Vincent Meijer, CISO at Ordina, explains why security should be built in, not bolted on...
“We are a local player,” says Vincent Meijer, CISO and Head of Information Security at Ordina. The Netherlands-based IT solutions company is heavily focused on the Benelux market, perhaps surprisingly in a world of globalised solutions. But for Meijer it is key to delivering value.
“We talk about areas of expertise, but we get even more value because we are a local player. We understand Dutch, Belgian and Luxembourgish culture and how things work out there, and we focus on building expertise and knowledge of certain branches – sectors – in these countries.
“We have a deep understanding of those kinds of businesses which, added to our expertise, can really move them forward and put them a step ahead. You can have just the expertise and fold it into a context you don’t understand, but you will only bring the company forward in a technical way. We look at it a little bit more holistically and see how we can deliver a total concept or solution by combining expertise from all our company.”
Meijer talks about holistic security enthusiastically, and calls his work ‘security transformation’. “I don’t think security is a goal in itself,” he says. “It’s just a piece which needs to be there as a standard way of working. So it needs to be built in, and to build it in you need to look at it in a more holistic way – and look at where you can adjust it or apply it in your value stream process. If you do that, you can move and anticipate change really quickly because it’s just the way you work. But if you keep on addressing it as an add-on or an afterthought, that’s going to be really, really difficult.”
Why? “It was already difficult, but it’s going to be impossible to grow in this digital transformation everybody’s into. And the risks are growing.”
Meijer explains that new legislation passed in the Netherlands places a duty of care on suppliers for security matters. It is “a big topic at the moment” because, although many suppliers wanted to put security at the heart of their solutions, it adds cost, and clients were reluctant to pay the perceived mark-up.
“That was always a difficult discussion, because if the supplier thinks their competitor is going to propose a solution without [security] and I’m going to propose one with it, I’m going to lose the offer. So it’s a big step from both sides to increase security, and that’s a good thing, I think.”
Hybrid working and security
Covid-19 has also accelerated security concerns as working patterns change and an increasing number of employees engage with their work via personal devices. “A lot of companies designed their programs on the office network, not just their IP networks but also the people networking in the office and in the office space. So, for example, the awareness programmes – there are posters all over the company, in the toilets, in the coffee bar, but no one’s going there so the question arises: how do I reach my people?”
At a more technical level, Meijer also points to home networks that lack the enhanced security of corporate network monitoring solutions. “A lot of companies I speak with have a huge blind spot there, so they need to anticipate it to increase visibility again. And again, we are continuously looking at what value we can create. So the way we create value for our customers hasn’t changed, only the context of the environment where, when and how we create that value did change.”
Companies that have not previously consolidated their security arrangements struggle to manage and maintain all of their security controls, and doing so almost becomes a goal in itself. “Hopefully a lot of people are going to take a little step back instead of rushing forward,” says Meijer. “A better goal should be to make it simpler instead of adding more complexity to it. So we help companies to remove complexity and make their security arrangements more effective and easier to manage, in order to become more resilient.”
Zero trust: no hero?
“I keep hearing about a ‘zero trust’ philosophy during Covid conditions, and this is where you don’t trust anything and therefore might think you have to check everything. Using this approach might land you in a never-ending and unmanageable situation, I think, because that’s going to be too much and really complex. Yet if I look at this change, I can actually remove complexity because I can look at the office environment at the same level as the home environment. I don’t trust them, but I only have one scenario to manage. We’re not ever going back, I think, to the old situation. We’re going to a hybrid kind of model, and then the office becomes a more public environment with a different function – to connect, to socialise, to find each other in person – and that’s why my office network is going to look more like my home network.”
Meijer’s mantra of building security in, rather than bolting it on, is part of this simplified approach to holistic security. But organisational hierarchies play a role in whether the customer can be sold on the argument. Difficulties arise when security officers still sit, in the traditional way, somewhere in IT rather than within the business itself. It is an easier sell when, as at Ordina, the CISO is also an executive position. This important transition to really integrate into the business could take up to five years, he says.
Finding a partner
Internally, Ordina wants to create value, and the same is true of its partnerships. “You have to seek partners to be able to offer a total solution for the problem in the market. You have to find a partner who is really excellent at what they do, so we can join forces and increase the value of something we deliver together to the customer.”
ESET, an antivirus company, is one such partner. ESET is happy with its product but did not have the expertise to follow up on alerts within the customer’s context. “They realised that that wasn’t actually their cup of tea, so they needed to find a partner who was good at that, and can bring customer and business context to the product. So that’s why we joined forces, because we design it within the context of the organisation and we can follow up in case of an incident.
“It’s important to realise that as a good security services provider you need to work with partners in order to deliver end-to-end solutions. You can’t do everything by yourself, especially all the security. It’s just too broad. It’s too much, it’s too intense. And a partnership has to be a two-way street, otherwise it’s more like a supplier-client relationship. It needs to be from both of you, and if you can solve something for customers which can only be solved with these combined services then you’re in really good condition.”
Risk ownership and accountability
Finally, Meijer wants to stress the importance of risk ownership. “A big job is to help the organisation understand, and organise that accountability in the right places in your organisation. We need to see security as more of a shared responsibility for everybody in the company and organise it so everyone can take his piece of accountability.
“Otherwise we’re going to end up being at a loss, or running behind it forever.”