Open-Xchange is an international software and cloud provider that services hundreds of millions of users worldwide.
Martin Heiland is the CISO at Open-Xchange, overseeing the company’s Information Security Program.
As a cloud service, Open-Xchange works with customers in highly regulated industries like telecommunications. Accordingly, the organization must comply with strict industry standards, such as ISO 27001.
Preparing for these audits is a strong focus of Martin’s role, alongside planning for any security changes to the IT environment.
Martin and his team continuously monitor for cybersecurity risks to ensure Open-Xchange’s systems remain secure and capable of safeguarding sensitive data.
“Open-Xchange uses a vulnerability scanner across the organization’s internal and external attack surfaces. While the scanner provides in-depth coverage, it doesn’t have asset discovery capabilities. It can only monitor what we know. It doesn’t have a perfect register of where every IT asset is, especially as we use dozens of cloud services for testing purposes.”
The scanner’s speed is also a limitation.
“We have thousands of assets, so we can only do scans once a week per asset, and it's not in real time.”
Before UpGuard, Martin’s team used a manual vendor risk assessment process. During onboarding, the team relied on spreadsheet questionnaire responses and vendor contracts to perform due diligence. They found that vendors were neither very responsive nor eager to complete the spreadsheet questionnaires.
As a small team, Martin said they primarily relied on this information to assess each vendor’s level of risk to the organization.
“We don’t have the capacity to spend a week with a vendor and see if they’re actually doing everything right. We were sending around an Excel sheet. It wasn’t automated and wasn’t ideal for the vendor to fill out.”
Martin decided to invest in a modern external attack surface management solution after repeatedly receiving invitations from customers to access their own security rating platforms.
“I looked into different solutions that could be useful for our supply chain, but also our own security posture. That's where I ended up at UpGuard.”
After assessing several modern attack surface management solutions, Martin felt UpGuard aligned best with Open-Xchange’s values. While pricing and features were also important factors, Martin believes UpGuard’s continuous development and transparency are what drove his decision.
“I like having the opportunity to see where things are going and to see that things are actually happening. I look for products that are on the way up, and that’s why I chose UpGuard.”
Martin leverages UpGuard to automate the discovery process for Open-Xchange’s public-facing assets.
“I use UpGuard as a source for newly discovered assets. If an asset gets added to UpGuard, I add this information to the internal scanner and vice versa.”
Martin also uses UpGuard to detect third-party vulnerabilities in Open-Xchange’s critical vendors.
“We use UpGuard to improve visibility into our assets and our vendors’. With this level of insight into our top suppliers, we can see when things are going south. I also use UpGuard’s scanning results to create tickets to resolve internal issues.”
Martin has realized several benefits from using the UpGuard platform beyond continuous attack surface monitoring and instant asset discovery.
Improving Executive Reporting
Martin uses UpGuard's external reporting to present key stakeholders with “a condensed overview” of Open-Xchange's security posture.
“It’s useful to have external validation of how we’re doing as an organization.”
UpGuard’s competitor comparison tool has also helped Martin communicate more effectively in his quarterly reporting.
“Being able to say we’re number one or close to it is a good metric we get out of UpGuard. We operate in a small industry, so the supervisory board and management team are very interested in seeing how we compare to our competitors.”
Automating Vendor Risk Assessments
Attack surface monitoring was Martin’s primary objective with UpGuard, but he found an opportunity to enhance the team’s manual vendor risk management processes through automation.
“I migrated the spreadsheet into UpGuard’s questionnaires and combined this with the technical monitoring of vendors. It adds a lot of value and ties the information together in one place.”
With UpGuard, Martin said the team can now perform quick external checks on vendors by reviewing their security scores in the platform.
“Before we sign up a vendor, we do technical due diligence by running them through UpGuard to detect any red flags. If we find a new vendor with a score of 300, it raises questions, and we use it as part of our due diligence.”
Reducing Third-Party Risk
As a European company, Open-Xchange must comply with strict privacy requirements that extend to its vendors.
Martin said the Open-Xchange team found a new use case for UpGuard to help manage the “legal aspect of privacy” in third-party risk.
“We're exploring the idea of using UpGuard questionnaires for non-security purposes. Our legal team is interested in creating custom questionnaires to help assess our vendors’ compliance risk as part of the due diligence process.”