CIONET recently revisited the remarkable setting of Martin's Patershof in Mechelen, for a roundtable orchestrated with our partner Zscaler. The mission: delve with a select group of digital leaders into the crucial topic of data control as a cornerstone of a robust cybersecurity strategy. Joachim Claeys, Security Manager at DPG Media; Philip Dumortier, CIO at the Ministry of Foreign Affairs; and Stefan Van Gansbeke, CISO at Christelijke Mutualiteit – Mutualité Chrétienne, acted as ‘conversation starters’ by sharing their narratives on navigating the path to security and data control.
Using the data to increase the value of services
Stefan Van Gansbeke outlined how the Data Intelligence Group at CM-MC is embodying the organisation's vision as a health fund by crafting and providing tailored support and value-added services to its members. "Data sources are plentiful and varied, stemming from numerous entities within the CM-MC group," he noted. Handling such sensitive data (medical, personal, and social) demands rigorous management and governance, honouring all regulatory and ethical standards concerning privacy and member welfare. CM-MC has, therefore, implemented stringent data governance and usage protocols, alongside shifting from traditional VPNs to a Zero Trust Platform that regulates all user access to data. The latter exercise, defining who has access to which data and for what specific purpose, is done in close collaboration with the business: the ownership of the data and its use lies ultimately in their hands. The next step, according to Stefan, is the large-scale migration of the data to a sovereign cloud, which ensures that the data is stored and managed within a Belgian legal jurisdiction and regulatory framework. CM-MC is currently also exploring the use of personal data vaults, as introduced by Athumi, the Flemish data utility organisation.
“We are in a similar situation as CM-MC”, added Geert Leekens, enterprise architect at Engie Belgium. “Engie’s mission has recently evolved towards accompanying its customers through the energy transition. In this context, we need to offer our clients personalised added-value counselling. This is only possible on the basis of accurate insights and the use of data from a diversity of sources. The challenge is therefore to set up a well-structured and strictly governed way to map the data, assure (correct) access and use of these data by the right people, and all this in strict accordance with all rules and regulations.”
In fact, this storyline turned out to be common to most participants: the need for value-added services based on the data, and therefore the need for mapping, inventorying, governance, control and securing. The latter leads them towards Zero Trust models, which require continuous authentication and monitoring of every access attempt to network resources, whether it originates inside or outside the private network, challenging the traditional model that relies on a protected network perimeter.
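To make the two ideas above concrete (purpose-bound access to sensitive data agreed with the business, and verification of every request regardless of where it comes from), here is a small policy evaluator as an added example. It is not code from CM-MC, Engie or Zscaler; the roles, data classes, purposes, the 30-minute re-authentication window and the sample requests are all constructed for illustration. Network location is recorded in the audit log but never used as a trust signal, and every decision is logged so access can be monitored.

```python
"""Toy zero-trust access evaluator (added example, not any participant's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical purpose-bound policy: (role, data_class) -> permitted purposes.
# Constructed for illustration; in practice this table is owned by the business.
POLICY = {
    ("care_advisor", "medical"): {"member_support"},
    ("care_advisor", "personal"): {"member_support"},
    ("data_analyst", "medical"): {"aggregate_reporting"},
    ("data_analyst", "personal"): set(),   # no purpose permits raw personal data
}

MAX_SESSION_AGE = timedelta(minutes=30)    # assumed re-authentication window


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    session_started: datetime
    device_managed: bool
    device_patched: bool
    data_class: str
    purpose: str
    source_network: str   # logged for forensics, deliberately not a trust input


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list[dict] = []   # every decision, allow or deny, lands here


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Check identity, session freshness, device posture and purpose, in order."""
    checks = [
        (req.mfa_verified, "mfa_missing"),
        (now - req.session_started <= MAX_SESSION_AGE, "reauth_required"),
        (req.device_managed, "unmanaged_device"),
        (req.device_patched, "device_out_of_date"),
        (req.purpose in POLICY.get((req.role, req.data_class), set()),
         "purpose_not_permitted"),
    ]
    for ok, reason in checks:
        if not ok:
            return _record(req, now, Decision(False, reason))
    return _record(req, now, Decision(True, "policy_match"))


def _record(req: AccessRequest, now: datetime, decision: Decision) -> Decision:
    AUDIT_LOG.append({
        "time": now.isoformat(), "user": req.user, "role": req.role,
        "data_class": req.data_class, "purpose": req.purpose,
        "source_network": req.source_network,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def run_samples() -> list[str]:
    """Constructed requests; returns the decision reason for each."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(minutes=45)
    samples = [
        # On the corporate LAN but without MFA: location does not rescue it.
        AccessRequest("alice", "care_advisor", False, fresh, True, True,
                      "medical", "member_support", "corporate_lan"),
        # Remote, fully verified, purpose permitted: allowed.
        AccessRequest("bob", "care_advisor", True, fresh, True, True,
                      "medical", "member_support", "home_broadband"),
        # Analyst asking for raw personal data: no purpose permits it.
        AccessRequest("carol", "data_analyst", True, fresh, True, True,
                      "personal", "aggregate_reporting", "corporate_lan"),
        # Session older than the window: must re-authenticate.
        AccessRequest("dave", "data_analyst", True, stale, True, True,
                      "medical", "aggregate_reporting", "home_broadband"),
    ]
    return [evaluate(r, now).reason for r in samples]


if __name__ == "__main__":
    for entry, reason in zip(AUDIT_LOG, run_samples()):
        print(reason, entry)
```

The ordering of the checks is a design choice: identity and session freshness are tested before device posture and purpose, so a stale session is sent back to authenticate rather than being told about policy details it has not yet proven entitled to see.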
A Ministry that is guiding the way
Philip Dumortier’s revelations about the Belgian Ministry of Foreign Affairs' comprehensive overhaul captivated everyone. The Ministry has achieved a significant transformation in protecting its often highly confidential or geopolitically sensitive information, while providing an appealing working method for its global staff, including diplomats and consulate employees, to access and utilize data. “The best way to eliminate shadow IT and parallel usage of tools and devices is to offer a solution that better responds to the users' needs in their day-to-day jobs. In our context, that meant meeting their demands in terms of mobility, security, and ease of use. After a major incident, the Ministry indeed decided to undergo a complete makeover of its entire architecture. The infrastructure was rebuilt from scratch in the cloud, all users were migrated, and a strict zero-trust platform now controls access to data and application usage by the users. This, of course, requires well-defined roles and responsibilities, agreed upon with the ‘business’ users, and a governance handbook,” according to Philip. Next, Philip is looking into applications that monitor and protect themselves at runtime (runtime application self-protection, RASP). This major leap forward has not only brought the Ministry into a leading position within the public sector but has also placed it ahead of many corporate organisations.
A tour de force in three years
Equally impressive is the transformation of DPG Media, as outlined by Joachim. This major media company rapidly enhanced its security from basic levels to industry norms for leading media companies within three years.
In 2017, the group maintained a traditional IT setup with large, in-house developed applications and a limited security team. DPG Media faced significant market shifts, such as the change from linear to on-demand TV viewing, prompting a substantial digital transformation. Agile methodologies (Spotify model) and DevOps were adopted. The IT capacities expanded into a highly decentralised structure with multiple IT departments, over 80 teams, over 300 cloud accounts and a wide array of tools and applications. This environment was dynamic and encouraged entrepreneurial spirit, freedom, and agility. However, security soon emerged as a weak point. In response, the company hired a CISO who conducted an organisation-wide security assessment. A decision was made to establish a centralised security team and initiate a programme to significantly enhance security standards within three years.
Now, the security team is operational. A Security Service Edge platform ensures comprehensive security for internet, cloud services, and application access. The Secure Web Gateway secures internet access by blocking harmful web traffic, enforcing company policies, and filtering unwanted content. A zero-trust approach is applied: each access request is treated as potentially unsafe and verified, regardless of the user’s location. Furthermore, to accommodate the company's complex network of diverse entities, an additional security layer, a ‘dome’ as Joachim termed it, was implemented across the organisation.
The whole setup has provided unexpected benefits: all users now employ multi-factor authentication (MFA), and with applications behind the platform, the attack surface has been significantly reduced, outperforming traditional VPNs in overall performance. Managing security for newly integrated entities has become simpler. Each DevSecOps team has a dashboard showing security vulnerabilities and actions taken. An important aspect, as highlighted by Joachim, is also the implementation of digital experience monitoring. It tracks application and network service performance, identifying any latency or issues, thus avoiding prolonged discussions and unnecessary blame.
Today, DPG Media effectively manages its decentralised operations and diverse application landscape. With essential security measures in place, the company has taken a further step by forming a specialised team to progress towards a decentralised data infrastructure.
James Tucker, Head of Field CISO EMEA at Zscaler, summarised the session by highlighting three key learnings of the evening:
CIONET extends its gratitude to Zscaler, James and Jelle, and to the speakers Joachim, Stefan, and Philip, and finally to all participants for this fruitful and enlightening exchange of experiences and views.