Zekelman Industries

Mitigating third-party risks in complex manufacturing environments

Zekelman Industries, the largest privately held steel tube and pipe manufacturer in North America, operates 23 locations across the United States and Canada. The company relies on a complex network of vendors and partners to support its manufacturing operations, covering everything from automated warehouse systems to specialized software and manufacturing equipment. Since any downtime in the company’s facilities directly impacts its business performance, ensuring the security and resilience of its third-party vendors is critical.


Went from manual, full-day vendor assessment reviews to less than one hour.

Increased visibility and understanding of third parties to prevent risk or downtime.

Accelerated vendor request turnaround time, strengthening relationships across the business.

David Kehoe
Information Security Manager

“Bitsight does a great job of classifying vulnerabilities based on severity and giving us remediation action plans that help us hit the most important items at a specific point in time.”

Securing business-critical manufacturing infrastructure

Zekelman Industries’ manufacturing infrastructure includes a combination of leading-edge technologies and specialized operational technology (OT) and machinery. Many of these systems are supported by, or even directly managed by, third-party vendors. Given the criticality of these systems to Zekelman’s business success, the company’s security team must assess vendors’ security practices thoroughly during the onboarding process and on an ongoing basis.

Recognizing that manual assessment workflows would not scale to meet their needs, the company implemented Bitsight Vendor Risk Management (VRM) to orchestrate its cyber risk assessment program. “Downtime is lost money in manufacturing, so it’s crucial that our operations are protected from disruption,” said David Kehoe, Information Security Manager at Zekelman Industries. “Our vendors play an integral role in this, and Bitsight helps us make sure they are following through on their security commitments to keep our business running efficiently.”

Reducing manual effort during vendor risk assessments

While Kehoe has developed custom vendor assessment tools in the past, assessing a single vendor would often take him up to an entire workday. With Bitsight, he can thoroughly evaluate new vendors in about one hour, dramatically accelerating the vendor approval and onboarding process. He was also able to customize his Bitsight implementation based on best practices he has developed over the years, while gaining the efficiency that comes with a more systematic approach.

“I know what’s important to me and what risks I’ve seen throughout the years,” Kehoe said. “I like the fact that I was able to bring my own assessments into the platform and capture the important things I need to know right off the bat from the relationship owner.” Bitsight brings the company’s complete set of questionnaires, responses, and supporting documentation together in one instance, eliminating unnecessary manual effort for both Kehoe and the vendors he’s assessing.


Validating vendor-reported security practices

While questionnaires and self-assessments are valuable, vendors typically present an optimistic view of their security posture in their responses. Using the external data that Bitsight surfaces through Continuous Monitoring, Zekelman can check vendor responses against independently observed findings for a more complete, confident view of risk.

When discrepancies do arise, Kehoe can initiate evidence-based discussions about actual security measures and necessary improvements. “It gives me evidence to back up what my gut is telling me about a vendor’s security practices,” Kehoe said. “When I see vulnerabilities or other data points that contradict what a vendor has told us, we can have a real conversation about their security posture and get honest answers.” This is particularly important for vendors who don’t provide visibility into the inner workings of their technology. “Some vendors operate as a closed box, where they install their own software, hardware, and networking gear,” Kehoe noted. “Bitsight helps us ensure that they’re doing what they need to do to protect us.”

Increasing collaboration with business stakeholders

The fact that the Zekelman Industries security team can run vendor cybersecurity assessments earlier and more quickly has also enabled more collaborative relationships with internal stakeholders. With Bitsight VRM, the security team can get immediate access to risk and exposure insights even before running a complete assessment, saving time for everyone involved. As a result, key business teams like marketing and HR now proactively engage with security early in the vendor selection process, knowing that they’ll quickly receive initial feedback on whether a potential vendor will be a good fit.

These collaborative efforts lead to better outcomes for the business teams as well, by identifying early which prospective vendors carry risk issues and which do not. This has changed the perception of the security team in meaningful ways. “I’ve never been able to achieve that kind of stakeholder engagement before,” Kehoe said. “They see me as a resource who can help them rather than a roadblock in their way.”

Prioritizing internal security investments for maximum impact

In addition to being the foundation of Zekelman Industries’ third-party risk management program, Bitsight also plays an important role in the company’s internal security efforts. The view that Bitsight provides of the company’s external attack surface helps the security team identify the most likely targets for threat actors and proactively mitigate the highest-priority risks.

“Bitsight helps us understand what makes us a target and where we need to focus our security efforts,” Kehoe said. He cited the company’s recent implementation of a new security information and event management (SIEM) system as a notable example. “Bitsight’s insights helped us prioritize monitoring for the systems that were most likely to attract unwanted attention,” he noted.
