Ernst & Young Security Testing Centre Evolves With Industry

Jose Granado is the America’s practice leader for information security services within Ernst & Young. He was also tasked with building the Advanced Security Centre. “It is based on a mock Air Force environment”, Granado explained. And he would know – he served as a federal agent computer crime investigator at the Air Force information warfare centre for seven years.

The funding for the centre was approved in 2002 and Granado began a strict recruitment process, ensuring he hired only the very best. “We recruited from the military and internally within Ernst & Young”, he explained. “We were looking for deep technology security testing ability – cutting edge staff who could push boundaries”. The team is today made up of 225 people who fit this description.

This focus on people is what led to the firm’s acquisition of Hacktics, an Israeli based infosec company with deep R&D capability. “The acquisition has created a security buzz, which Ernst & Young previously did not have”, he said, explaining that many associate the firm only with auditing.

“There is a shortage of skills in the US. The security mindset in Israel gives them the edge, and they find vulnerabilities that no-one else can. It’s fun for them”, exclaimed Granado.

The Advanced Security Centre is what separates Ernst & Young from its competitors, Granado told Infosecurity. “None of our competitors have invested in a true facility, specific to security response testing. Our customers want a comprehensive view of their security, testing both their technology and their people”, he said, insisting that the Centre does just that.

Granado explained that their testing capabilities have had to evolve alongside the industry, “which is changing faster than security can keep up”. Their facilities have expanded to test smartphones and tablet computers “in a borderless environment”.

Grady Summers, information security leader at Ernst & Young, explains that IT saying ‘no’ to tablet computers is just not realistic. “Defense organizations may be able to say no, and perhaps even finance companies, but moving away from that, good luck saying ‘no’”, he said, explaining that when the CEO turns up with his/her iPad, “IT have to find a way to make it work”.

The dynamics of the cloud will change the face of computing, according to Granado. “According to a global survey, 46% are putting data in the cloud within the next year, so we need to jump on that”, he insisted. “As more moves into the cloud, what device is being used becomes less important – in fact, soon organisations will give employees a budget and ask them to choose their own computer”.

Summers and Granado shared their top tips for safeguarding data in the cloud with Infosecurity:

  1. Test your environment on a regular basis – remember that security is dynamic, and ever-changing
  2. Classify your data
  3. Set policies and programs around the classified data
  4. Educate users – security is everyone’s responsibility
  5. Deploy DLP products
  6. Train developers –Teach them to code and educate them on coding standards. “We are going to see more accountability for code in the future”.


What’s hot on Infosecurity Magazine?