“Business leaders are becoming more interested and willing to get objective information, to define what their risk appetite is”
Jose Maria Labernia is CISO for the EMEA region at LafargeHolcim, one of Europe’s biggest supplier of concrete and other building materials.
Based in Madrid, he is responsible for a team of 500 IT professionals spread across 50 countries, and has been in what he describes as a “happy relationship” with the Swiss multinational for the last 11 years, fulfilling various roles in the business.
He joined Computer Business Review to talk cyber security, the evolving threat of ransomware and the potential problems that could be caused by deep fake technology.
Hi Jose. How bad do you find the threat environment?
The reality is all organisations are suffering attacks, whether they’re automated, APT, or smaller cyber security incidents, and we’re no different.
My team’s job is to try and ensure they don’t happen or, if they do, to try and keep any disruption to a minimum.
What’s your approach – do you swear by a particular technique or vendor?
Every CISO will take a different approach, but I like to deal with multi-layer protection.
We are data and segment agnostic, so we don’t care about any particular product because you never know when an infection will occur or how that infection will move laterally and compromise your network or critical infrastructure, the ‘crown jewels’ of your business.
What we do is tackle cyber security at every level of the IT chain, so our job starts every time we take on a new project or initiative, or deploy a new product. We need to work hand-in-hand with business stakeholders to define the risks and then find the best security mechanisms to mitigate those risks.
For example, if we’re going to put in place a new IT procurement tool, some people might say that’s a web application, so we need to protect it as such.
We don’t stop there, we work with the procurement team, we ask them for specific application-level type of risks, then we may ask other people from the organisation who have a different mindset, such as programmers, to look at it and try and spot other risks. Four sets of eyes can see much more than one.
Are there any tips you would give to other organisations looking to improve the security of their systems?
It’s important to iterate and evolve in the way hackers do. Security is not a picture, it’s a video topic, so you really need to evolve over time and be at the edge of the latest innovation, and be aware of how to protect against the latest threats.
What we usually do is get together with the security team and try and think like hackers. Hackers are very smart, and often come up with techniques you would never normally think of. So we have several techniques to put ourselves in the mind of attackers and try and spot different vectors of attack.
It’s not enough just to run a simple pen test.
Ransomware attacks are an increasingly big problem – how do you deal with the threat?
Ransomware attacks have evolved into a really amazing degree of sophistication. In a lot of countries you go to the police and they will tell you if you want your information; pay it. It’s because they can’t go after the attacker, because they’re in another country or there’s some kind of regulation issue, or it’s too complex.
At the beginning it was more individuals being impacted, but now hackers can see the impact it can have and the profits there are to be made when the core of a company’s business is attacked.
This is what happened when Garmin was attacked a couple of weeks ago – they stopped production for a couple of days and it led to millions of IoT devices not working. You need to be very well protected with different layers of protection and back-ups, as well as a response strategy.
Interpol has launched a new initiative, No More Ransomware, to provide free tools to make sure you don’t have to pay the ransom. It demonstrates nicely how these kind of attacks have grown over the last few years, because there are hundreds of tools available there ready to deal with hundreds of different attacks.
How do you balance the risk presented by IT and operational technology in your business?
Cement plants are super operational technology dependent – they are big sites with a lot of automated and low-level programming systems.
We include this in our analysis and tend to provide the business units with specific KPIs about their area and the risks they face, so they can evaluate their exposure and make a decision about the kind of risks they are prepared to take.
It sounds like your department is closely aligned with the rest of the business…
It is. For me cyber security is not an IT topic, it’s a business topic that IT can support and drive, and as such business units need to own it.
People are more aware of these issues now, they see attacks like the recent one that compromised the Twitter accounts of celebrities and politicians, and I think this helps them realise it can be a reality for them too.
Business leaders are becoming more interested and willing to find out more so they can get objective information and define what their risk appetite is. Given that the top management is already aware of cyber security, this message is going down through organisations and people are very conscious and aware of the situation.
Looking to the future, what are the emerging threats businesses should be aware of? Is there anything that keeps you up at night?
I am quite concerned about deep fake technologies, which I think are going to make an extremely disruptive move in cyber security. Whenever you are able to impersonate someone – by video or voice control – you will see growth of phishing attacks, people impersonating CEOs and senior leaders, that sort of thing.
The other problem I foresee is around Covid-19, specifically home working and remote IT support. Many companies out there were not so well-prepared, and their employees may face attacks from people purporting to be from the helpdesk, asking to take control of their system so they can implant a route key that allows them to jump internally into the rest of the system.