For Visma, delivering secure business software is an absolute top priority. High standards are meant to ensure data protection and privacy, so that businesses can use cloud software with confidence. These standards are laid down in the Visma Security Program. We spoke about the program with Cindy Wubben, Chief Information Security Officer of Visma Benelux.
The Visma Security Program was originally created to make accounting, administration and wholesale systems more secure. “We want to enable companies under the Visma umbrella to be able to make the best security decisions,” Wubben said. The result is a centralized program that provides dozens of Visma brands with tools to build security into their products and to guarantee it at many different levels.
Wubben indicates that the Visma Security Program is the oldest program within the security strategy. Based on the risks they observed, the security experts started formulating and setting up services to mitigate those risks. Over time, the program has been regularly updated and expanded with other components that fit within Visma’s security strategy.
To put Visma’s security story in context, it helps to know that most of its software solutions came under the parent company through acquisitions. In determining whether a company is actually of interest to Visma as an acquisition, it also takes into account how secure the software already is. Visma thus assesses the security of a product in advance. If the product meets sufficient standards, the acquisition is given a ‘go’ by the security department. In theory, that could also mean that a product is not secure enough and the acquisition therefore does not go through.
Visma also continually assesses its own software, using a grading system. On the basis of an assessment, which includes questionnaires but also code tests, it is determined how mature the security of the software is. Based on the risk, the software is rated bronze, silver, gold or platinum. Often it is a managing director who, together with Wubben, determines at which level the product is finally graded. For example, they look at what data the product processes, since more sensitive data raises the security requirements, and at whether it is on-premises software or a SaaS product. Wubben explains that SaaS is gold or platinum by definition because it offers the right level of security.
Once the security level of a product is identified, a target tier is also determined. For example, a product may be labeled gold, but certain software components may need to be rebuilt to further increase the security level. Generally, six months are given to meet the new target tier, with Wubben and her team providing support.
With services on the way to new heights
In principle, that work proceeds as far as possible via an index, on which a Visma company can see how far along it is with implementing the security components of the Visma Security Program. These components are usually described as services. Collectively, the services cover a large part of everything related to software security. For example, a basic discipline such as Static Application Security Testing (SAST) is part of the program: it scans source code for security flaws before the code is ever run. By running SAST in the development pipeline, software developers can catch many classes of flaws before the code ships.
In addition, the Visma Security Program features Dynamic Application Security Testing (DAST). This tests the running application by sending it attack-like input, so that a security expert can analyze and resolve any vulnerability it exposes. Complementing this is a bug bounty service that challenges ethical hackers to track down vulnerabilities. An ethical hacker who reports a valid vulnerability receives a reward from Visma, the amount of which depends on how critical the vulnerability is.
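To make the SAST service described above a little more concrete, here is an added example of the kind of check such a scanner runs over source code. It is not Visma’s own tooling: the three rules, the names used in them and the sample source they are run against are all constructed for this illustration. The scanner parses the code into an abstract syntax tree and flags a hard-coded secret, a shell-enabled subprocess call and a non-constant argument to eval(), while leaving a constant eval() argument alone, which is exactly the sort of false-positive control a real SAST rule set needs.

```python
"""Minimal SAST-style rule set built on Python's ast module.

Added example, not Visma's tooling: it shows the kind of check a SAST
scanner runs over source code before it ships. The rules, the names and
the SAMPLE source below are all constructed for illustration.
"""
import ast
from dataclasses import dataclass

# Constructed sample: a small module with three classic findings and one
# safe call, so the scanner has something to flag and something to ignore.
SAMPLE = '''
import subprocess

DB_PASSWORD = "hunter2"            # hardcoded secret

def run(cmd):
    return subprocess.run(cmd, shell=True)   # shell injection risk

def calc(expr):
    return eval(expr)                          # arbitrary code execution

def safe(expr):
    return eval("1 + 1")                       # constant argument: not flagged
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


class Rules(ast.NodeVisitor):
    """Walks the AST once and collects findings for three rules."""

    SECRET_NAMES = ("password", "secret", "token", "api_key")

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # Rule 1: a string literal assigned to a name that looks like a secret.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                    key in target.id.lower() for key in self.SECRET_NAMES
                ):
                    self.findings.append(Finding(
                        "hardcoded-secret", node.lineno,
                        f"string literal assigned to {target.id}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # Rule 2: eval()/exec() with a non-literal first argument.
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            if node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(Finding(
                    "dangerous-eval", node.lineno,
                    f"{func.id}() called with a non-constant argument"))
        # Rule 3: any subprocess.* call made with shell=True.
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(
                        "subprocess-shell", node.lineno,
                        f"subprocess.{func.attr} called with shell=True"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse the source and return its findings sorted by line number."""
    tree = ast.parse(source)
    rules = Rules()
    rules.visit(tree)
    return sorted(rules.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"{finding.line}: [{finding.rule}] {finding.message}")
```

Run against the constructed sample, the scanner reports the secret on line 4, the shell=True call on line 7 and the eval() on line 10, and nothing for the constant eval() on line 13. A production SAST tool does the same thing with far more rules, data-flow tracking across functions and a way to suppress accepted findings; the shape of the job, parse and pattern-match before anything executes, is the same.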
Another way Visma safeguards software security is through monitoring in a variety of ways. For example, Visma has an in-house team of security experts dedicated to threat intelligence. Through research and monitoring, these experts identify events that pose a potential threat to the software. These may include, for example, state-sponsored attackers who find a completely new way to attack organizations.
The advantage of scale
What Wubben notices is that bringing the services together on the dashboard at Visma companies leads to active involvement in raising security levels. She often sees Visma brands eager to achieve and maintain platinum status. Companies also want to help each other reach a higher level of security. It regularly happens that a Visma brand with platinum status helps and encourages a new Visma member to move up a level. Ultimately, every Visma product benefits from the good security of the others. Wubben indicates that this is part of the security culture: together, Visma employees ensure that customer data is protected in the best possible way.
Wubben also indicates that the Visma Security Program can really be a reason for a software vendor to want to join the club. Before an acquisition, a software vendor often has much less knowledge about and resources for security in-house. When they join Visma, they gain access to a professional security program and quite a few employees who can provide support.
Employees must enjoy it
A big challenge is to make and keep security interesting. As Wubben pointed out, employees are willing to help each other, which can certainly contribute to the continuous improvement of security. However, it is true that in a Visma company, often one or two people are primarily responsible for security, and the other security tasks are divided among various employees, from software developers to privacy specialists. It is then important to involve all those employees in the process of continuous security improvement.
This is where the dashboard plays a prominent role. In this dashboard, a manager can see how far everyone is in implementing the security components. There is also prioritization so the manager knows what to focus on. In turn, the person responsible for a security issue can also consult the dashboard, in this case to determine which issues to focus on. In this way, Visma aims to provide the right guidance for different roles.
As an additional step to keep security interesting, gamification has also been introduced into the Visma Security Program, in the form of a point system. Employees see in the dashboard what they need to pay attention to, and acting on it affects their point score. This allows them to become the team’s security champion, so to speak. It is a playful approach, of course, but with the goal of raising the bar for software security.
And that bar has to be high, because ultimately a lot of sensitive data is processed in Visma software. Think payroll and billing information: such data must be absolutely secure. By taking application security seriously, at least the foundation is laid. Thus, users of Visma software should be able to do whatever they want within the system with peace of mind.