
"We ran a large RFI-RFP process to select a new vendor. The first step was a a desktop exercise to narrow our focus to a manageable number of organisations that could each meet our essential needs," Steve explains. “Following that, we entered into extensive discussions with each vendor to ensure that they could deliver the necessary quality of services at a scale to meet Hexagon needs.”
Equally, Hexagon selects its partners based on a company’s familiarity with the underpinning solutions it works with, so that it can support those solutions and operate to the maximum level of efficiency with those platforms.
One company that this vigorous system of selection helped Hexagon partner with is eSentire. An IT security service company, its managed SOC provider has proved particularly crucial.
"eSentire provides us with a managed service security operations centre (SOC). They ingest all our log data, all of our security event information, and they triage and analyse that data in real time to identify signals of interest," Steve explains.
This partnership allows Hexagon to maintain 24/7 monitoring of its systems and networks, ensuring rapid detection and response to potential security incidents.
Keeping safe in a growth-filled future
Hexagon is a fast-growth company that has grown through acquisitions over the past 20 years to expand its offering and client base. Yet, with new growth comes new challenges. Additional markets and new regions lead to increased systems and services that require monitoring and protection.
Another aspect that drives change is the compliance landscape. "Institutions and government organisations are bringing forward new legislation which will require resilience of the digital space as companies evolve to ensure they are adhering to new regulatory frameworks,” Steve explains. “The NIS2or CRA are emerging regulations which we have to meet in order to retain our competitive position in the marketplace."
In addition to regulatory challenges, Hexagon is continually working on technology projects to enhance its security posture. These include protecting cloud infrastructure, improving attack surface management operations as well as standardising network and endpoint management across the organisation.
AI is also playing an increasingly significant role in Hexagon's security strategy. "AI has already had a big impact. We've had an internal AI innovation team for many years who build AI into our products and deploy it for our customers' benefit,” says Steve.
“But we’ve also seen AI being used by adversaries to refine their attack techniques and methods."
Hexagon is, therefore, actively exploring ways to leverage AI for defence against AI-based attacks. Steve anticipates that AI will be particularly useful in combating sophisticated social engineering attempts, such as deep fake videos and voice simulations used in fraud attempts, which have grown exponentially and with a sophistication that has yielded a higher success rate.
Hexagon will also use AI to enhance its security capabilities. "We utilise technologies like Microsoft Security Copilot which we're starting to use to speed up the incident response process. It can provide significant insights into understanding the evolution of an incident much faster. It also provides clear benefits to reduce the workload of Security Analysts when generating incident reports. Continual evolution of our processes will help us to defend and respond to incidents more quickly, as well as resolve them in a timely manner, " Steve explains.
Securing the gains of tomorrow, today
As Hexagon continues to pioneer digital reality solutions, its commitment to robust security and privacy measures remains paramount.
With Steve Lorimer guiding a complex transition to centralisation, steering sector decisions on world-class versus platform solutions, and implementing a rigorous vendor selection process, Hexagon has a strong security foundation to build its high-growth ambitions. "For me, the most important factors within security are to make sure that you are aligned to the business, and you are supporting the organisation's overall strategic success,” Steve notes. “That means you need to be in tune with the organisation, its primary objectives, its core mission and values, and you are there to support that as a part of the overall business, not as an add-on to hinder that organisation from achieving its goals."
In an era where digital innovation and security are increasingly intertwined, Hexagon stands as a testament to how companies can successfully balance these crucial aspects.
**************
Make sure you check out the latest edition of Mining Digital and also sign up to our global conference series - Manufacturing LIVE 2024
**************
Mining Digital is a BizClik brand
