One of Europe's Largest Cloud Transformations
O3 Cyber helped Storebrand's security team prepare for tomorrow's threats.
IT security in the financial industry is rapidly evolving. Artificial intelligence and machine learning have become an arms race between banks' security systems and attacks from criminal groups. One year after ChatGPT was launched in 2022, significant changes in attacks:
"The phishing attempts that come in have become more sophisticated. Now, the Norwegian language in the phishing emails is almost perfect, and the sender appears to be the right person at Storebrand. However, these are not authentic emails, says Øyvind Bergerud, Head of Security Operations at Storebrand.
Storebrand chose to revamp its security system for future security threats. Initially, Storebrand's security was organized into silos, including a security team in one team manually addressing threats and developers in another team having to request firewall changes from an external provider. The latter could take a month:
"In the financial sector, there are a lot of regulations from the EU and the Financial Supervisory Authority that we must follow. Therefore, we have a great need for a system where these regulations are embedded in the design. For example, we wanted a system that makes it impossible for our developers to create services where data is stored in insecure locations," says Øyvind Bergerud.
The solution was to move from an outsourced operational model with a traditional data center to insourcing and cloud-based solutions.
Guardrails for IT Security
Storebrand brought in cloud specialists O3 Cyber (O3C) in 2022 to help migrate securely to the cloud.
"O3C was a natural choice because they were the best in cloud security as a niche and had a unique position in the market. We also wanted to work closely with O3C because Storebrand has a broad portfolio of services, requiring one of the more complex IT environments in the financial sector. Our IT security must protect everything from pensions, banking, corporate and consumer markets," says Øyvind Bergerud.
O3C worked closely with Storebrand for a year to develop processes tailored to cloud-based solutions. By insourcing most of the cyber security, Storebrand and O3C could design a "guardrail" security system where developers work rather than submitting requests for each security change to a new service. This has resulted in significant time savings, partly because several security tasks are automated, and developers can launch new services more quickly.
"Following the transition to cloud-based services, developers have launched several new services while the security team works more proactively on security intelligence. If we had done this without transitioning to the cloud, we would have had to hire many new co-workers," says Øyvind Bergerud.
Øyvind Bergerud estimates that a cultural change among his co-workers is the biggest gain from the cloud-based security model.
"Now, the development teams are responsible for security within their areas. They become more independent and are not dependent on a central security team. Today, they have freedom with responsibility and possess both operational and security expertise," says Øyvind Bergerud.
Storebrand's security team has also undergone a cultural change by automating simple security tasks, such as password recovery and manually investigating security alarms. Today, proactive security is a service they provide in the same way business teams deliver their financial services.
"Today, the security team has more time for operational intelligence work. We investigate threats and probable attackers and look at how we can protect ourselves in advance. It's a new way of working that benefits the entire organization," says Øyvind Bergerud.
Storebrand was O3C's first customer. Does O3C have enough breadth to meet multiple needs despite being a small player?
"Yes, I am satisfied with the good cooperation with O3C; together, we complement each other, and our team has emerged stronger from this collaboration," says Øyvind Bergerud.