Large Canadian City Expedites Software Approval Workflows While Reducing Risk

Written by ReversingLabs | Jun 10, 2025 12:40:34 PM

A large Canadian city government partnered with ReversingLabs to improve risk management across its software acquisition and management lifecycle. The City de-risked desktop and server software acquisition by a factor of 6300% and converted an unreliable, multi-day workflow into a 15-minute process that delivers actionable results and an accompanying audit trail.

Their Cybersecurity Leader described an overwhelming backlog of commercial off-the-shelf (COTS) software approvals, caused by a manual, multi-day, interruption-prone risk assessment process for each request. Spectra Assure® allows the team to rapidly assess risks, including malware and vulnerable components, dramatically increasing team throughput while keeping labor costs flat and achieving better risk insights.

The new process involves sharing SAFE reports with their vendors using Spectra Assure’s built-in sharing ability, which is met with appreciation and a commitment to address specific risks. This has materially improved the City’s risk posture. Capturing results in the SAFE report provides intuitive visual cues for non-technical users along with detailed information required for remediation. In this sense, a once detective control has become preventive as the COTS attack surface is reduced in cooperation with key vendors.  

As with most city governments, many requests are “urgent”. The introduction of Spectra Assure empowers the team to stay ahead of emerging threats and expedite the resolution of routine end-user inquiries centered around the question, “Is this safe?”

Reducing Risks While Improving User Satisfaction

With an end-user population of roughly 18,000 and increasing geopolitical threats and privacy concerns, the City’s Security Operations team faces an ever-increasing influx of risks amidst an accelerating volume of requests from end users to download and deploy untested third-party commercial software. Furthermore, the City’s costs are meticulously reported, and team headcount increases are virtually impossible. The existing team is expected to maintain operational tempo despite increasing risks and legislated involvement with all RFPs and software requests, while their days are consumed developing controls around emerging capabilities such as AI.

Spectra Assure allows the team to optimize their approach to software requests, thus reducing risk while freeing up cycles for the team to remain nimble and responsive to an increasing volume of inquiries.  

The City’s holistic approach to risk allows its citizens to realize more value and better risk avoidance from a cyber team that’s smaller than that of many comparable cities.

Sharing the SAFE report really works. We’ve had vendors thank us for letting them know, and affirm that they’ll fix the issue.

Security Leader, Canadian Municipal Government

Ease of Collaboration Builds Partnerships and Reduces Risk

The ease of sharing the Spectra Assure SAFE Report, which highlights items exceeding the City’s risk appetite, has revolutionized interactions with some of the City’s vendors. Unlike several years ago, when entire weeks were consumed asking “where’s Log4j?”, the City knows where COTS risk resides and can make targeted requests for vendors to address specific risks, instead of spamming emails to the entire vendor constellation every time there’s an emerging risk.

The City’s cyber team uses Spectra Assure to analyze commercial and freemium software packages requested by their end users to determine if a software package is safe to deploy. SAFE reports provide requestors with a consistent basis of understanding regarding why a requested package may be denied or granted a temporary exception pending vendor engagement.

The shareable Spectra Assure SAFE Report provides the Security and Risk staff a means to identify and report on the dangers of software threats like malware, vulnerabilities, and suspicious behaviors. Security issues are clearly labeled and organized by risk category and indicate which findings are in direct violation of tailored security policies. SAFE reports provide sufficient details for vendors to pinpoint and address risks. 

Before Spectra Assure was in place, it was hard to envision proper processes. Now they are standardized and driving down risk.

Security Leader, Canadian Municipal Government 

Consistent Process Improves Speed 

Previous processes were largely ad hoc, so the only predictable outcome was that too much time would be consumed to yield an inconsistent and untrustworthy report on COTS risk. With software supply chain security a growing priority for the local government, as highlighted by Verizon’s DBIR, Spectra Assure gives the Security Operations team the capability to build a consistent process that allows better risk reduction while demonstrably conforming to audited controls.