November 15, 2023

WTW raises certainty in an uncertain world with AI-driven Microsoft Security solutions

Customers from around the world rely on professional services organization WTW for its innovative risk strategies, insurance placement, HR consulting, and compensation and benefits planning. All of these services depend on enormous volumes of data that engender the clarity and perspective organizations need to make the best possible decisions in a world that guarantees only uncertainty. So, protecting client data and intellectual property is a WTW hallmark. Over the years, the company had built up a raft of unrelated, legacy security solutions that were increasingly difficult to maintain. Its vision for a more streamlined, productivity-first security posture called for a tightly coordinated tool set. WTW found what it needed with the full suite of Microsoft Security solutions, including Microsoft Entra ID, Microsoft Purview, and Azure. It’s excited to use the latest security innovation, AI-driven Microsoft Security Copilot.

“I envision Microsoft Security Copilot as a change accelerator. The ability to do threat hunting at pace will mean that I’m able to reduce my mean time to investigate, and the faster I can do that, the better my security posture will become.”

Paul Haywood, Chief Information Security Officer, WTW

Illuminating perspective from a trove of information

WTW is an industry leader in the professional services and insurance space that helps clients achieve intangible but powerful benefits. Along with its health, wealth and career lines of business, organizations turn to WTW for actuarial and risk mitigation strategies that build resilience. But the company doesn’t rely on hunches or crystal balls: it has data and highly skilled analysts who apply advanced data science techniques and contextual judgment to reveal opportunity. WTW depends on vast stores of data and cutting-edge information technology to produce clear and actionable outcomes for its clients. And with everything that WTW holds dear riding on that data—client trust, regulatory requirements around privacy and its reputation for integrity—the company chooses its information technology with great care.

When Paul Haywood, now Group Chief Information Security Officer at WTW, assumed the helm in late 2022, he brought a vision for a unified, end-to-end security posture. “Our strategy is to grow, simplify, and transform,” he says. “We need a threat-led, agile security team. That calls for a consolidated security tool set.” But Haywood found a collection of disparate security solutions that inflated licensing costs, pulled his invaluable small team in multiple directions to stay on top of varied technologies, and created security data duplication—all of which led to higher security costs. Most importantly, Haywood worried that the resulting complexity would cost precious time in the event of an attack. Happily, he soon discovered that WTW’s technology investments included Microsoft security capability that hadn’t been fully activated. The pathway to a simplified, consolidated environment was beginning to appear.

Rapidly consolidating for elevated security

With operations in about 120 countries, WTW maintains a sizable estate: 55,000 workstation devices and more than 300 subscriptions in its major tenant. The company had moved about 90 percent of its technology, estate, and application footprint into Microsoft Azure prior to Haywood’s arrival—about 17,000 workloads’ worth of data. “Our Azure adoption reduced the complexity of managing and running our applications,” says Haywood. “That cloud transformation gives us more and better controls, as well as a smarter way to use resources.” 

Although WTW had the Microsoft 365 E5 productivity suite, the company hadn’t yet fully deployed the E5 security tool set. Yet much of the company’s information collateral now lies in its Azure estate, with devices under Microsoft 365. Haywood’s team worked with BlueVoyant, a Microsoft Cloud Partner Program member and managed service provider, to better cover the attack surfaces in the organization, activating Microsoft 365 E5 Security solutions, such as Microsoft Defender for Endpoint. BlueVoyant successfully supported WTW's SecOps modernization, replacing the team's costly SIEM with a twenty-four-hour, seven-day-a-week managed XDR and SIEM solution. Leveraging WTW's existing Microsoft investment, BlueVoyant accelerated their time to value and secured 76,000 endpoints. “We maximized our endpoint defense across Azure when we deployed Defender for Endpoint,” says Haywood. “Using its built-in additional controls around web content filtering greatly improved vulnerability management.”

Converting from a legacy security information and event management (SIEM) system to Microsoft Sentinel was a multifaceted win for WTW. “We reduced the data going into our SIEM from almost 15 terabytes of data to less than 3 terabytes, saving about 5 to 6 million dollars a year in our telemetry and monitoring ecosystem,” explains Haywood. Microsoft Sentinel aggregates threat data not only from Azure, but also from WTW’s Oracle cloud. WTW also deployed Microsoft Defender for Cloud to further protect its cloud workloads and gain extended detection and response (XDR) capability by using it in concert with Microsoft Sentinel. “Rolling out Microsoft Defender for Cloud across all of our workloads and subscriptions and coordinating it with Microsoft Sentinel gives us full-scale XDR capability from 55,000 endpoints and throughout the estate,” he adds.

Connecting Microsoft identity solutions for proactive protection

WTW prioritizes identity as part of its Zero Trust strategy; a single compromised employee identity can jeopardize the organization. WTW adopted Microsoft Defender for Identity for insight into the abuse of administrative privileges. Haywood plans to extend the journey with Microsoft Entra ID to fully manage the identities of both individuals and devices. “Devices are a really important aspect of identities,” Haywood says. “We’ll use Entra ID tools to manage identities and complement our other Microsoft identity solutions.”

The company is rolling out Microsoft Purview, prioritizing its data loss prevention (DLP) and information governance tools. The combination of Microsoft Intune to manage devices with Purview security policies is a powerful tool set. “We’re greatly simplifying the way we manage and deploy devices around the world by using DLP policies to control features we need on our devices,” says Haywood. “And we can continually update control policies through Intune cloud management.”

Consolidating tools, enhancing value

Creating a unified security framework ladders up to one overarching goal: visibility. “We need full visibility into our IT estate, especially as we embrace Zero Trust,” Haywood explains. “The consistency in the Microsoft tooling delivers that visibility across endpoints, identities, and multicloud.” 

That visibility also hastens ongoing improvement in a fast-changing world. “We use threat intelligence and threat hunting to inform the changes that we need to make across the security footprint,” Haywood says. “That’s how our security organization can best enable the business and help it grow—we’re agile enough to respond to emerging threats. And we can demonstrate that resilience to our clients, which reinforces their confidence in us.”

Simplicity is key to sustaining that strong defense. “By adding more resilience controls from the cloud with the security tools within Azure and across the entire Microsoft ecosystem, we are reducing complexity,” explains Haywood. “That means better, more, and simpler security coupled with smarter, more effective ways of using our resources.” The transformation rests on collaboration throughout WTW and with two key external players. “Microsoft product leaders worked with us to shape some of the solutions that are very pertinent to WTW,” continues Haywood. “Without our partnerships with Microsoft and BlueVoyant, we wouldn’t have been able to deliver our security redesign at pace.”

Says Holly Steele, Senior Vice President of Sales in UK and EMEA at BlueVoyant, "We helped WTW save about $5 to 6 million a year in telemetry and monitoring ecosystem by reducing their SIEM data from nearly 15 terabytes to less than three. Meeting their tight deadlines, we delivered a comprehensive solution, mapped to the MITRE ATT&CK Framework, in under 45 days."

Looking forward with Microsoft Security Copilot

The next frontier: AI-driven Microsoft Security Copilot.

“I’ll be honest. I’m fascinated by Microsoft Security Copilot,” says Haywood. His team has been using the generative AI–powered security solution in private preview, further increasing WTW’s productivity and security edge. The WTW security operation center (SOC) is the culmination of a new era in the company’s security practices. “The threat hunting capabilities in Security Copilot will greatly accelerate the way that our internal threat hunting team develops and understands incidents as they unfold,” he explains. 

“We look forward to working with WTW on their continued journey using Microsoft Security Copilot to accelerate threat hunting and more,” says Steele.

And in this age of high demand for SOC analysts, Haywood sees opportunity for the company and for aspiring threat hunters, because until now analysts needed Kusto Query Language (KQL) skills to delve into threats. “The ability for our teams to ask questions in natural language in Security Copilot, rather than using KQL queries, allows a different type of SOC analyst to mature,” says Haywood. “That’s a game-changer in an industry where security skills are scarce.” The benefits are profound. “I envision Microsoft Security Copilot as a change accelerator,” adds Haywood. “The ability to do threat hunting at pace will mean that I’m able to reduce my mean time to investigate, and the faster I can do that, the better my security posture will become.”

“We’re embedding security practices and principles in everything we do,” concludes Haywood. “And that, for me, is success because if I can get the whole organization thinking that they need to think securely how to protect data, then actually… we’ve won the battle.”

Find out more about WTW on LinkedIn, Twitter, and Facebook.
