INDUSTRY WATCH
Another value to EDP is communicating key indicators to the board and demonstrating improvement over time as a result of the remediation activities guided by its security rating performance.
Executive Reporting
EDP’s Sustainability Report provides the main trends in each of its sectors, the strategy adopted and the results achieved in relation to its sustainability goals. The report is a key channel through which the board shares its vision and values in innovation, sustainability and humanisation. The adoption of BitSight Security Ratings, defined as the group’s KPI, highlights the external value to its third-party stakeholders and its importance to the company’s internal mission statement.
Plans for the future
While the current focus for the organisation is on Security Performance Management, the next step will be the evolution towards third-party risk management, specifically vendor risk. This would include expanding EDP’s current use of BitSight to apply ratings to specific vendors alongside its own monitoring solutions. This will help avoid ‘blind spots’ across its vendors and provide much-needed visibility of security performance across its entire vendor lifecycle.

Also, working with its vendors and BitSight to quickly and collectively reduce cyber-risk by sharing BitSight Security Ratings data will enable EDP to have intelligent, data-driven conversations with key stakeholders, including vendors, board members and investors, about its security risks.
Intelligent CIO caught up with Paulo Moniz, Chief Information Security Officer, EDP, to find out more about the solution.
As an operator of critical national infrastructure, how important is having a reliable security solution?
EDP has established information security as a competitive factor, not only because we recognise that it generates confidence from stakeholders, but also because we have a critical responsibility in the social context. As a result, we have identified two major crown jewels: one resulting from managing large volumes of personal data of clients and employees; and the other because we operate critical infrastructures.
“Taking advantage of the flexibility of BitSight’s platform enables us to create our own customised asset groups and sub-companies. This enables the company to grow its security operations horizontally, while bearing in mind the different operational contexts, especially with regard to the clear boundaries between IT and OT environments.”
Paulo Moniz, CISO, EDP
In order to implement our strategic vision for information security, we established end-to-end security as a guiding principle, which implies a holistic approach permeating the organisation. This avoids the need for a siloed approach, incorporating security from the development of services and applications to activities carried out by service providers, within a logic of Security by Design.

A reliable security solution such as the BitSight rating has the strong merit of uniting the entire organisation around a common objective, which is recognised by external entities. This is also a strong internal tool to mitigate cybersecurity risk, helping to break the silos that have a negative impact on the organisation.
How does the solution improve operability for the end-user?
The solution has a direct impact for cybersecurity teams – it provides us with objective security metrics that enable our security and operational teams to focus on clearly defined objectives. In turn, this enables us to decrease the global cybersecurity risk of the organisation.

Being a common goal communicated to all within the company, BitSight’s Security Ratings also establish guidelines for those who aren’t within security teams on what they are permitted to do with company IT resources, decreasing resistance and improving the overall security of IT resource usage.
How scalable is the solution?
There are two major examples where we can escalate the solution easily with enormous value. The first is when EDP is evaluating the risk from a mergers and acquisition perspective. The second is when we want to create a vendor risk management program, since the supply chain is a critical aspect for EDP’s overall cybersecurity posture. In both cases, the solution can be easily scaled to incorporate other companies in the digital footprint risk evaluation.
How far has it future-proofed operations?
Cybersecurity is a constantly changing area with new threats emerging almost every day. No one with cybersecurity responsibilities can say with a completely clear conscience that their company’s operations, or the tools that support them, are completely future-proofed. However, we can say that by always keeping up to date with information security best practices and continuously improving detection and response mechanisms, BitSight has allowed EDP to keep tabs on newly discovered vulnerabilities. This ensures that our security controls are keeping pace with ever-evolving threats.
Aligning with the recommendations proposed by BitSight enables our security team to preview pain points and shifts when dealing with large-scale IT risk, maintaining a bird’s-eye view without being lost in technical details that could potentially lead to us being blindsided by technological improvements. Nonetheless, it’s important to track these when designing and implementing long-term IT solutions for the company.
www.intelligentcio.com