IT security and data security are more important today than ever. We interviewed our Chief Information Security Officer to give you a better understanding of data security at Consor and his responsibilities.
Many people find IT security a tiresome and difficult topic. What does IT security mean to you personally? What fascinates you about this topic?
I actually find it a very exciting topic because it is constantly evolving and on the move. In general, IT security has recently become more important in the EU and also in Switzerland. This can be seen, for example, in the fact that security certifications are also becoming more important for medium-sized companies. Even small companies are realizing that they need to take care of IT security and are facing up to the challenges. As a company, we may not specialize in security issues, but we are still affected by them. It helps us a lot to set up structures that support us in the best possible way and I really enjoy this challenging task.
You have been Chief Information Security Officer at Consor since 2023. What does this role entail? How is it practiced at Consor?
In principle, I am responsible for all security issues and must ensure that they are practiced accordingly in day-to-day operations. Security is not a one-off action, but must be anchored in the corporate culture, which is a constant process. My role therefore not only has an impact on software development, but also on all areas of the company. That’s a very interesting aspect of my job as CISO: it’s very diverse – from software components to management and HR, you have contact and insights everywhere.
As we were already very well positioned as a company before our ISO 27001 certification, the changes for employees were minimal. The aim was not to make day-to-day work in the company more difficult while at the same time enforcing the necessary regulations and standards. Finding a good way to do this was a challenge.
How important are data protection and information security at Consor?
These topics are very important to us, as you can see from how much we have already implemented. Our management is completely behind my mission and is itself interested in constantly improving and developing Consor in the area of IT security. We have literally spared no expense or effort here in order to position ourselves in the best possible way.
Consor has been ISO 27001 certified since 2023. How did this come about? How did this project and the certification go? Who are your partners in this area?
As we offer Universal as a Service and thus become a software operator, we are responsible for our customers’ data. Nowadays, the ISO 27001 standard is considered the gold standard for IT data security, even for SMEs. Our customers are also asking more and more about this topic, as it is becoming increasingly important to them. We were already very well positioned before the certification, so that nothing stood in the way of an official certification process.
The project started in March 2023. We quickly realized that we could not manage the extensive certification alone and therefore looked for a professional partner on an equal footing to provide support. Secfix is a startup that aims to make the certification process as lean and automated as possible. This was very much in line with our way of working and our values, which is why we chose this partner. The framework and project plan for certification were very well defined by Secfix and saved us a lot of time and work. We were able to complete the certification within six months. The effective certification body at the end was Certivation. The collaboration with them was also very constructive and efficient.
Consor Universal is also offered in the Software as a Service model. Is this a big step for Consor? What impact does this have on security and processes?
This was a very big step for Consor – not necessarily technologically, but due to the fact that we are becoming a software operator and thus taking responsibility for the data and systems. Our internal infrastructure has already been in the cloud for years. However, our customers have traditionally operated Consor Universal “on premises” or in a cloud themselves – also due to their increased need for security when it comes to data. The entire operational aspect and also access to the data (keyword: authorization concepts) has been revised and redesigned from a security perspective.
In general, the switch to Software as a Service means more standardized processes and greater security. The certification and the ISO 27001 standard raise awareness within the company for the operation of such a platform. We are now even more aware than before of the areas in which we need to pay particular attention.
What are the benefits for your customers?
We can prove to our customers that we implement IT security professionally, correctly and holistically. Large insurance companies in particular have high security requirements and can therefore meet their compliance obligations more easily and quickly. In addition, customers now have a dedicated contact person at Consor for security issues.
You are never “finished” with security. What are the next upcoming and planned steps and improvements? Where will the journey take us in the future?
That’s absolutely right – you’re never finished. Our roadmap still has many points that we want to tackle. We are currently implementing a single sign-on authorization concept for internal applications. The experience we gain here will then benefit our customers. In the area of software development, we activated a so-called Renovate Bot just a few weeks ago, which automatically updates libraries from third parties, and have already had very good experiences here too. We have been able to significantly improve and expand our regular automated vulnerability scans.
Overall, we can say that when it comes to IT security, we can no longer act reactively, but proactively. We recognize problems at an early stage and can take active action against them. Certification is not a one-off action, but a constant improvement process that is practiced in the company.
The interview was conducted by Barbara Jonietz.