CASE STUDY
www.intelligentciso.com | Issue 12
Cybersecurity is better understood in
such sectors and therefore easier to
sell internally. We are in an industrial
mindset and the construction industry
isn’t a sector to sell security offerings
internally within the organisation. We
face the same challenges as more
exposed companies, so our priorities are
the same. We need to work and focus
on the same areas, so this is one of the
challenges that we find specifically in the
construction material sector.
Another challenge is focused on the
industrial side and whether there are
companies that don’t have industrial
IT security, also known as Operational
Technology (OT). This is a challenge
for us because cement plants have a
completely different environment than
a retail business or a health insurance
business or a bank.
What were the main security
concerns during the merger?
Before the merger was executed in July
2015, we were not authorised to talk
freely between companies; there were
strict rules around communication.
We – Lafarge and Holcim – were both
competitors in a sector that is strictly
controlled. However, we were trying to
understand each other’s strengths to
plan for the future, but with very little
information. The merge was announced
in 2014 and executed in July 2015, thus
both companies were in this situation
for several months. Another challenge
we found was the types of tools and the
organisation of tools and policies. The IT
aspect of the merge was also a challenge
as merging two companies takes years.
What were the key areas of your
network that you needed to
secure post-merge and why?
Our main focus is on people, processes
and technology so our priority was
our end-users and ensuring all of our
employees (80,000 globally) were trained
in cybersecurity awareness. In terms
of tools, we needed to understand the
kind of setup that each company had,
so that’s one area we needed to tackle.
Additionally, productivity management
and, last, the processes. Two different
companies have two different processes
in place and we needed to align them.
So, we were looking at the whole IT
security portfolio and understanding
what needed to be in place in terms of
the people, processes and technology
from an IT security standpoint of both
companies and decided what was the
best approach moving forward. It was not
a cherry-picking exercise, it was a full
alignment to make sure we were setting
up the right grounds for the new company
being built.
What key qualities were you in
search of in a vendor?
We look for vendors that are capable
of demonstrating the following capacity
with real use cases – so the ones that
are able to execute, perform and have
good capabilities. It is therefore key that
the integration capabilities of a vendor
comply with other enterprise tools.
Also important is the time it takes to
implement – this is an important aspect
whenever we look into a provider. It is
very difficult to sell business cases in
two/three-year transformation projects
as it is too long-winded, so it is very
important to be fast and agile. We
also consider cost to ensure we really
optimise our investments and make
certain there is a good level of ROI.
Can you give our readers
an insight into the types of
security issues keeping CISOs
up at night?
I believe that incidents like WannaCry are
the main reason CISOs would dread being
woken up during the night. Nowadays,
if a company experiences an IT service
disruption, the minute you are offline you
are losing business, so we need to be
very prepared. People can plan ahead
but nobody can predict all of the different
circumstances that might take place.
How has LafargeHolcim
benefited from using
Tenable’s products?
We have great visibility, accurate results
and we have a tool which is integrated
within our internal processes. So, there
was a very slight change of management
style required from our site since we
implemented Tenable’s solution.
How have these benefits
enabled progression and
improved security?
We are now able to prioritise our
resources more efficiently and
share our experience across
organisations because being such
a wide organisation in more than 80
countries, other organisations are able
to see what is working well and what
isn’t. Bringing those people together
in a discussion means that we can
understand our successes and
others can catch up and allow for
improved performance.