Beltug

Never waste a good incident: Security by Design. Takeaways from the N-sight of 23 May 2019


Date: 23/05/2019


The return on investment is very high for hackers, so securing our digital world has become a constant effort. Embedding security measures into our ICT environment from the very start – the design – can be key to a successful approach. 

 

During this session, we zoomed in on the importance of 'security by design' and how to achieve it. And in real-life cases, we learned from Securitas, Johnson & Johnson and CapitalatWork how they embed indispensable security measures within their digital world. Presentations are available to Beltug members (after log-in).

More security, less obstruction

 

Keeping control over your cyber situation… That was the message of the story Talitha Papelard, Lecturer at Antwerp Management School and author of the book ‘Critical Success Factors of effective Business Information Security', shared with us.  Back in the 1990s, people were convinced mobile phones were a waste of time and money.  Now, our smartphones solve many issues.  Healthcare, environmental and social problems are also solved by technology today.  But even with all these opportunities, threats lurk right around the corner.

 

Shipping company Maersk, for instance, lost a year of revenue due to the Petya attack in 2017, because they couldn't operate for an entire week.

 

In our car, we have seatbelts to protect us during large and small accidents.  On a boat, we turn to buoys and lifejackets in case someone goes overboard. But in the world of technology, we often don't have such (really quite simple) security measures.

 

Talitha emphasised how important it therefore is to have your ISMS (information security management system) and your PDCA process (plan-do-check-act) in place.  Your ISMS should be risk-driven - not compliance-driven!  Getting the buy-in of your board is one of the most important steps when setting up your ISMS. This ensures that everyone, from the top down, is involved, committed and on board with the security mindset.

 

“Never waste a good incident”, says Talitha, when making sure your board is fully aware of potential risks in business, behaviour and technology.  It's not about complete safety, but rather detecting and responding as quickly as possible. The faster, the better, after all.

 

To wrap up, Talitha listed the benefits of a proper ISMS:

  • Reduces risks
  • Compliance
  • Supports business needs
  • Confidence for customers & suppliers

 

 

Security and global performance applications: it shouldn’t be a dilemma

 

Next on the agenda was Patrick Sichien, Director Sales Engineers at GTT.  Patrick also provided his overview of the challenges that come with protecting a company's infrastructure: devices, users, compliance, threats, espionage, etc.  However, even when you try to cover all these challenges, there is a good chance you will still, like Maersk, end up losing revenue because of a cyber attack.

 

Protecting your company with many tools raises budgetary challenges, as well, explained Patrick. So, as a start, keep the helicopter view, he recommends.

  • Work with a trusted advisor and think of future applications and developments.  Map the scenarios properly, avoiding as many 'exceptions' to the situation as possible.
  • When talking budget, make sure to reserve it and to take changes into account. Have a committee on board that decides on the design of your security and on any potential changes.
  • And when designing your network security, balance the proper solutions and possibilities: in-bound, cloud and on-premises.  A hybrid solution is often the right way to go - balance this against your needs.

 

 

Case: 'Security by design' at Securitas

 

Wim Bartsoen, Chief Digital Security Officer at Securitas, then took us from the theory to real life and practice.  He began with the definition of 'Security by Design' according to Wikipedia.  Based on that definition, one might wonder if it is really about software after all.  And in fact, when looking at real data breaches, you can indeed conclude that it is rarely about software alone.

 

Securitas was in the headlines in May 2019 for a potential data breach:  a client raised the alert about possible vulnerabilities in Securitas' own alarm app.  Wim described the weaknesses related to the app:

  • Legacy: the app has existed for a few years, but isn't tested regularly
  • Interdependence
  • Governance
  • Knowledge & expertise
  • Cost constraints

 

So the conclusion is definitely that security by design must be about more than secure code.

 

The key is to rephrase things and frame them differently: focus on the system rather than the software.  (Slide 8 summarises the key assumptions and the key objective Wim works with.)

 

Next, you need to realise that the system is not a remote island (slide 9). You need to take into account the system, but also the organisation, and the ecology of suppliers and partners.

 

Finally, optimism, stamina and stoicism: three qualities a good CISO needs to have.

 

 

Case: Wealth management in a secure environment

 

The next case on the agenda came from Filip Vandorpe, Head of IT at CapitalatWork Foyer Group.  He started with an overview of his general security principles, from IT security governance, infrastructure and monitoring, to user access management and incident management (slides 4 and 5).

 

Filip explained that, as an organisation, CapitalatWork has a very trust-sensitive bond with its clients.  So should a major data breach occur, the organisation risks failure.

 

A major security challenge occurred when management decided that staff need anytime, anywhere access to company data.  They chose mobco as a trusted partner to guide the company. The 'mobile at work' project has three stages:

  • increase mobility: e-mail, agenda & contacts
  • increase efficiency: meeting, presentation, pm tools
  • own apps (KPI Dashboards, e-Onboarding, etc.)

 

Enhanced security measures are also now in place (slide 9).

 

 

Case: How to marry security by design with privacy by design in the real world

 

Our final talk took on the synergy between 'Privacy by Design' and 'Security by Design':  how different or similar are these concepts?  Willy Van Buggenhout, (former) Chief Privacy Officer at Johnson & Johnson International, and Mathijs Rogiers, Senior Consultant at Deloitte, guided us.

 

Willy explained, based on his experience at Johnson & Johnson, that these two concepts go hand-in-hand. This has been enabled and accelerated by the introduction of GDPR, by the way, as the latter includes 'by design' as a legal requirement.  Yet at the same time, it remains a vague concept (more like a best practice).

 

For starters, you need to grasp both the concepts of 'by design' and 'by default' (slide 5).  The key characteristics and principles of 'Privacy by Design' place it in the realm of accountability, and it is part of the general obligations of the data controller (slide 6).  A last, but not least, principle is that the integration with 'security by design' is a must.

 

Keep in mind these practical considerations, though:

  • Principles leave room for judgment (risks, impact)
  • Dynamic over time (state of art, cost)
  • Dynamic if processing changes
  • Need for a consistent approach
  • Technology neutral, but encourages investments in technology
  • Requires thinking about organisational measures on how to ‘capture’ privacy requirements when new processing activities are put in place

 

The presenters gave a few examples of organisational measures to implement the concept of 'Privacy by Design' (slide 9).  One element that is often forgotten or seen as difficult, is document retention: what to do at the end of life of a document?

 

As a bridge to 'Security by Design', Mathijs shared the data breach story of Equifax in 2017, which demonstrates that the two 'by Design' concepts closely intersect. In their overview of a secure software development life cycle (SSDLC), the word 'secure' can easily be replaced by the word 'privacy' in all the elements (slide 12).

 

Secure software is not only about coding and not only about requirements, Mathijs emphasised. It calls for a combined approach:  from IT, from Risk & Compliance and from the business and the organisation.

 

When protecting your ICT landscape, make sure to run different kinds of tests: from vulnerability scanning to constant monitoring, both dynamic and static analyses, even in the coding phase of your solution (slide 15).

 

Even as IT organisations began embracing agile development practices over the last decade, many continued to approach security issues in the same incremental, siloed way they had with waterfall. As a solution, and to enhance their approaches to cyber and other risks, organisations are embedding security, privacy, policy and controls into their DevOps culture and processes, enabling the entire IT organisation to share responsibility for security.

 

Willy and Mathijs concluded their presentation with the four pillars of DevSecOps: People, Process, Technology and Governance (slide 21), and shared their main takeaways (slides 23 and 24).
