Industry Report

Involta Makes Cybersecurity an IT Priority

YOUNGSTOWN, Ohio — Discussions on cybersecurity have moved from the IT strategy room to the board room as CEOs and other executives take security breaches more seriously, and seek partners to enhance their security profile.

To meet those needs, Involta, an IT service provider and consulting firm,  has ramped up its cybersecurity offerings, says CEO Bruce Lehrman. Along with hiring chief information security officer, Annalea Ilg, in August 2018, the Iowa-based company – which acquired the Youngstown-based Data Recovery Services in 2015 – has made a “sizable investment in people and tools” for cybersecurity, Lehrman says.

“Security is first and foremost. It’s the first thing we think about with the services we offer,” Lehrman says. “The threats are becoming bigger and more intrusive. And our clients are being affected by it.”

Increasing its investment into cybersecurity offerings come as Involta expanded its footprint over the last few years. Lehrman reports annual year-over-year revenue growth to the tune of 15% to 20%, as well as increased assets through acquisition. In 2017, Involta acquired two business data centers in Cortland and Pittsburgh, as well as Dallas-based Kadium. Last year, the acquisition of Iowa-based BluPrairie allowed Involta to expand its services for hybrid-cloud technology, managed services and cloud consulting, the CEO says.

To maintain its commitment to security, Involta hired Ilg to help expand that department. Until that point, Involta maintained a small security team that monitored alerts for clients. Since the addition of Ilg, the company has added two 24/7 security-operations centers and increased its security staff to 16.

“We’ve expanded our capabilities and what we can offer to our clients, and continue to build out new services to our clients to make them more secure,” Lehrman says. “You have to make a large investment in people, processes and tools if you want to stay ahead.”

Involta also underwent a culture change, he says. The first thing Ilg did when she joined the company was train and educate the entire staff about current security threats and how employees can work to put security first.

“The way I look at cybersecurity is you have to build it up from the foundation,” Ilg says. “I wanted to enhance the security posture of the company as well as build additional compliance and security products for the customers.”

Because cybersecurity was treated as an afterthought for so long, many companies have legacy designs and processes in place that haven’t been reviewed in years, she says. They are unaware of all their systems that contain sensitive information and haven’t identified potential points of entry into a network from external places, she says.

“A lot of companies don’t know what they’re securing,” Ilg says. “It’s a real problem in the industry overall.”

In the last five years, awareness has heightened and executives are willing to be proactive in preventing cyberattacks. It’s a complete change from before when companies would say, “We’re fine. Nothing has happened to us yet,” she says. 

The reality is companies are exposed to thousands of threats daily, Ilg continues, from hackers attacking devices and websites to those targeting the employees of a company. Many attacks target several areas until the attacker gets what he wants, she says.

“All they need is the weakest puzzle piece to make an attack successful,” Ilg says.

One way to address issues of vulnerability is to hire a dedicated security team. “In the next couple years, I think we’re going to see a lot more investment,” Ilg says. “Companies know that it’s a real threat and it can really hurt their business.”

While constant warnings from IT professionals and stories of high-profile breaches in the news have helped with awareness, “It’s still a struggle for many companies to get the appropriate budget to have more than one person who manages security or to invest in the tools that are needed,” Ilg says. 

She acknowledges the amount of needed investment is “a bit of a moving target,” and says companies that don’t fall under specific regulations like HIPAA and the Payment Card Industry Security Standard – which require a certain level of cybersecurity – can have a difficult time quantifying the exact amount needed to invest.

Depending on the industry, Ilg recommends companies spend 4% to 7% of their annual revenues. However, most companies typically don’t spend more than 2%, “if they’re spending anything at all,” she says.

Rather than make the investment, companies can contract with Involta to manage their cybersecurity infrastructures. Ilg and her team implement any new program in the same way she did for Involta, she says.

The process begins with a comprehensive assessment of a company to identify its controls and weaknesses, she says. From there, she works with company leadership to develop a governance program that includes policies, procedures and enhanced processes, as well as updated tool sets.

The security staff at Involta receives continuing education and training to “prepare them for any kind of compromise response” and vulnerability management, and the company has added more certifications to its portfolio, Ilg says.

In addition to monitoring each client’s security systems, Ilg works with employees and executives to ensure everyone is on the same page, creating a culture that makes security a priority, she says. The goal is to change the behavior of an organization. While tool sets are important, clients need to understand that successful cybersecurity is a continuous cycle of managing and responding to threats.

“It’s important to understand the tools sets that are there to help prevent these types of attacks, but also to invest in the education of the organization on cybersecurity, the preparation and response for vulnerability, build your team and build cybersecurity as part of the mission and the foundation of the company,” she says. “Threats are always evolving. It’s a continuous thing. And as threats evolve, we must evolve as well.”

Pictured: Annalea Ilg reviews a client’s cybersecurity network with Sean Williams, security director, and Valerie Hiatt, security administrator. Involta’s security team has increased to 16 since Ilg took over as chief information security officer.

Copyright 2019 The Business Journal, Youngstown, Ohio.