Intelligent CISO Issue 21 | Page 53

COVER STORY

achieved in relation to its sustainability goals. The report is a key channel through which the board shares its vision and values in innovation, sustainability and humanisation. The adoption of BitSight Security Ratings, defined as the group’s KPI, highlights the external value to its third-party stakeholders and its importance to the company’s internal mission statement.

Plans for the future

While the current focus for the organisation is on Security Performance Management, the next step will be the evolution towards third-party risk management, specifically vendor risk. This would include expanding EDP’s current use of BitSight to apply ratings to specific vendors alongside its own monitoring solutions. This will help avoid ‘blind spots’ across its vendors and provide much-needed visibility of security performance across its entire vendor lifecycle. Also, working with its vendors and BitSight to quickly and collectively reduce cyber-risk by sharing BitSight Security Ratings data will enable EDP to have intelligent, data-driven conversations with key stakeholders, including vendors, board members and investors, about its security risks.

Intelligent CISO caught up with Paulo Moniz, Chief Information Security Officer, EDP, to find out more about the solution.

As an operator of critical national infrastructure, how important is having a reliable security solution?

EDP has established information security as a competitive factor, not only because we recognise that it generates confidence from stakeholders, but also because we have a critical responsibility in the social context. As a result, we have identified two major crown jewels: one resulting from managing large volumes of personal data of clients and employees; and the other because we operate critical infrastructures.
In order to implement our strategic vision for information security, we established end-to-end security as a guiding principle, which implies a holistic approach permeating the organisation. This avoids the need for a siloed approach, incorporating security from the development of services and applications, to activities carried out by service providers, within a logic of Security by Design. A reliable security solution such as the BitSight rating has the strong merit of uniting the entire organisation around a common objective, which is recognised by external entities. This is also a strong internal tool to mitigate cybersecurity risk, helping to break the silos that have a negative impact on the organisation.

How does the solution improve operability for the end-user?

The solution has a direct impact for cybersecurity teams – it provides us with objective security metrics that enable our security and operational teams to focus on clearly defined objectives. In turn, this enables us to decrease the global cybersecurity risk of the organisation. Being a common goal communicated to all within the company, BitSight’s Security Ratings also establishes guidelines for those who aren’t within security teams, on what they are permitted to do with company IT resources, decreasing resistance and improving the overall security of IT resource usage.

How scalable is the solution?

Taking advantage of the flexibility of BitSight’s platform enables us to create our own customised asset groups and sub-companies. This enables the company to grow its security operations horizontally, while bearing in mind the different operational contexts, especially with regard to the clear boundaries between IT and OT environments. There are two major examples where we can escalate the solution easily with enormous value. The first is when EDP is evaluating the risk from a mergers and acquisitions perspective.
The second is when we want to create a vendor risk management program, since the supply chain is a critical aspect for EDP’s overall cybersecurity posture. In both cases, the solution can be easily scaled to incorporate other companies in the digital footprint risk evaluation.

How far has it future-proofed operations?

Cybersecurity is a constantly-changing area with new threats emerging almost every day. No one with cybersecurity responsibilities can say with a completely clear conscience that their company’s operations, or the tools that support them, are completely future-proofed. However, we can say that by always keeping up-to-date with information security best practices and continuously improving detection and response mechanisms, BitSight has allowed EDP to keep tabs on newly-discovered vulnerabilities. This ensures that our security controls are keeping pace with ever-evolving threats. Aligning with the proposed recommendations by BitSight enables our security team to preview pain points and shifts when dealing with large-scale IT risk, maintaining a bird’s-eye view without being lost in technical details that could potentially lead to us being blindsided by technological improvements. Nonetheless, it’s important to track these when designing and implementing long-term IT solutions for the company.