Gabor Varjas, CISO, Group Information Security, MOL GROUP, a leading integrated oil and gas corporation, talks about the cybersecurity challenges of Digital Transformation and how the company is leveraging RSA Security solutions to help keep cyberthreats at bay.
MOL Group is a leading integrated Central and East European oil and gas corporation headquartered in Budapest, Hungary.
It has operations in more than 30 countries and employs 26,000 people worldwide.
MOL’s exploration and production activities are supported by 80 years’ experience in the hydrocarbon field.
We spoke to the company’s CISO, Gabor Varjas, to find out more about some of the some of the key industry talking points and how the business worked with RSA Security to reduce its risk exposure.
What are the unique cyberthreats your business faces?
I would say is that, in general, we are not facing anything too different from the usual IT threats but what I would distinguish is that we do have some certain unique risks coming in the form of industrial risk.
But overall, fortunately, we don’t really have any kind of strange issues which are just for the oil and gas sector.
What kind of new threats/challenges has Digital Transformation posed to your business?
The organisation is going through a digitalisation effort. We have a roadmap that makes sure all the elements of the business are operating within specific cybersecurity frameworks. And when any of the various parts of the business are looking to install new technologies, they have to be covered by the cybersecurity standards.
How are you approaching the security of Operational Technology (OT)?
The core business – and traditional business – is OT. The technicians and business managers have been running this area for a while, so having them think about cybersecurity is a challenge.
We are conducting cybersecurity awareness meetings, presentations and also ensuring employees undergo regular cybersecurity training to understand and manage cyber-risks.
There are also technical standards we need to comply with. We lead and conduct cybersecurity multi-year programmes. To manage it efficiently the respective stakeholders and departments are involved, making sure the full supply chain is covered from the project initiation until the project goes live, during the maintenance phase etc.
This is what I feel we should be proud about. We have created a process for cybersecurity in a way that works together with all the business areas and ensures all cybersecurity business requirements are kept.
How important is training and education?
Each and every year we are conducting cybersecurity awareness programmes. We have a full week of cybersecurity awareness for everybody in the organisation and my team are conducting training to make sure the message goes through.
We also have a calendar for cybersecurity awareness especially focusing on a certain area and offer advice on that.
Every new employee has an induction day and cybersecurity is included in that. So, if somebody joining the team, he or she will not just get the standard package but cybersecurity is built in very early on.
It is important to keep our colleagues’ engagement high, this year we are going to organise a new cybersecurity event as a new element within our awareness portfolio.
Where do you source new employees?
It depends on the role but usually we start with the university. In Budapest we have a very good collaboration with multiple universities and they are growing talented people who come over for internships and then don’t want to leave, which is a good sign.
At the same time, we are also attracting people from further afield, from close countries like Slovakia and Croatia, and from the wider region like Portugal, Spain, Italy and other places. We even have employees from Mexico.
I am very keen to ensure we have a diverse workforce (male/female). I think that the more diverse the workforce, the more value offered to the company.
What kind of data does the company need to secure?
We are an oil and gas company so we are working on downstream, upstream as well as consumer related data.
What about the role of a CISO? How has that changed?
Even during my period [as CISO], I can feel changes. While my previous bosses were technology focused, what I feel is that I now need to be more business agile, more understanding of the business and how it works and how can I find the right solution for the business people that is important to in the group.
At the same time, I need to be a good people manager, making sure my team is growing, getting the training and appropriate engagements needed.
How do you approach talking to the board – proving ROI is a challenge, how do you deal with that?
At board level, you should find the best time to give the message. Sometimes for cybersecurity there’s limited resources and time for giving presentations.
One of the key challenges is that I need to have a crisp message in a very short format. If it goes well, then it will open up longer discussions.
It means that there is a real importance on grabbing their attention while you have the chance to push forward a wider discussion.
For ROI, one of the good examples is cyberawareness. How can you make sure that awareness is something which makes a long-term difference and make an impact?
If you have an investment for checking certain cybersecurity measurements you should prove that it is getting better and I think that, for all CISOs, is a big challenge.
Communication is very important for CISOs but what other advice would you give to people who would like to be in your position?
I think the most important advice is that the CISO role is there to support the business and so you really do need to understand the business requirements.
Secondly, try not to threaten people. Try not to show that it is going to be the end of the world. You should find the business need and then deep dive into the cyber issue.
What in your view are the big threats right now?
Cybersecurity intrusions like ransomware activities. Then, a huge challenge not just for us but for everyone, are the phishing related threats. Also, making sure all PII and consumer and business data is protected.
Can you talk about any recent technology deployments or how you’ve worked with RSA Security for example?
RSA is one of the main vendors within our organisation, supporting cybersecurity detection response capabilities. We leveraged RSA’s technical, as well as procedural expertise, concerning IT and OT cybersecurity. Together we developed multiple MOL specific, tailored frameworks which enables us to bring our MOL environment to the next level, making sure that we protect and cover the important risk areas.
How important is collaboration in cybersecurity?
I think everybody has the urge to collaborate with each other. We are in a good place and have certain connections and we should support each other. Even if people might think somebody is losing some competitive advantage because of sharing information, if you do it in a proper collaborative way you will only see the benefit.