In this session, we gained insights on these questions, both from a theoretical and practical angle. And we heard from the National Bank of Belgium, AZ Alma and BNP Paribas Fortis about their best practices. The presentations from the event are available for Beltug members (after log-in):
How to build a long-term, strategic security roadmap
How can a company build a long-term security roadmap? That was the question Stefaan Hinderyckx, Senior Director Security Europe at Dimension Data, took on in his talk. A CISO has to perform a true balancing act between competing demands: operational effort, cost reduction, best-of-breed solutions, risk management, effectiveness, cyber-attacks, and so on.
When building this roadmap, many elements need to be catered for in many architectural layers:
And companies must zoom in on both the as-is situation and the to-be situation.
To start, all stakeholders must agree on the as-is context: the current maturity level of their security. Next, that same team must agree on the to-be situation. Finally, a timeline needs to be defined for reaching the to-be state: when to start which project, what the interdependencies between projects are, what budget would be required, etc.
Stefaan explained that by using a standardised approach and tool for this process, companies can benchmark themselves against their industry or against a specific segment of companies. He then demonstrated a possible process.
A key advantage of this approach, Stefaan concluded, is the structured, consensus-based discussion with all the stakeholders involved.
Our second speaker of the day was Christophe Crous, Head of Security Solutions at Proximus. He started off with an overview of the 2018 'threat landscape', which has a major impact on business and on the economy. The approach he recommends is quite straightforward, he explained: think 'security' from the foundation upwards.
The discussions should include the service aspect: what does the provider actually do for its customers? When choosing a security partner, it's a good idea to have a service catalogue from which you choose the building blocks according to your organisation's needs (slides 12 to 16 show potential approaches). Don't buy a product and then figure out what to do with it: buy a service, based on the needs of your company and your IT organisation.
Case: Security as a business enabler
Next up was Jan De Blauwe, Chief Information Security Officer at BNP Paribas Fortis, a customer of XPLUS Consulting. XPLUS Consulting designs the architecture for, and advises on, several of BNP Paribas Fortis' security programmes.
Security is a business enabler, Jan started: without security there is no trust, and without digital trust there is no digital economy. Jan distinguishes five value-creation levers; you need people on your staff to:
He then zoomed in on some of these levers:
Yet the question remains: are we tackling the right problem? Cybercrime costs around $500Bn worldwide, while worldwide spend on cybersecurity is only $100Bn; on average, 4 to 5% of total business IT spend goes to security. In terms of opportunity cost, however, the imbalance is even larger, because of the slow adoption of cloud services, of mobile internet and services, and of the automation of knowledge work (see slide 12 for more details).
To conclude, Jan recommended:
Case: In the eye of the beholder
After the break, we continued with the real-life cases. Wim Barthier, Security Officer at the National Bank of Belgium, shared his best practices on security dashboards. To Wim, a dashboard is a visualisation of data that supports interpretation. When talking about risks and risk ownership, it's important to know your users (C-levels, functional users, business owners and technical owners), their contexts and their respective risk appetites. Business owners have different expectations from technical owners (KPIs, KRIs and critical success factors). With a user-focused approach you can define the appropriate thresholds, objectives and KPIs/KRIs/CSFs for each audience.
The design of the dashboard's user interface is critical: Wim went briefly over the principles (slide 13). In any case, he emphasised, keep it simple. But don't settle for poor charts: visualise comparative risks in an easy-to-interpret way (slides 23 and 24).
And finally, make sure the input to your dashboard is of high quality.
For Wim, the user-centric approach is key, as it shows the evolution over time. (For more takeaways, check slide 29.)
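As an added illustration of the pipeline Wim describes (raw data, then an input-quality gate, then one KRI, then audience-specific thresholds, then the evolution over time), here is a small Python sketch. It is not code from the talk, the National Bank of Belgium or Beltug: the patch-status records, the asset count, the 30-day overdue limit, the coverage minimum and the per-audience thresholds are all constructed assumptions chosen to make the mechanics visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PatchRecord:
    """One asset's patch status in one monthly snapshot (constructed schema)."""
    month: str            # "YYYY-MM"
    asset: str
    owner: Optional[str]  # technical owner; None = unknown, a data-quality defect
    days_overdue: int     # days a critical patch has been available but not applied


# Constructed sample data; not real data from any organisation named on the page.
SAMPLE: List[PatchRecord] = [
    PatchRecord("2018-03", "srv-01", "ops", 0),
    PatchRecord("2018-03", "srv-02", "ops", 45),
    PatchRecord("2018-03", "srv-03", "dba", 12),
    PatchRecord("2018-03", "srv-04", None, 60),   # owner unknown -> rejected
    PatchRecord("2018-03", "srv-05", "dba", 0),
    PatchRecord("2018-04", "srv-01", "ops", 0),
    PatchRecord("2018-04", "srv-02", "ops", -3),  # impossible value from a bad feed -> rejected
    PatchRecord("2018-04", "srv-02", "ops", 0),
    PatchRecord("2018-04", "srv-03", "dba", 40),
    PatchRecord("2018-04", "srv-04", "ops", 5),
    PatchRecord("2018-04", "srv-05", "dba", 0),
    PatchRecord("2018-05", "srv-01", "ops", 35),
    PatchRecord("2018-05", "srv-02", "ops", 0),
    PatchRecord("2018-05", "srv-03", "dba", 70),
    PatchRecord("2018-05", "srv-04", "ops", 0),
    PatchRecord("2018-05", "srv-05", "dba", 0),
]

KNOWN_ASSETS = 5      # size of the inventory the feed should cover (assumed)
OVERDUE_DAYS = 30     # a critical patch older than this counts against the KRI (assumed)
MIN_COVERAGE = 0.9    # below this share of reporting assets the KRI is not trusted (assumed)

# Assumed per-audience thresholds (amber_at, red_at); the talk gives no numbers.
# Technical owners get a tighter scale than business owners or C-level.
THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "technical_owner": (0.05, 0.10),
    "business_owner": (0.15, 0.25),
    "c_level": (0.25, 0.50),
}


def validate(records: List[PatchRecord]) -> Tuple[List[PatchRecord], int]:
    """Input-quality gate: drop records with no owner or an impossible age."""
    clean = [r for r in records if r.owner is not None and r.days_overdue >= 0]
    return clean, len(records) - len(clean)


def overdue_ratio(records: List[PatchRecord]) -> float:
    """KRI: share of reporting assets with a critical patch overdue beyond OVERDUE_DAYS."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.days_overdue > OVERDUE_DAYS) / len(records)


def rate(value: float, audience: str) -> str:
    """Map one KRI value to a traffic-light colour for the given audience."""
    amber_at, red_at = THRESHOLDS[audience]
    if value >= red_at:
        return "red"
    if value >= amber_at:
        return "amber"
    return "green"


def dashboard(records: List[PatchRecord], audience: str) -> List[dict]:
    """One row per month: KRI value, data coverage, status, and trend versus the last trusted month."""
    by_month: Dict[str, List[PatchRecord]] = {}
    for r in records:
        by_month.setdefault(r.month, []).append(r)
    rows, last_trusted = [], None
    for month in sorted(by_month):
        clean, rejected = validate(by_month[month])
        coverage = len({r.asset for r in clean}) / KNOWN_ASSETS
        value = overdue_ratio(clean)
        trusted = coverage >= MIN_COVERAGE
        # Never colour a number the input does not support.
        status = rate(value, audience) if trusted else "unreliable"
        if last_trusted is None or not trusted:
            trend = "n/a"
        elif value > last_trusted:
            trend = "worsening"
        elif value < last_trusted:
            trend = "improving"
        else:
            trend = "stable"
        rows.append({"month": month, "kri": round(value, 3), "coverage": round(coverage, 2),
                     "rejected": rejected, "status": status, "trend": trend})
        if trusted:
            last_trusted = value
    return rows


if __name__ == "__main__":
    for audience in THRESHOLDS:
        print(audience)
        for row in dashboard(SAMPLE, audience):
            print("  ", row)
```

Run as is, the same 2018-04 value (20% of assets overdue) shows red to a technical owner, amber to a business owner and green at C-level, which is the point about per-audience risk appetite; 2018-03 is reported as unreliable rather than coloured because one asset in five has no owner, which is the input-quality point; and the trend column only compares against the last trusted month.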
Case: Prevention is better than a cure - How AZ Alma & its MSS provider take care of the hospital’s most pressing needs
Our final case came from Fritz Defloor, COO at the mid-sized hospital AZ Alma. Fritz described the situation against a backdrop of many challenges: financial pressure, the move towards knowledge exchange between hospitals, accreditation, legislation (GDPR, NIS), digitisation, retention obligations, etc. At the same time, the patient experience is increasingly important.
At AZ Alma, security is outsourced to specialised partners, including SecureLink. The internal security team can then focus on internal processes and on supporting doctors and staff (slide 16).
Have your checklist ready though, Fritz emphasised:
You can read more about this case here.
Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).
The Beltug Team