ISS World Services A/S, One of the World's Leading Facilities Management Providers, Finds Efficient Road to Security Visibility
Accelerates time to mitigation for identified security gaps.
Improves decision-making around IT integration of acquisitions.
Confirms the value and success of solutions post-investment.
ISS World Services A/S is a specialized facilities management provider with 430,000 employees spread across five continents. Its offerings range from cleaning and catering to such diverse services as maintenance of nuclear power plants, design of office interiors, and optimization of buildings’ carbon dioxide emissions.
The company places a premium on IT security. “Our customers include some of the largest companies in the world, and many operate in sectors that are constantly under threat, like defense contractors and data centers,” says Mark Kuhre Jensen, global information security manager at ISS World Services A/S.
Until 2020, dozens of largely independent teams handled day-to-day security management throughout the various business units of ISS World Services A/S. Then the company experienced a malware incident that led management to transform its strategy.
As the group mapped their path forward, they knew they needed more frequent and consistent penetration testing. “When we build a capability, we shouldn’t assume that our systems are secure,” says Martin Petersen, Chief Information Security Officer (CISO), ISS World Services A/S.
“The AttackIQ platform greatly accelerates the threat mitigation process. Instead of waiting a month for a penetration test to be completed, we can do it all in one combined workshop. It saves time and money.”
The Security Optimization Process with AttackIQ
The team projected that they would need to add two pen testing specialists to adequately increase the frequency and scope of their manual security-control assessments. However, breach and attack simulation (BAS) software offered a more cost-effective solution. “We saw the opportunity to automate and run all sorts of attacks and techniques through it,” Jensen says. “We knew we could dramatically improve visibility into our security effectiveness, and be more efficient with our team resources.”
ISS considered several options. A key criterion in the selection process was tight integration with the company’s Microsoft security stack. “Among the BAS solutions that Microsoft listed as officially integrated with its solutions, the AttackIQ Security Optimization Platform was the most mature,” Petersen says. “In addition, AttackIQ provided the best service throughout the sales process, which gave us confidence in their ongoing support.” The choice became indisputable when ISS ran proofs of concept for the platforms on its shortlist.
The global information security team rolled out the AttackIQ Security Optimization Platform, beginning with identifying all of the types of malware that the company had encountered in the past. They cross-referenced these threats against the comprehensive MITRE ATT&CK framework, created by the nonprofit MITRE Corporation, and broke each down into the discrete tactics, techniques, and procedures (TTPs) required to bring the attack to fruition. Next, they built simulations to pinpoint any vulnerabilities in their systems.
“AttackIQ enables us to be more strategic with our security investments. What should we implement next to drive down risk? Automation is a smarter way of answering that question than manual pen testing because it reduces the cost of testing and increases the thoroughness of assessments.”
Automated control validation has revealed vulnerabilities of which the company was not previously aware, enabling it to transition away from certain managed service providers whose security was not up to the standards of ISS World Services A/S. In one case, Jensen reports, a business unit was relying on a hosted endpoint detection and response (EDR) solution. A third party had tested the control and provided a written report stating that it was secure, but AttackIQ revealed troubling security gaps.
The global information security team now performs continuous validations of the company’s most important controls. They use the results of these tests to support the business case for needed security upgrades.
In addition to tuning and optimizing internal security controls, the Security Optimization Platform is playing a crucial role in ISS mergers and acquisitions (M&A). “When we are going to acquire a new company, we can use the AttackIQ platform in the due diligence process,” Petersen says. “Testing controls in the target company before the deal closes enables us to understand their security hygiene. Does it make sense to integrate our security systems, or should we plan on fully absorbing them into our infrastructure because their current environment is just too risky? AttackIQ helps us make those decisions.”
Finally, the AttackIQ platform gives the global information security group proof of the success of the company’s security investments. “We’re able to use it to document that our security stack and the processes around it are working as intended,” Petersen says. “It helps me provide detailed reports to the C-suite, the board, and auditors to create transparency around our return on investment as a corporate security function.”
“There are still a lot of things that keep me up at night,” he concludes, “but I am sleeping much better now than I did before we started working with AttackIQ.”
Ready for your cybersecurity program to be tested against real-world threats, optimized for effectiveness, and prepared for future attacks?