Intelligent CISO Issue 43 - Page 52

COVER STORY
Can you describe a typical day in the life of a CISO at DB Schenker ?
My day generally starts with checking emails and messages , followed by reviewing our central IT security reports for intrusion detection and IT security incidents . I then spend a lot of time in meetings . As the IT security organisation within DB Schenker is global , I schedule my meetings accordingly : in the mornings I meet with colleagues in the APAC ( Asia-Pacific ) region , during the middle of the day with colleagues in EMEA ( Europe , the Middle East and Africa ) and in the afternoons with colleagues in the Americas . These meetings focus mainly on regional projects , customer audits and supporting customers ’ Request for Quotations ( RFQs ). In between meetings I steer and manage the DB Schenker IT Security Program .
The IT Security Program was established a few years ago to build up the overall IT security capabilities and improve the
IT security architecture by aligning it to our overall IT security strategy . The target is to improve the overall security of our complete supply chain , which is very important when providing critical services to our customers and partners , especially the global ones .
DB Schenker never sleeps and neither does the requirement of IT security .
Can you explain how the project streamlined the management of critical security policies and enhanced secure access and authentication to business applications ?
We started developing our Identity and Access Management solution over 10 years ago . This gave us a strong platform to deliver integrations for applications deployed in our network . With the change to consuming Software-as-a-Service and using the cloud , we identified limitations in our capabilities . After trying a couple of open-source solutions , we decided we needed a more mature , feature rich solution . We set out to create a central strong and risk-based authentication service . James Naughton , Head of Identity Management , lead the project to select and implement this solution . After selecting Ping Identity as our preferred supplier , we were able to use its capabilities to implement our own modern web-based security policies . Our policies combine web-based single sign-on capabilities , with risk-based Multi-Factor Authentication .
We utilise device and location information from an authentication request , combined with the security level of the target business application for which access is being requested . Depending on the calculated risk , we then decide which level of authentication is required to allow this request . Once the user completed the authentication , or the risk is calculated as being ‘ acceptable ’, the user is allowed to access the requested business application .
52 www . intelligentciso . com