Fabrice Wynants boasts a solid track record in cyber security, with 25 years of experience in management positions at Ubizen and Verizon. At the start of January 2020, just before the world went into lockdown, he joined Cegeka as the Global Director of Cyber Security & IAM Services. A little over a year after his unusual start, we sat down with him for an interim assessment.
The conversation took in the unavoidable topic of coronavirus and its impact on us all, but also the changing role of the CISO, the increasing alignment between IT and OT/IoT and last but not least – the end-to-end security programme that Wynants and his team have been working on for the past year, “The Road to Resilience”. Wynants tells us more ...
I'll get straight to the point: the COVID crisis erupted immediately after you started working at Cegeka. What has changed since the pandemic?
Fabrice Wynants: “I don't need to explain that working remotely had an immediate impact which is still being felt today. With so many people working from home, we suddenly had an army of unmanaged endpoints that were connected through potentially insecure internet connections, not only to on-premises corporate systems but also to cloud-hosted data and SaaS applications. Not all companies were using VPN technology, and in any case VPN-based access does not provide sufficient protection for every scenario.”
“Many companies were left scrambling, and many of them really had to go through a forced digital transformation. Getting everything organized required a number of actions, and while these were wins, not all of them were quick wins. The first thing they had to do was to provide proper security for both managed and unmanaged endpoints with, for example, patching. Secondly, they had to introduce a strong form of authentication, such as two-factor. And thirdly, all endpoints had to be monitored via Endpoint Detection & Response, so that anomalies were immediately detected and dealt with. It is essential to have the capacity to manage all devices remotely and, if necessary, isolate them. Many organizations were, and still are, unable to do this.”
“In addition, we saw a worldwide increase in social engineering activities, such as phishing. This is a very regrettable development, but it's here to stay. It has been said many times, but it needs repeating: raising awareness among every end user is and remains crucial.”
Haven't we seen enough 'awareness' campaigns by now?
Wynants: “Yes, but they are still necessary. Awareness has to be considered from two angles. On the one hand, you have awareness among the managers: to what extent does the C-suite see cyber security as an investment, and not as a cost? We have noticed more and more managers undergoing this change of mentality year after year, not least because there is a growing awareness that any company, large or small, can be impacted and, most importantly, in any sector. Manufacturing companies used to ask me, ‘Why would a hacker target us? There is nothing for them here.’ Yet now that cybercriminals have found their way to the shop floor through the ‘gates’ of OT (Operational Technology) and IIoT (Industrial Internet of Things) devices, and can hold an entire company hostage with a targeted ransomware attack, things have changed.”
“Then of course there is the awareness on the part of the end users. Whichever way you look at it, most incidents can be traced back to human error. The traditional approach of raising awareness with a poster on the wall no longer works. Most people literally look past them. One of the things we do at Cegeka, both internally and for customers, is organizing phishing simulations. Every Cegeka employee also has a report phishing button in their email client. The good thing about this is that you can measure how big the problem is, and where it is located within the company, which allows you to adapt your awareness training accordingly. Many companies already do this, but only once a year, for example, and for all their employees. While you get much better results if you repeat this regularly, and specifically target certain groups.”
Has the pandemic put new pressure on the CISOs?
Wynants: “In an IT landscape where the perimeter is always disappearing from view, they already had their hands full (laughing). But the pandemic has certainly made some aspects more challenging. Priorities were redefined, and CISOs had to be able to deal with them quickly and intelligently. I do see the role being upgraded. Now that management boards have realised that critical business processes can be impacted, CISOs are more often given the opportunity to contribute on a strategic level and focus on corporate risks.”
“Today's CISOs are offered a 'seat at the table' much more often than in the past, when it was more of a technical role. But it also creates more pressure: they have to report to the management on a regular basis. We are well aware of this, and our way of working is also geared towards assisting and unburdening the CISO as much as possible.”
You mentioned the gates of OT and IIoT. Is that where the real danger lies?
Wynants: “Ransomware has wreaked havoc in industrial environments in recent years and will continue to do so. Increasing automation, the introduction of robotics and IoT are causing IT and OT to become increasingly intertwined, allowing malicious code in IT to penetrate OT environments. Cybercriminals know this, and it’s a great opportunity for them to force companies to buy their way out of hostage situations. It's big business.”
“As a result, cyber security and resilience also have to be implemented on the shop floor, and the same actions – assess, prevent, detect, respond, recover – apply as for IT. With OT, companies also need to map out which connected devices are critical to business processes, what their vulnerabilities are, how we can authenticate them in a network, etc. Unlike in IT, the main goals in OT are the safety of people, and the availability of production processes and machines. This means that it is less obvious and sometimes even impossible to run agent software in an OT environment, for example. That takes some cleverness on our part, but we do have solutions for this in our end-to-end security offering.”
Cegeka's security offering is part of “The Road to Resilience”. Can you tell us more about that?
Wynants: “We are developing a roadmap that enables companies to work as safely as possible and – more importantly – to be resilient if something goes wrong, because no solution can offer complete protection. In other words: do everything possible to avoid any incidents, and if they should occur, have the ability to bounce back very quickly. Resilience is, in fact, the sum of all security measures – assessment, prevention, detection, response, recovery – plus a business continuity or recoverability plan. Together they make up a programme that is adjusted on an ongoing basis through continuous improvement.”
“In that programme, an important approach is ‘Zero Trust’. In the past, the IT landscape was divided into trusted and untrusted zones, and everything inside the perimeter was usually considered as trusted. So once you were inside, there were no more barriers. ‘Zero trust’ is based on the ‘never trust, always verify’ and the ‘least privilege’ model, where users are only given the minimum amount of rights they need to do their job.”
“We also want to help prepare companies in the event of a breach, and ensure that they can detect and respond quickly to what is often referred to as an ‘Assume Breach’. Not all business processes are equally critical. What we learned from the COVID crisis is that a lot of companies do not really know which processes are most critical for business continuity. That too, is something we can help them with.”
What are Cegeka's priorities for 2021?
Wynants: “This year we are focusing in particular on a number of services that we offer in an “as-a-service” model, delivered from our Security Operations Centre (SOC), such as Managed Detection & Response, Endpoint Detection & Response, Privileged Access Management, and others. The fact that we can deliver them as a service from our own SOC makes these services very interesting in terms of cost, manageability and also knowledge. Take PAM solutions for instance: they are usually complex and expensive, yet you can no longer do without them as a company. By purchasing this solution ‘as a service’, it becomes affordable and you no longer have to worry about the complexity.”
“In addition, we are in the process of opening up our entire range of security services to our customer engagement portal, CGK-Horizon. Horizon acts as a ‘single pane of glass’ on top of the customer's security posture, with unified data on firewall policies, vulnerability & compliance information and end-to-end security monitoring for all mobile endpoints, digital workstations, servers, applications, IT/OT and so on. But Horizon is much more than that – it is a unique gateway for every Cegeka customer who purchases a service from us.”
Finally, why Cegeka?
Wynants: “When I joined Cegeka in early 2020, one of my responsibilities was to bring the considerable number of activities in the field of security together in one place. What struck me then is how modest we were, and still are, when it comes to positioning ourselves in the market. To some extent, that reflects Cegeka's culture, which is very no-nonsense and pragmatic.”
“What I like about Cegeka – not only when it comes to security – is that we have the capabilities of a corporate enterprise, but we still work very closely to the customer and remain accessible. This ‘best of both worlds’ combination makes us quite unique and allows us to be close to our customers in the field of security when it really matters.”