During this session, we zoomed in on the importance of 'security by design' and how to achieve it. And in real-life cases, we learned from Securitas, Johnson & Johnson and CapitalatWork how they embed indispensable security measures within their digital world. Presentations are available to Beltug members (after log-in):
More security, less obstruction
Keeping control over your cyber situation… That was the message of the story Talitha Papelard, Lecturer at Antwerp Management School and author of the book 'Critical Success Factors of effective Business Information Security', shared with us. Back in the 1990s, people were convinced mobile phones were a waste of time and money. Now, our smartphones solve many issues. Healthcare, environmental and social problems are also solved by technology today. But even with all these opportunities, threats lurk right around the corner.
Shipping company Maersk, for instance, lost a year of revenue due to the Petya attack in 2017, because they couldn't operate for an entire week.
In our car, we have seatbelts to protect us during large and small accidents. On a boat, we turn to buoys and lifejackets in case someone goes overboard. But in the world of technology, we often don't have such (really quite simple) security measures.
Talitha emphasised how important it therefore is to make sure to have your ISMS (information security management system) and your PDCA process (plan-do-check-act) in place. Your ISMS should be risk-driven - not compliance-driven! Getting the buy-in of your board is one of the most important steps when setting up your ISMS. This ensures that everyone from the top-down is involved, committed and on-board with the security mindset.
“Never waste a good incident”, says Talitha, when making sure your board is fully aware of potential risks in business, behaviour and technology. It's not about complete safety, but rather detecting and responding as quickly as possible. The faster, the better, after all.
To wrap up, Talitha listed the benefits of a proper ISMS:
Security and global performance applications: it shouldn’t be a dilemma
Next on the agenda was Patrick Sichien, Director Sales Engineers at GTT. Patrick also provided his overview of the challenges that come with protecting a company's infrastructure: devices, users, compliance, threats, espionage, etc. However, even when you try to cover all these challenges, there is a good chance you will still, like Maersk, end up losing revenue because of a cyber attack.
Protecting your company with many tools raises budgetary challenges, as well, explained Patrick. So, as a start, keep the helicopter view, he recommends.
Case: 'Security by design' at Securitas
Wim Bartsoen, Chief Digital Security Officer at Securitas, then took us from the theory to real life and practice. He began with the definition of 'Security by Design' according to Wikipedia. Based on that definition, one might wonder if it is really about software after all. And in fact, when looking at real data breaches, you can indeed conclude that it is rarely about software alone.
Securitas was in the headlines in May 2019 for a potential data breach: a client raised the alert about possible vulnerabilities in Securitas' own alarm app. Wim described the weaknesses related to the app:
So the conclusion is definitely that security by design must be about more than secure code.
The key is to rephrase things and frame them differently: focus on the system rather than the software. (Slide 8 summarises the key assumptions and the key objective Wim works with.)
Next, you need to realise that the system is not a remote island (slide 9). You need to take into account the system itself, but also the organisation around it and the ecosystem of suppliers and partners.
Finally, optimism, stamina and stoicism: three qualities a good CISO needs to have.
Case: Wealth management in a secure environment
The next case on the agenda came from Filip Vandorpe, Head of IT at CapitalatWork Foyer Group. He started with an overview of his general security principles, from IT security governance, infrastructure and monitoring, to user access management and incident management (slides 4 and 5).
Filip explained that, as an organisation, CapitalatWork has a very trust-sensitive bond with its clients. So should a major data breach occur, the organisation risks failure.
A major security challenge occurred when management decided that staff need anytime, anywhere access to company data. They chose mobco as a trusted partner to guide the company. The 'mobile at work' project has three stages:
Enhanced security measures are also now in place (slide 9).
Case: How to marry security by design with privacy by design in the real world
Our final talk took on the synergy between 'Privacy by Design' and 'Security by Design': how different or similar are these concepts? Willy Van Buggenhout, (former) Chief Privacy Officer at Johnson & Johnson International, and Mathijs Rogiers, Senior Consultant at Deloitte, guided us.
Willy explained, based on his experience at Johnson & Johnson, that these two concepts go hand-in-hand. This has been enabled and accelerated by the introduction of GDPR, as the latter includes 'by design' as a legal requirement. Yet at the same time, it remains a vague concept (more like a best practice).
For starters, you need to grasp both the concepts of 'by design' and 'by default' (slide 5). The key characteristics and principles of 'Privacy by Design' place it in the realm of accountability, and it is part of the general obligations of the data controller (slide 6). Last but not least, integration with 'security by design' is a must.
Keep in mind these practical considerations, though:
The presenters gave a few examples of organisational measures to implement the concept of 'Privacy by Design' (slide 9). One element that is often forgotten or seen as difficult is document retention: what to do at the end of life of a document?
As a bridge to 'Security by Design', Mathijs shared the story of the Equifax data breach in 2017, which demonstrates that the two 'by Design' concepts closely intersect. In their overview of a secure Software Development Lifecycle Management (SSDLC), the word 'secure' can easily be replaced by the word 'privacy' in all the elements (slide 12).
Secure software is not only about coding and not only about requirements, Mathijs emphasised. It calls for a combined approach: from IT, from Risk & Compliance and from the business and the organisation.
When protecting your ICT landscape, make sure to run different kinds of tests: from vulnerability scanning to constant monitoring, both dynamic and static analyses, even in the coding phase of your solution (slide 15).
Even as IT organisations began embracing agile development practices over the last decade, many continued to approach security issues in the same incremental, siloed way they had with waterfall. As a solution, and to enhance their approaches to cyber and other risks, organisations are embedding security, privacy, policy and controls into their DevOps culture and processes, enabling the entire IT organisation to share responsibility for security.
Willy's and Mathijs's presentation concluded with the 4 pillars of DevSecOps: People, Process, Technology and Governance (slide 21). They also shared their main takeaways (slides 23 and 24).