CASE STUDY
What security measures do you have
in place more generally?
It could be, for example, implementing global
vulnerability management solutions; it could
be jumping to a new technology or setting up
firewalls in our web applications – we do this
based on risk management – or it could be
whenever we have new business demands.
What do you consider are the
unique challenges for the
construction industry?
The challenges we face differ to those of
other industries that may be more dependent
on IT such as the banking, insurance and
healthcare sectors. Cybersecurity is better
understood in such sectors and therefore
easier to sell internally. We are in an industrial
mindset and the construction industry isn’t
a sector to sell security offerings internally
within the organisation. We face the same
challenges as more exposed companies, so
our priorities are the same. We need to work
and focus on the same areas, so this is one of
the challenges that we find specifically in the
construction material sector.
Another challenge is focused on the
industrial side and whether there are
companies that don’t have industrial
IT security, also known as Operational
Technology (OT). This is a challenge for us
because cement plants have a completely
different environment than a retail business
or a health insurance business or a bank.
What were the main security
concerns during the merger?
Before the merger was executed in July 2015,
we were not authorised to talk freely between
companies – there were strict rules around
communication. We – Lafarge and Holcim
– were both competitors in a sector that is
strictly controlled. However, we were trying to
understand each other’s strengths to plan for
the future, but with very little information. The
merge was announced in 2014 and executed
in July 2015, thus both companies were in this
situation for several months.
Another challenge we found was the types
of tools and the organisation of tools and
policies. The IT aspect of the merge was
also a challenge as merging two companies
takes years.
INTELLIGENTCIO
What were the key areas of your
network that you needed to secure
post-merge and why?
Our main focus is on people, processes
and technology so our priority was
our end-users and ensuring all of our
employees (80,000 globally) were trained
in cybersecurity awareness.
In terms of tools, we needed to understand
the kind of setup that each company had,
so that’s one area we needed to tackle.
Additionally, productivity management and,
last, the processes. Two different companies
have two different processes in place and
we needed to align them. So, we were
looking at the whole IT security portfolio
and understanding what needed to be in
place in terms of the people, processes and
technology from an IT security standpoint
of both companies and decided what was
the best approach moving forward. It was
not a cherry-picking exercise, it was a full
alignment to make sure we were setting
up the right grounds for the new company
being built.
What key qualities were you in
search of in a vendor?
We look for vendors that are capable of
demonstrating the following capacity
with real use cases – so the ones that are
able to execute, perform and have good
capabilities. It is therefore key that the
integration capabilities of a vendor comply
with other enterprise tools. Also important
is the time it takes to implement – this is an
important aspect whenever we look into a
provider. It is very difficult to sell business
cases in two/three-year transformation
projects as it is too long-winded, so it is
very important to be fast and agile. We also
consider cost to ensure we really optimise
our investments and make certain there is a
good level of ROI.
Can you give our readers an insight
into the types of security issues
keeping CISOs up at night?
I believe that incidents like WannaCry are
the main reason CISOs would dread being
woken up during the night. Nowadays,
if a company experiences an IT service
disruption, the minute you are offline you
are losing business, so we need to be very
prepared. People can plan ahead but nobody
can predict all of the different circumstances
that might take place.
How has LafargeHolcim benefited
from using Tenable’s products?
We have great visibility, accurate results
and we have made a tool to work which is
integrated within our internal processes.
So, there was a very slight change of
management style required from our site
since we implemented Tenable’s solution.