Digital transformation radically changes business risk

With over 160,000 members, teachers are one of the largest and most trusted professional groups in New Zealand. The Teaching Council is an Independent Statutory Body funded by teachers which has a number of functions, including registering new teachers and renewing the 3-year practicing certificates of around 40,000 teachers per annum.

In 2020 the Teaching Council launched a new digital services platform to allow teachers to apply online 24/7, replacing a previous legacy process that was almost entirely paper based.

With this change, information security and privacy risks moved to the forefront of Board risk management discussions. Although the Teaching Council regularly commissions independent expert security reviews and audits, it was difficult for the Council’s small IT team to undertake continuous assessments of risks in their external attack surface.

For Deputy Chief Executive – Operational Services, Clive Jones, managing the security and privacy of teacher data is an obligation he takes seriously. Knowing that the Teaching Council’s cyber risk profile had increased with digitization, Clive needed to find a way to identify vulnerabilities in its ever-changing external attack surface efficiently. His busy IT team didn’thave time to search for risks without direction.


Automating finding vulnerabilities frees up time to manage risk

When the Teaching Council started working with Glasstrail, Clive was relieved. He had previously worked with Glasstrail's parent company Theta on several projects and knew their people and their ability to deliver outcomes first hand.

Glasstrail made life much easier for Clive's small IT team.

By finding the vulnerabilities for them and presenting the results in easy-to-use and understandable dashboards, the team could focus time on resolving the highest priority issues in a highly targeted way.

Anything that is flagged high priority by Glasstrail gets immediate attention from the IT Manager and his team. Lower priority issues are resolved progressively as part of BAU tasks. The very lowest priority issues are addressed usually via supplier renegotiation as contracts roll over, as these risks are often due to limitations in third-party tools.

What Clive particularly likes about Glasstrail is that it does the hard work of finding their risks and vulnerabilities. This frees up his team to get on with resolving any newly discovered issues.

Clive comments:

"Previously, we didn’t have the whole picture of our information security risks. With Glasstrail, we have a tool that locates vulnerabilities, tells us whether it's a high-priority risk, and allows us to protect our data and systems. It’s a very efficient way to find risks as the intelligence built into Glasstrail does all the work."


Dynamic attack surface prompts continuous usage

Before subscribing to Glasstrail, Clive completed a free trial. The trial unearthed a small number of risks and vulnerabilities previously unknown to the Teaching Council, which are now resolved.

Being impressed with what Glasstrail discovered, Clive then started a monthly subscription. He was sceptical at the outset that there would be enough change in the Teaching Council attack surface each week to make it worthwhile to continue to invest in Glasstrail. But he wanted to test it out.

Glasstrail proved otherwise.

Frequent changes in the Teaching Council’s attack surface demonstrated to Clive how important ongoing monitoring of external attack surfaces' is. Glasstrail’s weekly scans often identify new issues that need to be addressed – and this early indicator allows the Teaching Council to reduce their risk window far more quickly than through periodic external audits and reviews.

Clive comments:

"The value in the free Glasstrail trial is enormous. At the outset, I wondered whether we would find enough additional value to continue with a subscription. But we have – I've been surprised by what Glasstrail continues to discover in our dynamic attack surface. I'm now a firm convert to continuous external attack surface monitoring!"