Ensuring security in a fast-evolving technology world means constant work and improvement. And guess what? On every floor of our building, we work continuously on every layer of our approach to ensure secure access to Industrial Control Systems. This team effort requires a super master to meticulously coordinate it. Meet, in all simplicity, our Security Manager, Geoffrey Gobert, who lifts the veil on eWON security.
Who are you?
I am a friendly 35-year-old guy. I am married to a wonderful woman. In fact, we just got married a few days ago! No children but someday... Anyway, I am approachable and I think it is very important in such a role. It will not help anyone if people are afraid of talking to me. On the other hand, I am rigorous and conscientious, which is an absolute match with such a security position.
Tell us about your background?
I have a Master's degree in computer science along with several well-known certifications like CISSP, GPEN, ISO27032 lead cybersecurity manager, ISO27001 lead implementer… I worked around 10 years for Orange Belgium, a telecom operator. First as Web Security System Engineer, then as IT Security specialist. Then I moved to TechMahindra, an IT services company, where I worked as IT Security Officer for 2 years. Finally, I started to work for HMS as Security Manager in May 2016.
Did you wake up one day and decide "I am going to be a cyber security expert"?
Well, not really. When I started studying computer science, I realized that security was a very important and sensitive matter, and I could feel it would be even more so in the very near future. It was 15 years ago, when ISPs started to provide broadband connections to users (ADSL in Belgium). Basically, the sunrise of the Internet accessible to everyone. Companies then started to provide Internet services. A revolution!
Quickly, it also became an opportunity for cybercrime. Bad guys started to make money by hacking servers, stealing credit card numbers, passwords, private data, etc. Naturally, security became the next big thing and I must admit that I was also very interested in digging into the subject: how were hackers proceeding? How far could they go? Even if the temptation of crossing the line was there, I stayed on the right side… [laughing]
What do you like about your job?
Security is a challenging and transversal activity, there are so many things to do! I have to enforce security at every level, so I meet and collaborate with a lot of interesting people! I'm doing half management/governance, half technical activities. So, it is very diversified and I like it. Last but not least, I can hack things without being sent to jail [laughing]
What are the biggest challenges of your position?
There are many but if I had to choose 2, I would say first, users’ awareness and then rules enforcement without being a show stopper. It's all about balance... make it stronger and harder but smoothly so that users do not stay with a negative image of security preventing them from quickly doing what they want. Otherwise, they will even try to bypass security rules just to ease their job. This is also where awareness comes back into the game.
Think about what happened at the NIST, the US institute of standards & technology. In 2003, they were recommending the use of complex and strong passwords, and renewing them frequently. They strongly regretted this advice and realized it is not efficient at all. Indeed, users were just incrementing their password or even writing it down on paper, thereby weakening the security posture of companies.
The NIST has just adapted its standard. They now recommend using a long, easy-to-remember password (but hard to guess, of course), also using a password manager to securely store it, and renewing it only if you suspect compromise. It will drastically change things!
Can you describe a typical working day for you?
Security is transversal and fast-evolving, so you can imagine that every day is different. When I connect to my PC in the morning, I first check the Internet for possible emerging vulnerabilities in software we use, and I browse security news to detect any potential issue or evolving threat. Then I verify different security controls and logs to check that everything is going well. The rest of the day depends on projects and events. I can work on building security, one hour later on our firmware security, and then on an HR hiring process improvement. That's very diversified.
3 pieces of advice in the matter of Industrial Cyber Security?
Number one would be A-W-A-R-E-N-E-S-S! Around 85% of hacks start with a phishing or social engineering attack. The user is thus the first layer of protection AND the weakest link. So, make sure your employees know about the most common tricks. If you don't have a Security Officer to train them, I strongly recommend hiring a consultant to help you organize such activities. It's worth it!
My second piece of advice is to use hard-to-guess but easy-to-remember passwords, and to use the 2-factor authentication mechanism if possible. Passwords are often the first and only rampart against hackers. It's 70% of their job in fact! That's why operators and administrators should choose their passwords very carefully. Never use at work the same one you use for your private accounts or personal email. It is not rare to see those websites being hacked, and so your passwords are disclosed on the internet underground, to people who will use them to get access to your factory. A 2-factor authentication system really makes the life of hackers very hard. People should always use it when available. Also, keep and check the logs of a system on a regular basis to detect any intrusion!
There were supposed to be three, right? Because I could give hundreds but why not summarize it like this: prepare yourself for the worst! Humankind naturally avoids thinking about the worst; we keep that at a distance. Well, try and get prepared. You could save lives, time and money! Start with: what would you do in case of an attack? What if my production chain stops? What is the most important asset for me? These kinds of questions can be addressed in a business continuity plan including response and recovery procedures that will help you to quickly react without panicking.
What makes eWON products and solutions secure? What makes eWON approach special?
Well, if people want to know about our security approach in detail, I invite them to check our security section on our website. One thing I would like to emphasize here is that eWON develops and manufactures its products within its building. I mean, we know them by heart. We can thus quickly react no matter what the problem is. Also, when I arrived in the company, I was very surprised how trained and aware the teams were, how security was already deeply integrated. It's nice to take a position and immediately start discussing the higher levels.
Well, Geoffrey, thank you very much for your time. We'll let you go back to work. What's your program today?
You are welcome! Just after this, I have an introduction to security presentation for newly hired employees.