Drogaria Araujo
Tenable One is more than a security solution. It’s a business solution that helps me understand our attack surface, eliminate blind spots and build a baseline for effective exposure management.
Key Business Needs:
From inventory logistics to online sales and its customer-loyalty application, technology is a key enabler across Drogaria Araujo’s value chain. It’s no surprise that exposure management is an important topic for the CISO and the InfoSec team and supports their mission to detect and mitigate exposures across the company’s growing attack surface.
Using Tenable One, Araujo has streamlined investment decisions for the board of directors while reducing costs by 25% and ensuring the InfoSec team has new opportunities and meaningful work.
Product(s) used: Tenable One
Industry: Retail Pharmaceutical
Location: Brazil
Drogaria Araujo Targets its Cybersecurity Pains; Reduces Costs by 25% with Tenable One
From providing vaccinations and filling prescriptions to ensuring customers have access to necessities under one roof, the employees of Drogaria Araujo are dedicated to helping ease their customers’ pains. When it comes to visibility and understanding risk exposure, CISO Daniel Moreira likens Tenable One to a cybersecurity pharmaceutical hub that helps Drogaria Araujo’s team detect, report on, and ultimately treat the organization’s cyber risk symptoms.
“Tenable One shows me where our pains lie, and using risk-based prioritization helps my team focus on the most critical exposures and accelerate time to remediation across our hybrid environment,” says Moreira.
Drogaria Araujo (Araujo) dominates the retail pharmaceutical market in Minas Gerais, Brazil’s second most populous state, and is one of the largest in the country.
With 118 years of innovation baked into its DNA, Araujo was the first pharmaceutical company in Brazil to implement digital technology into its sales model, including tele-delivery and WhatsApp. From inventory logistics to online sales and its customer-loyalty application, technology is a key enabler across Araujo’s value chain. It’s no surprise that exposure management is an important topic for Moreira and the InfoSec team and supports their mission to detect and mitigate exposures across the company’s growing attack surface.
Using Tenable One, Araujo has streamlined investment decisions for the board of directors while reducing costs by 25% and ensuring the InfoSec team has new opportunities and meaningful work. Recently, Drogaria Araujo earned the Security Leaders Award 2023 supported by its use of the Tenable One Exposure Management Platform.
CISO focuses on risk-based areas of concern
The challenges of protecting the data and assets of a large organization are not lost on Moreira. With more than 300 stores in 50 cities, exposure coverage to avoid costly business interruptions is paramount.
Sensitive customer data must also be protected. As a pharmaceutical retail company, Araujo collects and stores private customer data related to medical tests, various medications and vaccinations performed at its retail locations, which must be reported to the Brazilian Ministry of Health. It also collects data connected to its loyalty program and insurance discounts.
With hundreds of servers, Araujo operates a hybrid environment, with the majority of its legacy environment running on-prem. Driven by digital transformation, Araujo’s cloud environment supports the new digital sales channels, the website, and WhatsApp functionality.
Exposure management across this hybrid environment, where legacy assets cycle through everything from frequent patches and equipment repairs to software and hardware that reach their eventual end of life, is an expensive and complex endeavor. The company’s cloud footprint is also expanding. Loose ends are inevitable, raising the question for CISOs across many industries: “How do you minimize risk and not just manage vulnerabilities?”
Moreira is candid about Araujo’s risk exposure prior to implementing Tenable One, noting that Araujo wasn’t set up to identify all assets and exposures across its attack surface.
“If you look at organizations that suffer cyber attacks, most of them don’t use an efficient exposure management approach,” says Moreira. “Before implementing Tenable One, we had no platform to manage vulnerabilities. As a CISO, I can’t fix the pains I can’t see, let alone prioritize corrective actions based on risk exposure.”
With a vision for complete visibility and exposure management in mind, Moreira and the InfoSec team set out to find a solution that would identify and prioritize exposures. After due diligence, Araujo selected Tenable One to gain visibility across its growing, hybrid attack surface and enable Moreira to deliver a unified, risk-based assessment to the board of directors.
Tenable One combines the broadest exposure coverage spanning IT and OT assets, cloud resources, containers, web apps and identity systems. It identifies assets, enables unified visibility, quantifies risks, and using comprehensive analytics, prioritizes and validates remediation efforts.
Araujo launched Tenable One for visibility, identification and cloud prioritization and now covers around 7,600 assets. Using the exposure management results from Tenable One, the InfoSec team performs quick analysis and implements mitigation plans.
“Tenable One does the risk prioritization for me, which is fantastic because it helps us anticipate the consequences of a cyber attack and defines our remediation focus,” says Moreira. “It translates all of the technical asset, exposure and threat data into meaningful business insights and actionable intelligence, so we can focus on the risk-based areas of concern.”
Araujo is also saving money by consolidating costly point tools under Tenable One’s unified platform while ensuring comprehensive visibility across the attack surface. “We’ve saved 25% on the cost of identity management alone,” says Moreira.
Focus on risk exposure simplifies investment decisions
Quantifying risk can be a challenge, especially when sharing insights with non-technical executives and board members who have no reason to understand the business relevance of thousands of exposures. What resonates, and unlocks investment support, says Moreira, is knowing the answer to the questions: “How secure are we and how are we mitigating the issues?”
Tenable One provides a unified and business-aligned view of cyber risk with clear KPIs to show progress over time and benchmarking to compare against external peers and within the organization. By applying advanced risk-based analytics to data gathered from multiple sources, Tenable One delivers a unified Cyber Exposure Score provided via Tenable Lumin Exposure View to prioritize areas of concern and hold teams accountable for risk mitigation.
Of course, not every exposure is at risk for external attack, and Moreira is pleased that Tenable One helps board members see beyond the exposure numbers and concentrate on the overall risk exposure. After all, as a CISO, Moreira has the opportunity to influence investment decisions, but he’s also cognizant of budget restraints and the CFO’s responsibility to spend wisely.
“What is the greatest risk of exposure and where are the main threats? Certainly, an insider can be a big threat, but compared to external threats, the insider becomes a low risk,” says Moreira. “This is why the prioritization and remediation guidance offered by Tenable One is fundamental. I’m able to demonstrate how new processes and staff will enable my team to move critical risks down the scale. Board members can decide for themselves their level of risk tolerance and allocate budget accordingly.”
Equally important is the board’s concern about damage to the Araujo brand. This is why Moreira incorporated Araujo’s mission to protect its customers' personal information into the company’s security policy.
“When we combined everything – this vision, our mission, our value, along with the value of the business – the concern that we have for our customers became a target for the entire board,” says Moreira. “The board understands how the risk exposure pains uncovered by Tenable One will impact Araujo’s business and what investments must be made to help my InfoSec team solve the problems.”
The Araujo board appreciates the new focus on risk exposure and welcomes the topic of exposure management to its regular agenda. Ahead of the most recent budget cycle, Moreira presented the risk assessment provided by Tenable One, and the board was proactive in its investment recommendations.
“Araujo's mission is to delight and satisfy the needs of our customers, so the moment you manage to make security and the business work together, it works,” says Moreira. “Tenable One is more than a security solution. It’s a business solution that helps me understand our attack surface, eliminate blind spots and build a baseline for effective exposure management.”
Automation helps uplevel important work and increase employee satisfaction
Like many organizations, Araujo operates with a lean security team. In a recent report from Forrester Consulting commissioned by Tenable, 60% of cybersecurity leaders say their InfoSec teams are too busy fighting critical incidents to work on reducing exposure, an issue reflected within Araujo as well.
Prior to implementing Tenable One, vulnerabilities were treated as ticket management, an issue that Moreira says required a large number of full-time employees (FTEs) and contributed to burnout and boredom among the team members.
Tenable’s exposure management platform helps security teams operate more efficiently by reducing the time and resources it takes to identify, mitigate and manage exposures and misconfigurations. The more you automate the process, the fewer FTEs are needed for exposure management. Moreira estimates a 25% savings in this area because Tenable One serves as a virtual team member and carries that load.
But these efficiencies also mean giving his staff new opportunities to focus on critical remediation projects that increase team member satisfaction even while keeping the headcount lean.
“At Araujo, we all enjoy solving problems that have meaningful impact for the business,” says Moreira. “Exposure management is exciting, and by revealing and prioritizing our pains, Tenable One allows our team members to direct their knowledge and skills toward critical projects that keep business interruptions at bay and protect Araujo’s customers.”
Fostering a partnership in people and technology
Kinship, trust and taking care of people are the cornerstones of Araujo. Moreira is pleased with his experience with the Tenable team.
“When faced with a security incident you need to have people you can count on,” says Moreira. “The closeness that the people at Tenable have with us is exceptional and is a differentiator that I haven’t experienced with other software providers. Who will be by our side in difficult situations? I can tell you that we have no doubt that Tenable is a partner that we can count on in those moments.”
As for Tenable One, the CISO again ties everything back to Araujo’s mission and most important assets – its customers.
“Our customers depend on Araujo to help them understand and treat their symptoms,” says Moreira. “In the same way, Tenable is my pharmaceutical hub, showing me our critical cybersecurity pains, the risk exposure, and what I need to do to treat them.”
“Exposure management is challenging for any CISO trying to protect an expanding threat landscape,” says Moreira. “Risks are inevitable, so a focus on reducing risk exposure is critical, but you can’t manage this alone. You need a tool like Tenable One to help you gather the data and connect the dots in an automated way so you focus on exposures that pose the greatest risk to your business.”
- Tenable One