Interview

Security in retail software with CISO Magnus Sparf

Coming from the armed forces and large global companies like William Hill and Mr Green, Magnus knows it's vital to keep our systems secure.


Security has, and always will be, our number one priority. Everything we do is based on trust. That’s why it’s absolutely vital that we do everything within our power to keep our systems and software secure.

To this end, in June 2022 Magnus Sparf joined the team as our Chief Information Security Officer, with a view to taking our already robust security protocols to the next level. With a background in the armed forces and at large global companies like William Hill and Mr Green, Magnus has already had a huge impact on Sitoo – chiefly by securing ISO 27001 certification.

We caught up with Magnus to find out more about what this means, how it benefits our customers, and why security in retail software is so important.

Magnus, we’ve just received our ISO 27001 certification which you’ve been instrumental in. Can you tell us more about it?

ISO 27001 is the world’s best-known standard for information security management systems (ISMS), and defines the requirements an ISMS must meet. The ISO 27001 standard provides companies with guidance for establishing, implementing, maintaining and continually improving an information security management system.

Conformity with ISO 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard. To pass your ISO 27001 certification audit, all of these controls need to be proven to an external auditor, and it can be a lot to take on. Sitoo chose Prescient Security, a global top 20 independent audit and penetration testing company, as auditor.

With already robust security technology and processes in place, we were able to pass our independent review and receive our ISO 27001:2022 certification within 7 months – in my experience, a very good result!

Why did we want to get ISO 27001 certified?

We pursued ISO 27001:2022 to demonstrate and show independent evidence of the strength of our security practices to potential customers. We know firsthand that it’s important to be able to, without discussion, show existing and potential customers that we have things in order when it comes to security.

Now we have this certification, what do we need to do to maintain it?

Sitoo being a cloud-native SaaS made it possible to use another SaaS service, Vanta, to reach and continuously assess our security compliance goals in an automated way. For us, this has never been about a one-off yearly thing to just pass an audit. With Vanta this is done continuously and you can follow our security posture live here: trust.sitoo.com

Vanta prompts us for the evidence that is required, supports onboarding of new people and integrates with our AWS infrastructure to continuously verify that we have the correct security configurations and services in place.

How do we protect our service from a ransomware attack?

Besides following general best practice with security testing of our products, Sitoo POS is only available on iOS and Android, platforms that are less prone to ransomware attacks. Sitoo also uses the official app stores from Apple and Google, App Store and Google Play, for the distribution of the client POS app. Apps are digitally signed by Sitoo for Sitoo POS, and then each new version is reviewed by Apple and Google before release. Like I mentioned, customers must of course do their part and make sure that they continuously work on updating the operating systems and the Sitoo POS app.

Our backend in AWS is continuously running backups and runs on a “serverless” infrastructure provided by AWS, which also reduces the likelihood of ransomware affecting our services.

What should our customers be doing to keep themselves protected?

So, every single company is a target for ransomware attacks. The most basic and straightforward way to stay secure is to always keep everything up to date. For example, old software and old hardware – like Windows-based PCs acting as a POS in a store – are prone to being attacked. Theoretically, this is where a piece of software like Sitoo is different, because we are on a modern tech stack. Being cloud-native means we’re not prone to ransomware attacks. We don’t run on traditional servers; we run on managed services provided by AWS, who look after the majority of patching and updating. But, to go back to the question, the best thing our customers can be doing on a daily basis is ensuring they are running the most up-to-date versions of the software they use.

What do you love about your job and what excites you about the future of security?

I love working with the latest technology, and an environment like Sitoo is the perfect place to do it. We’ve come a long way in a relatively short space of time and I’m excited about where we go next, especially with regards to the security services we offer our customers – and I think this is one of the key things that differentiates us from our competitors.

For more information about Sitoo and security visit trust.sitoo.com
