Interview with Smart-Cities Luxembourg, translation by itrust consulting.
If digital transformation is a synonym of great opportunities, it also presents important security risks for all companies. Industries, banks, institutions or administrations, whatever their size, must protect themselves from potential cyber attacks. To discuss this topic, we met Carlo Harpes, founder and managing director of itrust consulting, a cybersecurity expert in Luxembourg since 2007.
Can you present us the company, its activity, its customers?
itrust consulting is a Luxembourg company founded 15 years ago, whose activities cover all aspects of what is known as information security, cybersecurity included. In other words, we help our customers to ensure the confidentiality, integrity and availability of their data, and thus the sustainability of their activities. We have methodologies and tools for risk analysis, document templates, requirements and standard processes that are easy to integrate into a corporate culture. Our solutions enable, among other things, the implementation of a certifiable security management system, the improvement of the security organization and the identification of technical vulnerabilities.
Our business area has gradually shifted from the banking sector to industrial companies and essential service providers, particularly in the energy sector. The public sector, in particular Luxembourg and European administrations, is also one of our most important clients. Since the General Data Protection Regulation (GDPR), we also assist many small companies, often as DPO, in setting up an effective information security governance.
What makes itrust consulting different from its competitors?
We are probably the most active private company in the field of applied research. We are involved in research projects on a European scale. While the demands and deadlines of our customers are a driving force for development, our employees carry out independent R&D work that allows them to deepen and refresh their knowledge. This is essential in a sector like ours that is constantly changing.
Where do we stand in terms of cybersecurity at the Luxembourg level?
Officially, it is a major topic of interest, but its complexity means that it is too often overlooked when decisions are made. As cybersecurity providers and tools are very present in Luxembourg, decision makers often achieve a higher level of security than in other countries. But, on the other hand, we sometimes see gaps and misunderstanding in governance and organization, in risk analysis or in security audits.
What advice do you have for decision makers and entrepreneurs?
Dare to delegate your decisions to experts in the field and arbitrate in case of conflict of interest between different professions within the company. If this happens, take care to listen carefully to the arguments on both sides before you decide. In this way, you will avoid vulnerabilities that are ignored at the time becoming the target of attacks later on.
Be aware of the dependencies that attacks may cause in the supply chain. For example, when the war in Ukraine broke out, cyber attacks targeted a module of the satellite that provided communication between wind turbines in Europe and their owners. Thus, a single attack had an effect on all European wind power production, as operators often decided to shut down their infrastructure due to lack of visibility.
itrust consulting recently celebrated its fifteenth anniversary at an event, how do you look back on the road travelled?
It's a look full of joy and pride, of course. The 'startup of the year' that we were in 2008 has grown up a lot. In recent years, we have written security governance for more than 20 clients, many of whom have achieved 27001 certification. We have applied our risk analysis tools and methodologies to five major players in the energy sector among others. Despite many economic and human challenges and increasing technical complexity, we remain in a continuous acceleration movement.
The evening was also an opportunity to thank our staff, customers and partners. We took the opportunity to announce some future prospects, notably the creation of a new company, 'itrust Abstractions Lab', dedicated to cryptography, quantum computers, secure development methods, and software verification and certification.
Among the perspectives mentioned during the event, can we come back to CyFORT?
IPCIE-CIS is a European initiative to encourage companies to invest in cloud technologies. Luxembourg has chosen to focus on Cloud cybersecurity and has encouraged the Luxembourg market to propose its ideas, in a spirit of openness and sharing with the whole sector.
In this context, itrust consulting has developed the Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience (CyFORT) project. In this national project supported by the Ministry of Economy, we will create six tools: one related to intrusion detection and prevention, another dedicated to semantically enriched threats, one for the creation of secure and certifiable software, an application for "smart contracts", a doctoral research programme against quantum attacks and, finally, a set of tools providing governance functionalities for Cloud security.
So the next fifteen years are going to be busy for itrust consulting!
Yes, there will be no shortage of projects! We really want to make security governance more efficient and encourage exchanges between the players in the market. This is the key to success in the face of an extremely well-organized cybercrime environment. In this respect, preference should be given to local players, who operate in an open manner and create local expertise, rather than investing in products from global leaders. The initial financial gain of these products is too often translated into additional dependencies, price increases, and loss of in-house knowledge. Our open source products will provide an incentive to move in a direction of increased internal competence and control.