Challenge
Operating within a heavily regulated industry, Monese needed full visibility into its AWS environment.
Monese needed a solution that could help the security team prioritize their security tasks and gain visibility of misconfiguration against industry best practice.
Monese was looking for an agentless tool that could provide comprehensive security posture information to various teams within the organization, eliminating the need to rely solely on the security team.
Solution
Monese gained a full view of its AWS environment, enabling the security team to find vulnerabilities, pinpoint their exact locations, and assign them to the responsible business owners.
Monese’s small security team was able to manage their tasks effectively by identifying and tracking vulnerabilities with the help of the Wiz platform.
Monese was able to create a more collaborative security culture by enabling a broader set of users (including developers and product leads) to use the platform to understand and reduce risks – and to mitigate them proactively, protecting the company from possible downtime.
Seeking full visibility with a tool for multiple teams
Monese is a digital retail financial services company that provides mobile-only accounts in a selection of currencies and countries across the European Economic Area. As a cloud-native company, Monese is committed to strong security measures that won't hinder business operations. Aneel Sandhu, CISO at Monese, says, “our security strategy gets refreshed every year. There are four pillars. One of the key pillars is the ability to secure at speed. Other than that, it's more traditional things like making sure that there's transparency for people at all levels; that's from people who may be developers or working as product leads or even the Board. And then being able to make sure that we're compliant with any regulations that apply to us or our clients.”
Monese lacked complete visibility into its AWS environment, which was of particular concern due to its small security team and the fast-paced nature of the organisation. With earlier tools, teams often lacked context around vulnerabilities and were unable to prioritize their security needs effectively. Sandhu reflects, “because the company has a complex cloud environment, our primary issue has always been visibility.” Needing to delegate security work, Monese sought a tool that could provide necessary risk information to members across various teams.
Furthermore, Monese operates in a highly regulated industry and region, making compliance a crucial aspect of its operations, particularly 27001 (Information Security) compliance and regulations across Europe. Monese needed a solution that would help them achieve regulatory compliance and allow them to be more transparent with customers and enhance their business. Sandhu notes that a key pillar of Monese’s security program is to ensure that the company is compliant with any relevant regulations that apply to it or its clients in all jurisdictions.
Setting goals for a better fit
Before implementing Wiz, Sandhu was reliant on manual scripting to understand the components of Monese’s environment, which was time-consuming and did not offer a comprehensive view. Monese was also using traditional security scanners that were not suitable for cloud-native environments and needed a better way to share risk mitigation across its small security team.
I need a view of what our estate looks like. As the CISO, it's nearly impossible to understand all the components that make up our environment. We weren’t blind to issues, but we had to place a lot of trust in certain individuals to be on top of security findings.
Aneel Sandhu, CISO, Monese
Monese wanted a security solution that would enhance total visibility and strengthen regulatory compliance preparedness, while also making security tasks easier to delegate, thus reducing reliance on their small security team. Its aim was to build a security practice with wide positive impacts on the business.
The search for a comprehensive cloud security platform
Sandhu recalls that his security team initially looked for a vulnerability scanner to meet the demands of their banking clients and regulatory requirements. However:
When we went out and looked at what tooling was available, we were looking for a vulnerability scanner and quickly realized they were not fit for cloud native environments... we came to the realization that AWS and other CSPs generate a lot of data. We didn't need a vulnerability scanner; we needed a configuration vulnerability management solution.
Aneel Sandhu, CISO, Monese
After breaking down their technological requirements and conducting a Request for Proposal (RFP) process, they considered a few solutions. Sandhu recalls that they chose Wiz because it was able to capture substantial amounts of data and provide his team with a very concise view.
Increasing visibility and prioritization with Wiz
Sandhu’s team was able to get started with Wiz easily. He recalls: “We were able to get Wiz up and running very quickly just because of its cloud-native connectivity.” During Monese’s trial period with Wiz, the Log4j vulnerability showed them the power of Wiz's capabilities. Sandhu says they “were particularly lucky that Log4j happened during the trial with Wiz. Not only were we plugged in up and running, but it gave us an instant understanding of where we had vulnerabilities related to Log4j as well… all during the evaluation period.”
Monese implemented Wiz quickly. The process was straightforward, with Wiz connecting directly into Monese’s AWS environment and immediately providing visibility into its systems. Next, they focused on identifying and mitigating potential vulnerabilities early, and preventing potential downtime. Sandhu notes: “By using Wiz in our development pipelines, we are able to pick up things, do code reviews, and understand third party libraries.” This sets up Monese's developers to identify and resolve issues during development, instead of at the end of the process. Sandhu adds, “not only is Wiz checking to see what's running in the cloud; it also has a view of everything that's going to end up being pushed into our production environment.”
Sharing responsibility, shifting left
Sandhu also reflects that with Wiz, it’s easy to provide product leads with a live view of the vulnerabilities that are assigned to them, and how old those vulnerabilities are. “That gives a lot more traction to getting security fixes prioritized,” he says. “Because the developers’ work is driven by whatever requirements a product lead or project manager throws at them, now vulnerabilities can be assigned to the product leads.” This has helped Monese to delegate security work across more team members, increasing accountability.
With Wiz providing the ability to assign vulnerabilities to business owners and share the work of mitigating risk, Monese can track and prioritize security fixes more effectively.
Wiz allowed us to pinpoint exactly where we had issues. If we had tried to figure out everything that was affected by Log4j without Wiz, it would have taken at least seven or eight days to pinpoint everywhere that we needed to fix something. Wiz allowed us to pinpoint those areas immediately.
Aneel Sandhu, CISO, Monese
Increasing agility and accelerating deployments
Monese has also seen the great benefit of a maturing and more effective development organization. Its development and security teams can work together, and faster, to resolve security issues; this improves not only its security posture, but also builds collaboration across the organization. This creates more agile development and security collaboration, speeds deployment, and enables developers to do their best work.
Sometimes it's not just about being able to say, ‘there's a problem; go sort it out.’ What it's allowed us to do is have a very clear understanding of what that problem is and how to go about fixing things. So Wiz has helped us trigger a lot of work while maturing our development as a whole, just because that understanding of foundational issues allows us to build a lot more. That understanding helps us progress our security practice.
Aneel Sandhu, CISO, Monese
Meeting compliance requirements with ease
Wiz supported Monese’s gap analysis, and this ability to assess and address compliance gaps is a key aspect of Monese’s compliance strategy. Wiz also helped Monese meet client and regulatory requirements more effectively — and document their compliance status with automated evidence to share with various partners.
Wiz allowed us to give solid proof to the regulator auditors, clients, and investors, proving that we actually are as good as we say we are. We can illustrate that we meet requirements around security.
Aneel Sandhu, CISO, Monese
Moving forward, always learning
About his position as CISO, and security practices in general, Sandhu points out, “I get to learn something new every day. I have to understand what the business is doing and how it takes steps to apply security. I have to understand how technology works to make sure it's sufficiently secured, so I always have to be learning.”
With the successful implementation of Wiz, Monese is planning for a future where security is integrated and streamlined into every aspect of their business operations. Improved visibility, vulnerability management, and compliance reporting will continue to benefit Monese as they evolve. They can now confidently show auditors, regulators, clients, and investors that they meet security requirements, which is critical in any highly regulated industry. And with more agile, shared security practices, and better collaboration between development and security teams, Monese can focus more time and effort on delivering superior banking services to their customers.