As cybercriminals continue to use more advanced methods to keep up with the pace of technology transformation, enterprises and organisations are constantly seeking to enhance their cybersecurity posture to protect their assets. Building materials company, LafargeHolcim, utilised a Tenable solution to obtain full vulnerability analysis of its networks in order to reduce its risk exposure.
In 2018, LafargeHolcim, a global building construction materials company, deployed a Tenable SecurityCentre solution, now recognised as Tenable.sc, as part of an advanced global vulnerability management infrastructure reaching 80 countries and close to 18,000 assets.
The project has been designed and implemented by MDTEL, a Tenable Gold Partner in Spain. With this deployment, LafargeHolcim has achieved a harmonised, automated global vulnerability management service that has allowed the company to significantly reduce its risk exposure and assure global and regional policy compliance.
LafargeHolcim today is the result of a merger between Lafarge and Holcim in 2015, with the new global company aiming to deliver compelling benefits for all stakeholders.
The new group increased its offer to customers through innovation delivered on an expanded scale, best-in-class R&D and a combined portfolio of solutions and products, contributing to addressing the challenges of urbanisation: affordable housing, urban sprawl and transport.
LafargeHolcim now has an enhanced presence in the global building materials sector and is a global leader across cement, concrete and aggregates with new opportunities to optimise production and commercial networks.
Intelligent CIO Europe spoke to Jose Maria Labernia, Head of IT Security and Internal Control, European IT Services at LafargeHolcim, who discussed why the company was in search of a new security solution and why it selected Tenable:
In my role as Security Head at LafargeHolcim, I take care of implementing the correct security measures to ensure our customers in the countries where we operate, do so securely. Security is our license to operate so we cannot run our business without it. At some point, it’s about risk management – putting the right people around the table and understanding the risks, considering how much we must invest to protect those risks and understanding the business case. We do a lot of risk management to integrate other security aspects into our daily business activities.
What does the solution do on a daily basis and how does this assist with company operations?
Our solution starts by analysing LafargeHolcim networks to discover new systems that are automatically catalogued and afterwards, targeted for a full vulnerability analysis which reports back any security issues present in those systems. Subsequently, an integration with our ticketing tool is launched and a dedicated technician is assigned to solve it.
Once the flaws are fixed and closed in our ticketing tool, the vulnerability scans confirm whether the patches have been correctly applied in all the affected systems to close the loop.
What security measures do you have in place more generally?
It could be, for example; implementing global vulnerability management solutions, it could be jumping to a new technology or setting up firewalls in our web applications – we do this based on risk management – or it could be whenever we have new business demands.
What do you consider are the unique challenges for the construction industry?
The challenges we face differ to those of other industries that may be more dependent on IT such as the banking, insurance and healthcare sectors. Cybersecurity is better understood in such sectors and therefore easier to sell internally. We are in an industrial mindset and the construction industry isn’t a sector to sell security offerings internally within the organisation. We face the same challenges as more exposed companies, so our priorities are the same. We need to work and focus on the same areas, so this is one of the challenges that we find specifically in the construction material sector.
Another challenge is focused on the industrial side and whether there are companies that don’t have industrial IT security, also known as Operational Technology (OT). This is a challenge for us because cement plans have a completely different environment than a retail business or a health insurance business or a bank.
What were the main security concerns during the merger?
Before the merger was executed in July 2015, we were not authorised to talk freely between companies – there were strict rules around communication. We – Lafarge and Holcim – were both competitors in a sector that is strictly controlled. However, we were trying to understand each other’s strengths to plan for the future, but with very little information. The merge was announced in 2014 and executed in July 2015, thus both companies were in this situation for several months.
Another challenge we found was the types of tools and the organisation of tools and policies. The IT aspect of the merge was also a challenge as merging two companies takes years.
What were the key areas of your network that you needed to secure post-merge and why?
Our main focus is on people, processes and technology so our priority was our end-users and ensuring all of our employees (80,000 globally) were trained in cybersecurity awareness.
In terms of tools, we needed to understand the kind of setup that each company had, so that’s one area we needed to tackle. Additionally; productivity management and last; the processes. Two different companies have two different processes in place and we needed to align them. So, we were looking at the whole IT security portfolio and understanding what needed to be in place in terms of the people, processes and technology from an IT security standpoint of both companies and decided what was the best approach moving forward. It was not a cherry-picking exercise, it was a full alignment to make sure we were setting up the right grounds for the new company being built.
What key qualities were you in search of in a vendor?
We look for vendors that are capable of demonstrating the following capacity with real use cases – so the ones that are able to execute, perform and have good capabilities. It is therefore key that the integration capabilities of a vendor comply with other enterprise tools. Also important is the time it takes to implement – this is an important aspect whenever we look into a provider. It is very difficult to sell business cases in two/three-year transformation projects as it is too long-winded, so it is very important to be fast and agile. We also consider cost to ensure we really optimise our investments and make certain there is a good level of ROI.
Can you give our readers an insight into the types of security issues keeping CISOs up at night?
I believe that incidents like WannaCry are the main reason CISOs would dread being woken up during the night. Nowadays, if a company experiences an IT service disruption, the minute you are offline you are losing business, so we need to be very prepared. People can plan ahead but nobody can predict all of the different circumstances that might take place.
How has LafargeHolcim benefited from using Tenable’s products?
We have great visibility, accurate results and we have made a tool to work which is integrated within our internal processes. So, there was a very slight change of management style required from our site since we implemented Tenable’s solution.
How have these benefits enabled progression and improved security?
We are now able to prioritise our resources more efficiently and share our experience across organisations because being such a wide organisation in more than 80 countries, other organisations are able to see what is working well and what isn’t. Bringing those people together in a discussion means that we can understand our successes and others can catch up and allow for improved performance.