Beltug

Security: the business enabler. Takeaways from the X-change of 17 Dec 2018


Date: 17/12/2018


Security must be the foundation of our decisions and operations, as we digitise our organisations and world. But this is easier said than done, and there are many questions and challenges along our path.

  • New challenges arise at the speed of light: how can we strategise the security approach?
  • Is it better to keep security in-house, or to use Managed Services or Security-as-a-Service?
  • How can security dashboards help us maintain an overview on risks, incidents and measures?

In this session, we gained insights on these questions, both from a theoretical and practical angle. And we heard from the National Bank of Belgium, AZ Alma and BNP Paribas Fortis about their best practices. The presentations from the event are available for Beltug members (after log-in):

How to build a long-term, strategic security roadmap

How can a company build a long-term security roadmap? That was the question Stefaan Hinderyckx, Senior Director Security Europe at Dimension Data, took on in his talk. A CISO needs to perform a true balancing act, between challenges including operational efforts, lower costs, best-of-breed solutions, risk management, effectiveness, cyber-attacks, and so on.

When building this roadmap, many elements need to be catered for in many architectural layers:

  • Contextual
  • Conceptual
  • Logical
  • Physical
  • Component
  • Operational.

And companies must zoom in on both the as-is situation and the to-be situation.

To start, all stakeholders must agree on the as-is context, on the current maturity level of their security. Next, that same team must agree on the to-be situation. Ultimately, a timeline needs to be defined for the to-be assessment: when to start which project, what are the interdependencies between projects, what budget would be required, etc.

Stefaan explained that, by using a standardised approach/tool for this process, companies can benchmark themselves within their industry or within a specific segment of companies. Next, he demonstrated the possible process.

A key advantage of this approach, Stefaan concluded, is the structured, consensus-based discussion with all the stakeholders involved.

Security-as-a-Service

Our second speaker for the day was Christophe Crous, Head of Security Solutions at Proximus. He started off with an overview of the 'threat landscape' in 2018, which has a major impact on the business and on the economy. The approach that he recommends is quite straightforward, he explained: to think 'security' from the foundation upwards.

The discussions should include the service aspect: what does the provider actually do for its customers? When choosing a security partner, it's a good idea to have a service catalogue, in which you choose the building blocks according to your organisation's needs (slides 12 to 16 show potential approaches). Don't buy a product and then figure out what to do with it: buy a service, based on the needs of your company and your IT organisation.

Case: Security as a business enabler

Next up was Jan De Blauwe, Chief Information Security Officer at BNP Paribas Fortis, a customer of XPLUS Consulting. XPLUS Consulting architects and counsels BNP Paribas Fortis for several security programs.

Security is a business enabler, Jan started. Without security there is no trust, and without digital trust there is no digital economy. Jan distinguishes five value creation levers; you need people in your staff to:

  • Control
  • Support
  • Service
  • Enable
  • Grow.

He then zoomed in on some of these levers:

  • Control: mainly focused on detecting problems. You absolutely need people to keep an eye on risks and to build awareness. These people influence decision making (re-orient / block / avoid) and may often be perceived as 'Mr/Mrs No'.
  • Support: here we talk about security in a partnership. The people involved go beyond problem detection, into a more co-creation mode.
  • Service: the security team becomes the end-to-end owner of complex value chains. In this service mindset, they deliver a valuable service.

Yet the question remains: are we tackling the right problem? Cybercrime represents a high cost worldwide ($500Bn), but the worldwide spend on cybersecurity is only $100Bn. On average, 4-5% of total business IT spend goes to security. In terms of the 'opportunity cost', however, the imbalance is even higher, due to the slow adoption of cloud services, of mobile internet and services, and of the automation of knowledge work (see slide 12 for more details).

To conclude, Jan recommended:

  • Determine what is right for your organisation
  • Think 'maturity'
  • Make sure to have a mix of skills within your security team
  • Position your security team within the company (don't stick them in the basement, literally or metaphorically).

Case: In the eye of the beholder

After the break, we continued with the real-life cases. Wim Barthier, Security Officer at the National Bank of Belgium, shared his best practices on security dashboards. To Wim, a dashboard is the visualisation of data in an interpretative way. When talking about risks and risk ownership, it's important to know your users (C-levels, functional users, business owners and technical owners), their contexts and their respective 'risk appetites'. Business owners have different expectations than technical owners (KPIs, KRIs and Critical Success Factors). With a user-focussed approach, you can define the various thresholds, objectives and KPIs/KRIs/CSFs.

The design of the dashboard's user interface is critical: Wim went briefly over the principles (slide 13). In any case, he emphasised, keep it simple. But don't stick to poor charts: visualise the comparative risks in an easy-to-interpret way (slides 23 and 24).

And finally, make sure the input to your dashboard is of a high quality.

For Wim, the user-centric approach is key, as it shows the evolution over time. (For more takeaways, check slide 29.)

Case: Prevention is better than a cure - How AZ Alma & its MSS provider take care of the hospital's most pressing needs

Our final case came from Fritz Defloor, COO at the mid-sized hospital AZ Alma. Fritz described the situation against the backdrop of many challenges: financial pressures, the move towards knowledge exchange between hospitals, accreditation, legislation (GDPR, NIS), digitisation, retention obligations, etc. At the same time, the patient experience is increasingly important.

At AZ Alma, security is outsourced to specialised partners, including SecureLink. The internal security team can then focus on internal processes and on supporting doctors and staff (slide 16).

The result:

  • A more focussed ICT team
  • Performance and stability
  • Better follow-up of incidents
  • Peace and quiet in the organisation
  • A good collaboration that leads to trust.

Have your checklist ready though, Fritz emphasised:

  • Your service provider needs to match your company's DNA.
  • Be transparent towards the ICT staff.
  • Co-creation: don't operate as two separate companies. Work in a true partnership (he gave the example of an application chart, to be built in dialogue with the provider).
  • Communicate with your provider, and make sure the provider documents the solution/service.
  • Systematically analyse your P1 incidents: by speaking with your users, you gain massive insights on existing processes (and potentially how to adjust them). And discuss these incidents at board level.
  • Communicate with your end-users.
  • And last but not least: remain critical towards your provider.

You can read more about this case here.

 

 

 



 
