Case Study: PEXA broadens security posture visibility

Migrates to a cloud-based platform.

PEXA has broadened its security visibility to get a better understanding of the threats and risks of operating in a cloud-based environment.

David Willett, the now former CISO at PEXA, told Digital Nation that PEXA's migration from "traditional on-premises, server-based infrastructure in a data centre here in Melbourne to being completely cloud-based" created new requirements around visibility.

Willett joined PEXA in 2019 as part of a new and revitalised security team, but at a time the company was struggling with “the way that we were growing in the cloud”.

This involved visibility of best practices, security and cloud posture, but also visibility of threats.

“What we were also struggling with at that point in time as well was how we measured the effectiveness of our security program across a number of different domains," Willett said.

For this use case, it particularly involved cloud security “and the number of different products we had, what was going on in terms of our coding, [and] were assets configured to best practice for the different frameworks that we were aligned or certified to."

He said Palo Alto Networks' Prisma Cloud was one of the early tools trialled that provided “that complete unified and very scalable view as well as a cloud-first product in a cloud-first environment.”

PEXA integrated Prisma Cloud with its AWS accounts to gain visibility into that space.

Willett explained that the system enabled PEXA's security team to broaden its visibility across the cloud network.

It also gave PEXA an overview of its cloud assets, highlighting high-risk configurations and mapping them against the regulatory requirements the company had to meet.

“We were able to very easily roll access and dashboards to the tool out to the broader cloud and dev communities within the organisation as well so that they were able to see how they were progressing as well," Willett said.

This covered teams' understanding of how secure their products, code and other resources under management were.

“That allowed us to share some of that ownership out with the broader business, because back in 2019 security teams were still shouting into the void a little bit in terms of trying to get people to understand why we needed to do certain things.

“This created a really good, almost visualisation that worked on a very technical level so that engineers and developers were very quickly able to get up to speed on security.

“On another level”, he continued, as the CISO, “as much as I would love to be spending more time getting down in the weeds and having fun with the technical teams, I needed a very simple view.”

“I was able to work with my cloud security lead to leverage the tool to be able to provide me some very simple, in some cases, singular metrics that I could report up to my executive and my board to show how we were progressing on our road map of ensuring that we aligned to best practice with security in the cloud."

Willett said the team was able to achieve this by implementing current best practice frameworks and then adding its own policies into the mix as well.
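The approach described above, baseline checks derived from a best-practice framework combined with the organisation's own policies and rolled up into a single reportable metric, can be illustrated with a small posture evaluator. The following is an added example, not PEXA's code and not Prisma Cloud's policy language; the resource inventory, policy identifiers and team names are constructed for illustration and the checks are simplified versions of common cloud-hardening controls.

```python
"""Toy cloud-posture evaluator (added example, not from the original article).

Runs a baseline set of framework-style checks plus one organisation-specific
policy over a constructed inventory of AWS-like resources, then rolls the
findings up into per-team, per-policy-source and overall compliance scores.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union


@dataclass(frozen=True)
class Policy:
    id: str                       # hypothetical policy identifier
    source: str                   # "baseline" (framework-derived) or "custom" (organisation's own)
    resource_type: str            # resource type it applies to, or "*" for all
    check: Callable[[dict], bool] # returns True when the resource is compliant


def sg_has_no_open_ssh(sg: dict) -> bool:
    """Fail if any ingress rule covering port 22 is open to the whole internet."""
    for rule in sg.get("ingress", []):
        if rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0) and "0.0.0.0/0" in rule.get("cidrs", []):
            return False
    return True


PAB_KEYS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")

POLICIES: List[Policy] = [
    Policy("S3-PUBLIC-ACCESS-BLOCK", "baseline", "s3_bucket",
           lambda b: all(b.get("public_access_block", {}).get(k, False) for k in PAB_KEYS)),
    Policy("EBS-ENCRYPTED", "baseline", "ebs_volume", lambda v: v.get("encrypted") is True),
    Policy("SG-NO-OPEN-SSH", "baseline", "security_group", sg_has_no_open_ssh),
    # Organisation-specific policy layered on top of the baseline: every resource needs an owner tag.
    Policy("ORG-OWNER-TAG", "custom", "*", lambda r: bool(r.get("tags", {}).get("owner"))),
]

# Constructed inventory standing in for what an integration with the cloud accounts would return.
INVENTORY: List[dict] = [
    {"id": "logs-bucket", "type": "s3_bucket", "team": "platform",
     "public_access_block": dict.fromkeys(PAB_KEYS, True), "tags": {"owner": "platform"}},
    {"id": "export-bucket", "type": "s3_bucket", "team": "data",
     "public_access_block": {"block_public_acls": True}, "tags": {}},
    {"id": "vol-1", "type": "ebs_volume", "team": "platform", "encrypted": True, "tags": {"owner": "platform"}},
    {"id": "vol-2", "type": "ebs_volume", "team": "data", "encrypted": False, "tags": {"owner": "data"}},
    {"id": "sg-1", "type": "security_group", "team": "platform",
     "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}], "tags": {"owner": "platform"}},
    {"id": "sg-2", "type": "security_group", "team": "data",
     "ingress": [{"from_port": 0, "to_port": 65535, "cidrs": ["0.0.0.0/0"]}], "tags": {"owner": "data"}},
]


def evaluate(inventory: List[dict], policies: List[Policy]) -> List[dict]:
    """Apply every applicable policy to every resource; one finding per (resource, policy) pair."""
    findings = []
    for resource in inventory:
        for policy in policies:
            if policy.resource_type in ("*", resource["type"]):
                findings.append({
                    "resource": resource["id"], "team": resource["team"],
                    "policy": policy.id, "source": policy.source,
                    "compliant": policy.check(resource),
                })
    return findings


def compliance_score(findings: List[dict], group_by: Optional[str] = None) -> Union[float, Dict[str, float]]:
    """Percentage of compliant findings, overall or grouped by a finding field (e.g. "team", "source")."""
    if group_by is None:
        return round(100.0 * sum(f["compliant"] for f in findings) / len(findings), 1)
    buckets: Dict[str, List[bool]] = defaultdict(list)
    for f in findings:
        buckets[f[group_by]].append(f["compliant"])
    return {k: round(100.0 * sum(v) / len(v), 1) for k, v in buckets.items()}


def failing_resources(findings: List[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant resource to the policies it fails, for the engineering-level view."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if not f["compliant"]:
            out[f["resource"]].append(f["policy"])
    return dict(out)


if __name__ == "__main__":
    results = evaluate(INVENTORY, POLICIES)
    print("overall:", compliance_score(results))                  # the single board-level number
    print("by team:", compliance_score(results, "team"))          # what each dev team sees
    print("by source:", compliance_score(results, "source"))      # baseline vs own policies
    print("failing:", failing_resources(results))                 # what engineers act on
```

The same findings feed three audiences: the overall percentage is the single metric for executives, the per-team breakdown is what individual engineering teams can track, and the per-resource failure list is what they act on. Splitting the score by policy source also shows whether gaps come from the framework baseline or from the organisation's own rules.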

“You could very clearly track that journey over the course of two to three years," he said. “That enabled a really robust and pragmatic discussion around how that progress was tracking."

In addition to aiding executive reporting, the system had proven useful for communicating cyber risk to other non-technical staff and helping them to understand the efficacy of actions they took in response.

However, Willett said customers are the ones who ultimately benefit.

Willett said that over the next year, the company will continue to build out visibility.

“There are probably two main things that tie into this solution that are important for the next 12 months," he said.

“We've grown a lot overseas and we have a lot of new organisations, which has increased the complexity of our tech stack.

“One of my main priorities is to make sure that we have a consistent level of visibility, control and management from a security perspective over the entire group so that we avoid having weak links in the chain.”

He also foreshadowed additional integrations with other security tooling to present "a consistent view of where our vulnerability exposure lies, be it from patching requirements, our bug bounty program, or also from any penetration test findings that we have, too."

“Again, making sure that we can measure it is important."

© Digital Nation