Information security is vital for operating in a secure environment, and as one of the largest energy companies in the world, Energias de Portugal (EDP) recognises this. It used a BitSight solution to improve its security performance and build confidence among its stakeholders. Paulo Moniz, CISO, EDP, explains how the solution has future-proofed operations.
EDP is a global company operating in 16 countries across four continents, specialising in energy generation and in the transport and distribution of electricity and gas. EDP has 12,000 employees across Europe, the United States, Canada, South America and Asia, and serves 11 million clients.
EDP treats information security as a vital part of its strategic objectives and one of its key business requirements, with a core commitment at top management level. Accordingly, EDP's information security policy is approved at Board of Directors level. The policy establishes information security as a competitive differentiator that generates confidence among EDP's stakeholders. EDP also recognises the heavy societal responsibility it carries as an operator of critical national infrastructure and as a manager of large volumes of personal data belonging to clients and employees.
As part of the EDP group's strategic information security vision, it established a three-year security master plan (2018 – 2021), built on its end-to-end security principle and organised around four objectives:
- Focus on people: Recognising people as the central element of security, not only as the organisation's first line of defence but also as the capability needed to architect and implement the security solutions that protect the organisation's systems, and to respond to and recover from critical incidents
- Compliance: Following the external laws and regulations imposed on the relevant sectors, and thereby generating trust
- Intelligence: Making security less intrusive and more efficient, and enabling the business, especially in its Digital Transformation
- Resilience: Cyberattacks are ever more common, so the organisation must handle the resulting security incidents in a way that keeps the business delivering despite adverse cyber events
Utilising BitSight Security Ratings
EDP was introduced to BitSight through its threat intelligence provider. The BitSight Security Ratings platform gave EDP the outside-in view of its networks that it required. Issuing daily ratings that are akin to a credit score for security, BitSight Security Performance Management helped EDP take a risk-based, outcome-driven approach to managing its security performance, combining broad measurement tools, continuous monitoring and forecasting. EDP counts sustainability among its biggest corporate objectives, and cyber-resilience that protects customers and employees is a large part of that. The Security Performance Management tool enabled EDP to pursue that objective and reduce its cyber-risk.
EDP's adoption of a metric based on the BitSight Security Rating helped define the group's KPI for overall security performance. The underlying measurements cover aspects such as the security of EDP's own websites, connections to its networks from risky locations, and communications originating from machines infected by criminal networks. The EDP group met its rating targets for both 2018 and 2019.
Fast and efficient information security
EDP's dedicated global cybersecurity incident response team (CSIRT) operates 24 hours a day and participates in national and international cybersecurity exercises. The company tests its reaction to disruptive events, which also drives awareness and training among employees. Here EDP found value in its Security Performance Management tools not only as a way of reporting on its own security posture, but also as a way of communicating credibly with stakeholders and the market. This in turn supported the organisation's sustainability objectives.
The CSIRT uses BitSight Security Performance Management to receive real-time infection alerts so that it can remediate quickly within its own network. It also works closely with the BitSight team to ensure that all relevant information, such as the details of each risk vector, is shared and that behaviour is monitored continuously.
BitSight applies the same consistent and transparent rating method to every company, an important feature that allows EDP to compare its performance with industry peers and to identify wider security issues. The platform provides intelligence on compromised systems, security diligence and user behaviour risks that affect EDP and its industry peers. This lets EDP see which infections are targeting peer companies, giving insight into industry-specific threats, as well as understand the security diligence standards across its industry.
Another benefit for EDP is being able to communicate key indicators to the board and to demonstrate improvement over time as a result of the remediation activities guided by its security rating.
EDP's Sustainability Report presents the main trends in each of its sectors, the strategy adopted and the results achieved against its sustainability goals. The report is a key channel through which the board shares its vision and values in innovation, sustainability and humanisation. The adoption of the BitSight Security Rating as the group's KPI underlines both its external value to third-party stakeholders and its importance to the company's internal mission.
Plans for the future
While the organisation's current focus is on Security Performance Management, the next step will be an evolution towards third-party risk management, specifically vendor risk. This would extend EDP's current use of BitSight to apply ratings to specific vendors alongside its own monitoring solutions, helping to avoid 'blind spots' across its vendors and providing much-needed visibility of security performance across the entire vendor lifecycle. Sharing BitSight Security Ratings data with its vendors and with BitSight, in order to reduce cyber-risk quickly and collectively, will also let EDP hold intelligent, data-driven conversations about its security risks with key stakeholders including vendors, board members and investors.
Intelligent CIO caught up with Paulo Moniz, Chief Information Security Officer, EDP, to find out more about the solution.
As an operator of critical national infrastructure, how important is having a reliable security solution?
EDP has established information security as a competitive factor, not only because we recognise that it generates confidence from stakeholders, but also because we have a critical responsibility in the social context. As a result, we have identified two major crown jewels: one resulting from managing large volumes of personal data of clients and employees; and the other because we operate critical infrastructures.
In order to implement our strategic vision for information security, we established end-to-end security as a guiding principle, which implies a holistic approach permeating the organisation. This avoids the need for a siloed approach, incorporating security from the development of services and applications, to activities carried out by service providers, within a logic of Security by Design.
A reliable security solution such as the BitSight rating has the strong merit of uniting the entire organisation around a common objective, which is recognised by external entities. This is also a strong internal tool to mitigate cybersecurity risk, helping to break the silos that have a negative impact on the organisation.
How does the solution improve operability for the end-user?
The solution has a direct impact for cybersecurity teams – it provides us with objective security metrics that enable our security and operational teams to focus on clearly defined objectives. In turn, this enables us to decrease the global cybersecurity risk of the organisation.
Being a common goal communicated to everyone in the company, BitSight's Security Ratings also establish guidelines for those who aren't within security teams on what they are permitted to do with company IT resources, decreasing resistance and improving the overall security of IT resource usage.
How scalable is the solution?
Taking advantage of the flexibility of BitSight’s platform enables us to create our own customised asset groups and sub companies. This enables the company to grow its security operations horizontally, while bearing in mind the different operational contexts, especially with regard to the clear boundaries between IT and OT environments.
There are two major examples where we can scale the solution easily with enormous value. The first is when EDP is evaluating risk from a mergers and acquisitions perspective. The second is when we want to create a vendor risk management programme, since the supply chain is a critical aspect of EDP's overall cybersecurity posture. In both cases, the solution can be easily scaled to incorporate other companies in the digital footprint risk evaluation.
How far has it future-proofed operations?
Cybersecurity is a constantly changing area with new threats emerging almost every day. No one with cybersecurity responsibilities can say with a completely clear conscience that their company's operations, or the tools that support them, are completely future-proofed.
However, we can say that by always keeping up to date with information security best practices and continuously improving detection and response mechanisms, BitSight has allowed EDP to keep tabs on newly discovered vulnerabilities. This ensures that our security controls are keeping pace with ever-evolving threats.
Aligning with the proposed recommendations by BitSight enables our security team to preview pain points and shifts when dealing with large-scale IT risk, maintaining a bird’s-eye view without being lost in technical details that could potentially lead to us being blindsided by technological improvements. Nonetheless, it’s important to track these when designing and implementing long-term IT solutions for the company.