Case Study by Carl Rowley - Cyber Security Manager, ENGIE
The Background
ENGIE is the largest independent power producer in the world, operating in over 70 countries on 5 continents with more than 160,000 employees worldwide.
We are a global energy and services company operating in the three key business sectors of:
- Low-carbon electricity generation: we design, build and operate power generating plants that produce energy from natural gas and renewables, accompanied by low CO2 emissions
- Energy infrastructures: we design, build and operate major gas and electricity assets to supply energy
- Customer solutions: we offer our personal, business, government and community customers a broad range of solutions for energy and beyond
ENGIE came to Australia in 1996, and we’re now part of communities all over Australia and New Zealand.
We own and operate about 1,000 MW (gross) of renewable (wind turbine) and gas-fired generating plants in Victoria, South Australia and Western Australia, with many more renewable projects in the development pipeline. Our retail business, Simply Energy, serves markets in Victoria, South Australia, Western Australia, New South Wales, the Australian Capital Territory and Queensland.
The Goal
When it comes to cyber security, our goal is to minimise the risk of attack across all aspects of our business, from ensuring our domestic customers' personal information is secure to protecting sensitive information of our commercial/industrial customers and continuing to maintain the security and integrity of industrial control systems.
Protecting this information is critical – both to maintain our customers' confidentiality and that of our business. It’s critical to our success that we are a trusted provider.
Unfortunately, we live in a time where we continuously hear about cyber security attacks on the news – we want to do everything we can to reduce the risk of an attack on our business.
The Selection Process
We weren’t looking for a cyber security partner when we came across The Missing Link. We’d simply gone to the market to engage a third party to migrate our existing third-party vendor cyber security questionnaire to a SaaS product. Thomas at The Missing Link was one of the companies that approached us as a potential vendor.
We did a high-level assessment to determine whether we wanted to engage them to supply that product, and to be honest, we didn’t go ahead. However, over time I started to learn more about The Missing Link’s reputation in the cyber security space, which made me look more closely at their capabilities.
I didn’t engage The Missing Link without looking at alternatives – I explored the option of working with bigger companies with which our global company had existing relationships. But I found that although the bigger providers were good, we wanted more. As dedicated internal cyber security resources are always limited, I needed a company that would become an external partner. I needed flexibility, attention to detail from a third party and a willingness to provide a bespoke solution to meet my needs.
The more I consulted with The Missing Link, the more I discovered that Thomas, and all the people I engaged with there, had a genuine eagerness to be that provider. Their flexibility was a key to the final decision - this is something I don’t think we’d necessarily get from a larger provider.
Over the past year, they haven’t disappointed. I’m sure we’re a difficult customer to deal with at times – there are occasions we ask for things to happen really quickly – but they always accommodate our needs, and work with us to get a good outcome.
Our Relationship
Every person at The Missing Link that I’ve spoken to – whether they’re in project management or technical resources – has been easy to communicate with and professional.
As our account manager, Thomas has been particularly great to work with – he’s an easy-going guy, and I feel comfortable contacting him at any time. One of the things I really appreciate is that he’s not pushy – if we haven’t spoken for a while, he’ll touch base to see how I’m going, and it will be a general conversation rather than a sales pitch.
They are proactive when it comes to identifying, analysing and alerting us to any threats. And when they recommend solutions to problems, they are always well researched and accompanied by options, along with the positives and negatives for each.
Since engaging The Missing Link, we’ve worked on some significant projects, including our annual penetration testing exercise. Working on this with The Missing Link was beneficial because we really broadened the scope to further educate our internal teams about cyber security risks. It’s been a successful process, and while it takes time to build cyber maturity across an organisation, we’re already seeing the process resonate with staff members. For example, we’ve seen our Apps development teams integrate more robust cyber security controls into every aspect of their work.
We’ve also engaged The Missing Link to undertake a third-party assessment of our existing cyber security controls to determine steps needed to comply with new Australian Government legislation aimed at securing the future of the Australian energy market. Deliverables will be an objective understanding of where we currently stand and a plan to uplift our maturity if required.
The Difference
As a cyber security professional, I know it’s impossible to know everything I need to know – I simply can’t keep up with the threats emerging around the world. By leveraging the expertise of a company like The Missing Link, I get to benefit from the most current advice on best practice, as well as the experiences of other companies that are similar to us. Having access to what The Missing Link knows helps me in my decision-making and I see them as an extension of our team.