About Global Atlantic Financial Group

Global Atlantic is a leading U.S. retirement and life insurance company, with a broad range of competitive and innovative products, leading integrated risk and investment management, and highly experienced leadership.

For more information, visit https://www.globalatlantic.com.

NetSPI Solutions

Breach and Attack Simulation (BAS), Penetration Testing as a Service (PTaaS), Proactive Security, Red Team, Social Engineering, Threat Modeling

Industry

Insurance, Financial Services

Employee Count

1k-5k

Headquarters

New York, United States

Customer Spotlight

Adrian Vargas

VP, Cyber Threat & Vulnerability at Global Atlantic Financial Group (GAFG)

My journey to GAFG

In 2018, I moved on from a decade-long career as a pen-tester/cybersecurity consultant to join Global Atlantic Financial Group (GAFG), a leading US retirement and life insurance company. At GAFG, I lead our Cyber Threat and Vulnerability team focusing on identifying risks and threats in our environment.

When I started, GAFG’s infosec program was dependent on vendors to pinpoint some of the technical risks that can be more difficult to identify. A review of previous reports from security vendors revealed no significant issues, which I know is quite rare to see over a multi-year period of assessments from having provided the same types of services to hundreds of companies myself. As I began to perform my own assessment of the network, I discovered easily identifiable high-risk issues (passwords in group policy preferences) had not been previously identified despite having been exposed before the other vendors’ pen-tests were performed.

To help improve our security program’s ability to identify and address network and application risks beyond unpatched software, I knew we would need the help of a trustworthy, multifaceted cybersecurity firm to get the job done right.

Why I chose NetSPI

In search of a highly capable proactive security vendor, I began the RFP process with a few of the top companies in the space. Having relied on the security research and tools from NetSPI security experts like Scott Sutherland during my time as a cybersecurity consultant, I felt confident in the technical acumen of their team. Along with the positive brand recognition, I felt NetSPI would be able to deliver the best value for my team at a reasonable price.

My peace of mind

From the start of my team’s partnership with NetSPI, I felt welcomed and valued as a customer. The sales team members I continue to work with are great and extremely responsive – attributes I highly value coming from a professional services role myself.

When NetSPI began performing our external and internal network penetration tests, I immediately saw value delivered in the vulnerabilities discovered early in their assessments. Their testing was very comprehensive compared to other vendors, diving further into our external web properties than others had in the past and uncovering SQL error messages that would make any security leader nervous to leave undetected. They also uncovered some novel findings in our internal network, and one great value-add was the detail they put into proving out each attack chain.

In addition to penetration tests, NetSPI has performed successful phishing campaigns, threat modeling, red team engagements, and breach and attack simulation testing for us. The breach and attack simulation testing was very valuable because it showed us that there are attack venues and kill chains that could potentially go undetected.

Into the future

From working with NetSPI, my team has been able to demonstrate our ability to prevent, detect, and respond to threats more effectively with the investments in our security stack. By better understanding the most likely attack vectors, we have been able to strengthen our detective controls.

The success of our first year working with NetSPI teed off a great second year, where we allocated additional funds to spend on NetSPI’s assessments. As a result of our second-year assessment findings, we built a business case to hire two additional people and form a new adversary emulation and detection team, otherwise known as our purple team.

NetSPI continues to be a truly independent security assessor and advisor for us at GAFG as we continue to grow our own internal capabilities. I look forward to what the future holds working together.