Security is no longer just the concern of the IT department – it is everybody’s business! To find out more about the impact of mobile devices on security, we speak to Raphaël Viard, VP, IT Shared Service Centre, Alstom and Michel Van Den Berghe, Managing Director of Orange CyberDefense.
What significant changes have there been in recent years in the way staff members at your company work?
Raphaël Viard, VP, IT Shared Service Centre, Alstom: Undoubtedly, the main change has been the growth both of mobility and the consumerization of business IT. This change arose from many of our staff members wanting to take full advantage of their work devices which are now mobile. The transformation began with laptop computers becoming available as an alternative to fixed work stations and intensified with the arrival of the first smartphones and tablets on which they can carry out work-related tasks. The rise of social networks and cloud services has also changed the way our employees view their work.
Michel Van Den Berghe, Managing Director of Orange CyberDefense: The digital transformation of most of our jobs over the last few years has resulted in a convergence between our professional and private lives. This is primarily because of smartphones, which just like tablets, thanks to their ergonomic design and connectivity have seen them being adopted as much for work as leisure. This has given rise to new and relatively complex security issues.
Given the risks, what has been your approach regarding the spread of these mobile devices?
R.V.: The first and quite natural approach was to try and hold up the process so that we could have time to perform a security analysis. This, of course, was impossible, as employees would will go under the radar to find the technical solutions they want which the organization has failed to provide. They do not do it to challenge the organization, but to find the solutions they require to do their jobs. The best solution is therefore to support the change rather than obstruct it. This is exactly the approach we have taken for implementing Bring Your Own Device (BYOD). Permission is given on the condition that the same security policy is applied to these devices as the one on the company’s mobile terminals. Today, more than 11,000 of our staff members have joined this program and their satisfaction rate, measured monthly, is over 90%.
M.V.D.B.: Alstom was one of the very first companies to go with BYOD. In particular, our approach has involved defining tools for separating private and professional data. Together, we have worked on authorization rules allowing for secure connections to company networks
These rules also allow us to change what is available in the enterprise app store – i.e. the collection of applications which each staff member can access remotely. The goal is to ensure that the tools which each of them require, in order to carry out the tasks entrusted to them, remain available to them. This offers advantages in terms of security, in that it limits the risk of an unverified program being installed on a device. It also allows us to save on costs because it reduces the number of software licenses required.
Besides security regarding mobile devices, has your security policy developed in other areas?
R.V.: In the past, security was very infrastructure-oriented. Regardless of the type of data which was hosted on devices and systems the level of security was the same. Basically that of the network which allowed them to connect.
Today, this approach has changed and, more and more, we are steering our policy and investments towards data security. Rather than try to protect the enormous amount of data produced or processed by Alstom, which increases every day, we are focusing our efforts on truly sensitive data. One of our tasks, therefore, is to set up a continuous process for classifying our data in order to identify which data must be protected and apply a very strict level of security to it.
Who identifies sensitive data?
R.V.: The solution is not only in the hands of the IT department. The set-up must be reversed. While the company's IT system facilitates matters through the setting up of processes and tools which enable us to classify and secure data, only people who create or handle data are able to measure its level of sensitivity. In this case, security is everybody's business.
Do you also think that IT security is no longer solely the domain of the IT department?
M.V.D.B.: Cyber security is an operational risk and must be treated as such. Like terrorism, we must learn to live with it and accept that we cannot protect everything in the company. We must continuously raise user awareness. You can install the most powerful alarm in the world in your home, but it isn't much use if you forget to close the door when you leave. That is why we support our clients in taking this step which constitutes a real cultural change.
What is the role of Orange Business in your security policy?
R.V.: Orange is a long-standing partner of ours. They have worked with us on practically every major security project that we have launched in the past few years. They let us take advantage of their monitoring of technological development, their ideas and their teams' skills. Their experts do not hesitate to pass their knowledge and expertise on to our staff members. It is a real, long-term partnership.