Compassion International

Compassion International Gets a Global View of Cyber Risk With Tenable.io

Compassion International works across 25 countries, helping to release 2 million (and counting) children from poverty. The organization focuses on the most impoverished children – many live on less than $2 a day. To ensure Compassion International delivers on this mission and operates effectively, the cybersecurity team must manage a large globally distributed network. They not only protect the sensitive data of the children they serve, but also the personally identifiable information (PII) for more than 1.5 million donors and 30,000 volunteers worldwide. The cybersecurity team is committed to upholding the highest level of security standards and staying onestep ahead of cyber threats.

Challenges

With 25 field offices across the globe, Compassion International requires a comprehensive, flexible solution to take their vulnerability management program to a higher level of maturity and solve the following challenges:

• Bring together siloed information to deliver a global picture of vulnerability footprint

  While Compassion International was effective in protecting against cyber threats, each of the business areas and field offices was responsible for securing their own devices and systems.“Each area was using different processes and tools, resulting in ‘stove pipes’ of information,” says Brian Rhodes, senior director of cybersecurity. “Our organization was seeking to consolidate vulnerability management and get a global picture of our vulnerability footprint in one product.”Compassion International required an efficient solution to reach across a geographically distributed network, and also alleviate any network bandwidth and firewall complexity issues.

• Deliver updates and resource requirements to senior executives

  Rhodes needed a clear, consolidated view of their cyber risk across the enterprise to provide security updates to executives as well as support C-level discussions about resource expenditures for increased business capabilities.He also required intuitive reporting and the ability to quickly filter on criteria to get just the information he needs, such as vulnerability data on particular field offices or types of assets.

• Easily integrate vulnerability data with existing business platforms including ServiceNow

  The cybersecurity team needed to easily surface vulnerability data to ServiceNow to perform their IT Service Management work with remediations. Instead of exporting vulnerability data to PDF or Excel and emailing it to teams, they needed to create remediation tickets automatically for the administrators who can fix the issues.In trying to get the vulnerability data out of their vulnerability management platform and into ServiceNow, the team found the integration with previous assessment tools such as Tripwire IP360 so difficult that it required custom development work, and drove them to recast the net and look for other vulnerability management solutions.

• Efficiently comply with PCI requirements

  Compassion International needed turnkey tools and templates to deliver on quarterly PCI reviews to meet compliance requirements.

• Extend the platform to modern assets such as web apps and cloud services

  As business needs evolve and Compassion International expands the use of technologies such as AWS, the cybersecurity team needs a platform that easily supports these modern assets and systems – all in one product.

Solution

Compassion International was able to consolidate and replace existing tools, including a Qualysguard Scanner and BeyondTrust Retina, and move to a single solution. Rhodes and his team considered several solutions, but Tenable stood out as the best choice to help mature their vulnerability program due to these key capabilities:

• A cloud-managed solution to centralize data across business areas

  After selecting and experiencing success with Tenable.sc, the team decided to migrate to a SaaSbased solution, Tenable.io, to reduce network complexity, meet their expanding global needs and support modern assets.

  Tenable.io’s cloud-based platform enables each office to upload their data to a centralized location, providing a scalable solution that also frees up the network and IT resources for other initiatives. Rhodes says, “Tenable was key in us migrating from a less mature vulnerability management process to the higher level of maturity that we see Illustrative Data: Tenable.io provides unified visibility of assets and vulnerabilities to help you prioritize remediation based on actual cyber risks. today. Our organization underwent a transformation. We were able to break down the silos and move to a more centralized structure.”

• Comprehensive coverage and visibility with active scanners, agents and passive network monitoring

  Tenable provides the widest variety of data collection technologies available, including active scanners, agents and passive listening sensors to help maximize scan coverage across all of Compassion International’s systems, networks and applications. It was essential for Compassion International to gain as much information as possible into their environment through authenticated scans and agents.

  “Tenable was Compassion’s first global solution,” adds Rhodes. “It allowed us to get a comprehensive picture of our vulnerability footprint in one product.”

• Customizable dashboards with specialized views

  Tenable.io’s customizable, actionable dashboard provides Rhodes and his team with easy-to-consume data to help prioritize and fix the most pressing issues.

  Rhodes explains, “With the classic Tenable.io interface, I am able to see the traditional Critical, High, Medium, and Low” vulnerabilities. I am able to toggle between this and Tenable.io’s new interface, which provides deeper context and shows exploitable vulnerabilities. We are able to look at a more real-world picture of the vulnerabilities most likely to be compromised and the ones that have the highest priority.”

  
  Illustrative Data: Tenable.io provides unified visibility of assets and vulnerabilities to help you prioritize remediation based on actual cyber risks.

• Well-documented APIs to seamlessly integrate vulnerability and asset data into existing IT systems

  Tenable.io’s well-documented APIs makes integration with other systems simple, enabling Compassion International’s security team to begin automating the vulnerability management process.

  Rhodes explains, “With this integration, my system administrators will have a much lower time investment in getting vulnerabilities into the hands of people who need to fix them. Tenable has been integral in that process.”

  While he is not an administrator, Rhodes used the API. He says, “I was able to review the API documentation, get the key that I needed and get it all working within a matter of 15 minutes. This is a tremendous improvement over the previous solution where we had to hire an outside developer to integrate the vulnerability data. This solution did not work due to a bug in the API.”

• Efficient, turn-key quarterly PCI reviews

  Compassion International can now easily demonstrate adherence to compliance initiatives using Tenable.io’s pre-defined checks against industry standards and regulatory mandates.

• Comprehensive and accurate web application scanning

  Tenable.io’s Web Application scanning provides Compassion International with the ability to secure all types of assets, including web applications — without adding another point product.

Conclusion

Tenable.io has enabled Compassion International to obtain a comprehensive view of their cyber risk across a globally distributed network, and deliver key insights to leadership.

As their business needs expand, Compassion International is now well positioned for growth, with the ability to secure modern assets such as web apps and cloud surfaces using one product.

Rhodes concludes, “Tenable has allowed us to leapfrog the maturity of our vulnerability management program. It’s better than any other solution that we’ve used. We wouldn’t be where we are today without Tenable.” He views Tenable.io as a key component as the team continues to evolve and mature their Cyber Exposure efforts.

Rhodes is enthusiastic about Tenable.io’s roadmap. Predictive Prioritization and advanced benchmarking capabilities will help Compassion International continue to mature their Cyber Exposure program.