Inside view: How Trimble approaches privacy and security
Ville Rousu shares his thoughts on Trimble’s digital evolution, including the company’s work with GDPR and ISO 27001. Ville is a Senior Director leading our Strategic Portfolio Engineering group.
I’ve been working with Trimble’s Tekla software products for 26 years. During this time I’ve seen first-hand how the company’s approach to privacy and security has evolved as times change. Having trusted policies and processes towards customers and in our own operations is now more critical than ever.
Remote working really took off along with Covid restrictions, often changing the way companies must manage access to their data assets. Digitization is now exploding, with various tools and data flows increasing the complexity of managing security processes. Traditional manual to-do list approaches are just not enough anymore.
Our main focus used to be on establishing excellent processes – particularly in streamlining our development work – but over the past five years or so we’ve started seeing a big impact from the privacy legislation coming out of Europe. The EU’s General Data Protection Regulation (GDPR) has really forced companies to start looking at information differently. I was part of the steering committee we appointed to establish how we would comply with these new privacy rules.
A solid base for privacy
Trimble has always had good policies for how we handle information – specifically personally identifiable information – but GDPR really elevated the importance of this.
We brought in external consultants to help with the GDPR compliance process, as that’s often recommended, and we worked with them to identify assets and define company policies. This included specifying the nature of any information we should store, where it’s located, who can access it, and what our customer-facing policies are towards handling it.
GDPR compliance basically comes down to assigning responsibilities in your organization; i.e. defining who the data custodians are and the processes they follow, then delivering the right message to the whole company. These regulations make complete sense and are good ‘digital hygiene’.
After my early work looking at Trimble’s internal process automation, dealing with GDPR compliance was a good second phase of my privacy and security journey. The work increased my general understanding of what digital maturity means in today’s world, and it set me up for the third wave of my expanding cybersecurity responsibilities.
It can be hard to believe, but every organization is a cyber-attack target. We’re subject to lightweight or heavyweight attacks all the time. Data breaches or cybersecurity attacks do not necessarily directly hit your core processes. They can hit you on the edges, where you can still lose information in a way that’s very harmful to your company.
It’s a never-ending race with the dark side of digitization, so for a long time, Trimble has also been developing stricter and stricter policies as to how we operate.
We primarily do this through our Trimble Secure Development Life Cycle framework. I’ve also been part of the team responsible for following how these controls are adopted, and how they are part of the ISO certification process for our product portfolio. Here I’ve been helping to establish the business-continuity-planning committees required for each business division in order to achieve ISO certification.
Our foundation for this work comes from widely adopted industry best practices. This large group of controls falls into 10 main categories, including everything from controlling assets to performing various analyses. Most of these analyses can be done by third-party software designed for these purposes. We also do external audits of our development processes, policies and incident responses, and have a wide range of guidelines for different roles.
Privacy and security at the core
At Trimble, a large portion of our security framework controls are aligned with ISO 27001 certification requirements – the international standard for managing information security. Getting certification requires the collection of evidence that the required cybersecurity processes and controls are in place. Our security framework defines those controls, and ISO certification validates that we follow industry best practices.
One of the ISO 27001 requirements is that you address security through a top-level team that covers all the functions of an organization. In mid-size companies, this team would typically include the CEO and any direct reports. In a larger company, such as Trimble, we cover this responsibility through committees at different levels.
These committees have, among other responsibilities, disaster-recovery plans that include the core elements of what to do when a cybersecurity attack happens. Such a recovery plan is not only about cybersecurity. It can cover other types of disasters as well, such as if the office burns down and you cannot access some critical services. You should always have a plan for how your company survives these kinds of situations, as survival cannot be taken for granted.
All in all, I believe that streamlining processes, ensuring compliance and maintaining a good cybersecurity posture together lead to a well-functioning, mature and trusted organization. This is also why you need to make privacy and security central to your company culture and brand. Both your employees and your customers need to see that you take these issues seriously.
We’re working very hard on all these things so everyone understands Trimble is a company that can be trusted.
For more detail on privacy and security in Tekla products, please visit the Tekla Trust Center and see our Tekla security white papers.