In 2019, the initiative of DBS (Digital Business Solutions) to improve compliancy and efficiency was sparked by an IAD audit and stakeholder recommendations. DBS set up an Innovation Funnel and a Continuous Awareness Program, with a vision statement, frameworks, kick-off workshops, and gamification, to reach the goal of becoming more secure, compliant, and efficient. DBS reached out to Xebia to ensure 'a practical, no-nonsense approach.' One year later, DBS is on track with implementing the necessary controls and measures and has received compliments from the IAD for the progress realized. The time has come to sustain the current situation and hire an Agile Security Officer/Coach.
Achieve compliancy without slowing down
Increase knowledge and simplify processes
Introduce Maturity Models and gamification
Rotterdam has been an important seaport for hundreds of years and currently creates (in)direct employment for approximately 385,000 people. The World Economic Forum recently recognized the port as having the world's best port infrastructure, for the seventh time. To ensure efficient use of this infrastructure and realize cost savings among the carriers, digitization is essential. It also leads to better control and management of the port and its infrastructure, and improved insight into logistic processes.
One of the challenges a successful port faces is how to accommodate growth for its users. After the Port of Rotterdam (PoR) had added Maasvlakte 1 and Maasvlakte 2, more activity led to more waste due to poor data exchange in the port's logistic chains. Instead of building the next Maasvlakte, PoR decided to invest in setting up the Rotterdam Logistics Lab to facilitate, support, and improve end-to-end supply chain efficiency.
Gaining insight into compliance, security, and reliability requirements effectively helped PoR comply with the IAD's rules and ensure smooth sailing for all stakeholders.
From managing opportunities to managing products
In 2015, six of the port's employees put their heads together and founded the Rotterdam Logistics Lab (RLL), an external initiative to optimize communication within the chain using real-time data. RLL was allowed to take a greenfield approach, start from scratch, and use the latest cloud technology to support its mission. In 2018, RLL was absorbed into PoR as a new department named Digital Business Solutions (DBS). Today, DBS employs 80 people and continues to improve collaboration between all parties using the port.
While RLL focused on speed and execution, DBS now aims to improve quality and efficiency by ensuring the security, compliance, and reliability of the systems are on par. To help them do so, DBS approached Dave van Stein, Security Transformation Specialist at Xebia.
When looking for a Security Specialist, DBS consistently saw Dave's name and heard many great stories about him from other organizations. "When we invited him over for an introductory meeting, we were impressed by his broad knowledge. Moreover, we liked his approach. We needed someone who would be able to deal with not having a fixed plan but become part of our Agile team to help us overcome the hurdles we would experience on this journey."
"After our meeting, one colleague said: 'Well, we'll have a hard time beating around the bush with him.' That's when I knew. Dave is our guy." - Bob Madlener, Software Development and Operations Manager, DBS at Port of Rotterdam.
An Innovation Funnel formed the basis of the collaboration. The first step was investigating and assessing opportunities, then validating solutions and potential benefits, and finally scaling up to a sustainable business model. Together with Dave, the DBS team worked through the extensive field of compliancy frameworks, using the Cloud Security Alliance and its Cloud Controls Matrix as a starting point. From there, they filtered out frameworks that were irrelevant or not applicable to DBS. Finally, they created a compliance roadmap and gamified maturity models to accelerate adoption.
We introduced two maturity models to fit the teams' varying requirements and development phases: Site Reliability Engineering and Product Life Cycle. Both models consist of multiple steps the organization needs to take, divided into levels and visualized in an overview. This overview shows 16 topics, including Audit Assurance & Compliance, Datacenter Security, Governance and Risk Management, Threat and Vulnerability Management, and Human Resources. And this is where gamification came in! Every topic had a backlog to work through, and whenever a team reached the next level, it received a shield, printed by Bob on his 3D printer. Teams could see which shields had already been attained by others, adding an element of competition.
DBS had a specific goal in mind: boosting efficiency and compliancy without slowing down ongoing development processes. In June 2019, Xebia's Security Transformation Specialist started working with DBS to achieve this goal by optimizing and simplifying processes, integrating security and compliancy with maturity models, and using Threat Modeling to help teams identify risks.
Overview of the results:
The fast deployment of products and services is key to running a successful business. For innovation to flourish, security needs to be covered from the start, instantly and continuously.
Today's changing world requires critical and aware customers to put security high on the agenda. Xebia Security offers security services to top companies that accelerate and innovate by using modern secure software development methods.