AVEVA

Harness Data to Measure, Communicate, and Reduce Risk

Organizations are experiencing an expansion of their digital footprint, and AVEVA is no exception. Over 20,000 customers in 100 countries rely on the company’s secure cloud platform and applications to harness the power of information and improve collaboration. AVEVA supports these customers with solutions and expertise of more than 6,400 partners.

AVEVA

As a leader in industrial software, AVEVA is an attractive target for threat actors focused on critical infrastructure. Understanding their attack surface and focusing security investments where they can have the greatest impact is critical.

In parallel, their security team must also navigate ever-evolving regulations and standards, mergers and acquisitions, and growing third-party risks. To manage this, AVEVA has partnered with Bitsight to bring a systematic, data-driven approach to AVEVA’s security efforts, empowering the security team to continuously improve the organization’s risk posture. AVEVA seeks to address these following challenges:

  • Prioritizing risk reduction investments
  • Elevating security to a board-level priority
  • Staying ahead of fast-evolving regulations
  • Securing M&A integration efforts
  • Understanding and mitigating third-party risks

“Our attention to security is a huge differentiator for us,” said Tim Grieveson, AVEVA’s Chief Security Officer and SVP of Information Security. “It’s crucial to our reputation, market credentials, ESG framework, and ability to attract top talent and Bitsight has helped us make substantial progress in managing cyber risk.”

But a critical piece in AVEVA’s security performance management toolkit was missing.

Tim Grieveson
Chief Security Officer and SVP of Information Security, AVEVA

"To properly assess cyber risk and have meaningful conversations with senior executives about its impact, we needed a data-driven framework for quantifying risk in business terms."

As the executive responsible for security strategy, Tim Grieveson, AVEVA’s Chief Information Security Officer & SVP Information Security, needed a more precise view of AVEVA’s attack surface. “It was important for us to prioritize the vulnerabilities, events, and configurations that we needed to tackle first,” Grieveson said. It was also critical to balance short-term impact with longer-term goals like alignment with Level 4 of the NIST Cyber-Security Framework.

When AVEVA merged with Schneider Electric’s software business, Grieveson saw an opportunity to build on Schneider Electric’s existing use of Bitsight Security Performance Management (SPM) to:

  • Better understand AVEVA’s attack surface
     
  • Make data-driven security investment decisions

After a short implementation process, the impact was nearly immediate. “Bitsight gave us a new lens to really question if we were spending money in the right place and the impacts of those investments on our security posture,” Grieveson said. “In only four or five months, we moved ourselves from a basic level of security to an advanced level of external posture.”

Financial Quantification Hero-v2

Now that security is a board-level issue, clear, fact-based conversations with senior-level stakeholders are critical for securing necessary investments. Building on his team’s success with Bitsight SPM, Grieveson added Bitsight Cyber Risk Quantification (CRQ) to guide strategy and investment discussions with AVEVA’s leadership team and board.

He used SPM and CQR to drive efficient and productive conversations about risk, plan necessary investments, and measure the impact of those investments on the business.

“Bitsight helps explain and quantify to our executive committee exactly where we are in terms of our external-facing posture,” Grieveson said. “We now have a common taxonomy to quantify cyber risk exposure in a language that everyone understands, tell a cohesive story about what that risk means to our business, and guide decisions about security investments.”

The benefits extended beyond leadership discussions to impact the whole organization. “People are now building security into the ecosystem and their ways of working, so we’ve built a culture of security rather than having it be an afterthought,” Grieveson said.

Tim Grieveson
Chief Security Officer and SVP of Information Security, AVEVA

Bitsight gave us a new lens to really question if we were spending money in the right place and the impacts of those investments on our security posture"

Demonstrating security rigor to regulators and insurers

Given its role in critical infrastructure, AVEVA must comply with a wide range of regulations and standards, including the NIS2, Cyber Resilience Act, SOC2, ISO 270001, and more. AVEVA’s customers also regularly audit the company’s security capabilities.

“We have a significant number of external audits every year,” Grieveson said. “Bitsight gives us data, reports, and visibility to show that we are managing security well and that the controls we have in place are robust.”

This evidence of security rigor also helps with AVEVA’s insurers, who often seek to increase premiums based on companies’ risk posture. “We were able to justify our current posture and minimize any increases to our insurance costs,” Grieveson said.

Understanding and managing third-party risks

Recognizing the risks posed by their supply chain partners, AVEVA also incorporated Bitsight Continuous Monitoring to help with third-party risk management.

“Like many organizations, we use quite a few third parties to help deliver the capabilities of our services,” Grieveson said. “We’re making sure we understand the posture of our third parties — and even our fourth parties — and that we have a remediation path.” This is critical to AVEVA’s growth plans, particularly as cloud platforms and third-party capabilities like AI begin to play a larger role.

The ability to assess third-party security posture also de-risks AVEVA’s merger and acquisition activities. “It helps us understand the posture of any prospective acquisitions, and assess third parties thoroughly before we bring them on,” Grieveson said.