to manage information (potentially including PII) according to contracts (consulting, audit, training, research…);
to learn from past experience in our projects for upcoming projects (knowledge management), or to train new staff;
to carry out contracts including invoicing and justification of work performed (e.g. with timesheets and progress reports);
to manage IT activities with the aim of information security (including service availability), and to detect and handle threats, vulnerabilities, risks, and incidents;
to manage employment contracts, to ensure workplace safety, and to manage application information;
to demonstrate consistency of our accounting system to tax authorities and interested parties;
to perform forensic analysis and propose effective reactions to security events, to detect frauds and vulnerabilities, to understand malware and malware producers, and to share this knowledge with other security experts fighting against cybercrime;
to trace the validity of our reports and advice in order to justify our professionalism.
To apply your rights for access, correction, reporting misuse, or withdrawing consent, please send an email to email@example.com.
We use the following third party services:
Google Maps is used on the contact page of our website.
Google reCAPTCHA is used to protect our forms.
This website uses the following additional cookies from matomo.itrust.lu:
Interview with Smart-Cities Luxembourg, translation by itrust consulting.
If digital transformation is synonymous with great opportunities, it also presents significant security risks for all companies. Industries, banks, institutions and administrations, whatever their size, must protect themselves from potential cyber attacks. To discuss this topic, we met Carlo Harpes, founder and managing director of itrust consulting, a cybersecurity expert in Luxembourg since 2007.
Can you present us the company, its activity, its customers?
itrust consulting is a Luxembourg company founded 15 years ago, whose activities cover all aspects of what is known as information security, cybersecurity included. In other words, we help our customers to ensure the confidentiality, integrity and availability of their data, and thus the sustainability of their activities. We have methodologies and tools for risk analysis, document templates, requirements and standard processes that are easy to integrate into a corporate culture. Our solutions enable, among other things, the implementation of a certifiable security management system, the improvement of the security organization and the identification of technical vulnerabilities.
Our business area has gradually shifted from the banking sector to industrial companies and essential service providers, particularly in the energy sector. The public sector, in particular Luxembourg and European administrations, is also one of our most important clients. Since the General Data Protection Regulation (GDPR) came into force, we also assist many small companies, often as DPO, in setting up effective information security governance.
What makes itrust consulting different from its competitors?
We are probably the most active private company in the field of applied research. We are involved in research projects on a European scale. While the demands and deadlines of our customers are a driving force for development, our employees carry out independent R&D work that allows them to deepen and refresh their knowledge. This is essential in a sector like ours that is constantly changing.
Where do we stand in terms of cybersecurity at the Luxembourg level?
Officially, it is a major topic of interest, but its complexity means that it is too often overlooked when decisions are made. As cybersecurity providers and tools are very present in Luxembourg, decision makers often achieve a higher level of security than in other countries. But, on the other hand, we sometimes see gaps and misunderstandings in governance and organisation, in risk analysis or in security audits.
What advice do you have for decision makers and entrepreneurs?
Dare to delegate your decisions to experts in the field and arbitrate in case of conflict of interest between different professions within the company. If this happens, take care to listen carefully to the arguments on both sides before you decide. In this way, you will avoid vulnerabilities that are ignored at the time becoming the target of attacks later on.
Be aware of the dependencies that attacks may cause in the supply chain. For example, when the war in Ukraine broke out, cyber attacks targeted a module of the satellite that provided communication between wind turbines in Europe and their owners. Thus, a single attack had an effect on all European wind power production, as operators often decided to shut down their infrastructure due to lack of visibility.
itrust consulting recently celebrated its fifteenth anniversary at an event, how do you look back on the road travelled?
It's a look full of joy and pride, of course. The 'startup of the year' that we were in 2008 has grown up a lot. In recent years, we have written security governance for more than 20 clients, many of whom have achieved 27001 certification. We have applied our risk analysis tools and methodologies to five major players in the energy sector, among others. Despite many economic and human challenges and increasing technical complexity, we continue to accelerate.
The evening was also an opportunity to thank our staff, customers and partners. We took the opportunity to announce some future prospects, notably the creation of a new company, 'itrust Abstractions Lab', dedicated to cryptography, quantum computers, secure development methods, and software verification and certification.
Among the perspectives mentioned during the event, can we come back to CyFORT?
IPCEI-CIS is a European initiative to encourage companies to invest in cloud technologies. Luxembourg has chosen to focus on Cloud cybersecurity and has encouraged the Luxembourg market to propose its ideas, in a spirit of openness and sharing with the whole sector.
In this context, itrust consulting has developed the Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience (CyFORT) project. In this national project supported by the Ministry of Economy, we will create six tools: one related to intrusion detection and prevention, another dedicated to semantically enriched threats, one for the creation of secure and certifiable software, an application for "smart contracts", a doctoral research programme against quantum attacks and, finally, a set of tools providing governance functionalities for Cloud security.
So the next fifteen years are going to be busy for itrust consulting!
Yes, there will be no shortage of projects! We really want to make security governance more efficient and encourage exchanges between the players in the market. This is the key to success in the face of an extremely well-organized cybercrime environment. In this respect, preference should be given to local players, who operate in an open manner and create local expertise, rather than investing in products from global leaders. The initial financial gain of these products is too often translated into additional dependencies, price increases, and loss of in-house knowledge. Our open source products will provide an incentive to move in a direction of increased internal competence and control.
On 27 October 2022 itrust consulting celebrated its 15th anniversary, in the beautiful Lalux auditorium in Leudelange.
The first part of the event was dedicated to a technical workshop, where the current research projects Eagle-1 and CyFORT were presented.
The second part was an academic symposium with five expert speakers, including Mr Gauthier Crommelink from the Ministère de l’Économie on the support of his Ministry for research and innovation in cybersecurity, Prof. Dr Peter Y.A. Ryan, full Professor at the University of Luxembourg, on the need for verification in securing elections, and Mr Alan Kuresevic, CEO of SES Techcom, on how they bring Quantum Key Distribution to space.
In his anniversary speech, Dr Carlo Harpes, Managing Director and founder of itrust consulting, showed extracts of policies and procedures that itrust consulting has written in recent years for more than 20 customers, many of which have achieved 27001 certification thanks to documents and risk assessments by itrust consulting. He particularly thanked his R&D team for tailoring the risk assessment tool TRICK Service to the specific requirements of the ILR. At the end of his presentation, Dr Harpes announced the creation of a spin-off company to consolidate the research and development activities and enable a more autonomous and focused approach.
Finally, Dr Arash Atashpendar, the head of Research and Development at itrust consulting provided a presentation of the spin-off company, called “itrust Abstractions Lab”.
The academic symposium was enhanced by the young musical talents of the ‘JazzFellas’ and by the presentation of a painting by Martine Zehren for this anniversary. It was followed by a walking dinner fostering useful conversations.
We would like to thank all participants for contributing to the great atmosphere and for allowing us to share this moment with you!
As one of a selected group of experts from industry and academia, Dr Carlo Harpes, Managing Director and founder of itrust consulting, spoke on new trends in information security, cybersecurity and supply chain attacks at a conference on ‘digital logistics’ organised by the ‘Luxembourg Centre for Logistics and Supply Chain Management’ (LCL) together with the ‘Cluster for Logistics Luxembourg’ (C4L) at the Luxembourg Chamber of Commerce, celebrating LCL’s 5-year anniversary.
Inspired by the reporter.lu 2021 review, I have adapted a quote by the investigative journalist Hans Leyendecker to my role as Chief Information Security Officer (CISO) in my New Year’s greeting: ‘A good CISO is an unsatisfied CISO. No one who is completely satisfied is capable of implementing security’.
This sentence has comforted many internal and external CISOs I have worked with in 2021: Guillaume, Ingo, Laura, Marc, Matthieu, Patrick, Yannick…
We often feel like a troublemaker when we point out procedures that are not followed, common security practices that are considered too complicated, good reflexes that have been abandoned due to lack of time. We confess our uncertainty about risk analysis or our pessimism if we survive without our advice being followed…
But we have all learned that to succeed, we need a positive spirit, openness to new technologies, autonomy, creativity, and above all an ear for market changes. This is generally what CISOs do: they follow the latest recognised standards, try to convince, coach, implement artificial intelligence in network supervision…
But their role is also to find vulnerabilities, to set social engineering traps, to insist on good documentation to avoid future errors and loss of know-how, to require traceability of decisions and acceptance of risks (without embellishment), thus ensuring sustainable decisions instead of justifying preconceived ones. The CISO is thus the right ally for a CEO who is looking for the best decisions in the face of new challenges.
It is by disagreeing with the observed level of security that the CISO stimulates the search for something better. And his persistence avoids risks: services started without an adequate agreement on responsibility, migration to the cloud that is too fast and creates dependency for a short-term advantage, open doors to cybercrime, resignation in the face of internal negligence. This avoids downtime and costly replacements or fixes.
Fortunately, it is not only CISOs who are holding back. A courageous CEO recently confessed to me that he often finds himself in the position of putting the brakes on projects in which the customer’s view, financial feasibility, security, legal compliance, etc. have been neglected. Enthusiasm does not guarantee success.
For sustainable projects, managers cannot escape from working with CISOs and taking care of security and data protection themselves. And there are often CISOs who come up with interdisciplinary and creative solutions, sometimes simpler than expected and standing in contrast to the flagship products that do everything but work efficiently without qualified personnel.
Let’s not forget that many great ideas and successes have been created by bold people like Steve Jobs or meticulous people like Bill Gates… Without sweat and rivalry, customers won’t get the secure services they deserve.
Interview with Lëtzebuerger Gemengen, translation by itrust consulting.
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force in the EU. Three and a half years later, many organisations are slow to comply, considering it too complex. For Carlo Harpes, the situation is worrying. The Managing Director of itrust consulting recommends a PIMS, a Privacy Information Management System, to help companies comply with the GDPR requirements. Explanations.
What is a PIMS?
A ‘privacy information management system’, abbreviated ‘PIMS’ even in French, is an ‘information security management system that manages the protection of privacy as potentially affected by the processing of personal data’. Personally, this is what I would have called a ‘management system to protect personally identifiable information’ and I would present it as a way to comply with the GDPR. To implement this, there are 1,001 solutions, usually valid for small organisations where data protection is not the primary concern. But for the past 26 months there has been one PIMS which has been described so precisely that organisations can be certified on this basis: the one documented in ISO/IEC 27701.
Who needs it?
3.5 years was not enough time for most organisations to comply with the GDPR. How many have not appointed a DPO (although this is a legal requirement for any public entity)? How many do not have a register of processing that complies with the requirements? How many cannot prove to the CNPD their compliance with the principles of the GDPR, including the one requiring ‘appropriate technical and organisational measures’? Faced with the difficulty of knowing what is appropriate and how to demonstrate it, leaders (policy makers, mayors, heads of administration, CEOs and managing directors) often give up and hide behind the non-compliance of their neighbours. From my observations, this situation is worrying, and only the CNPD, which has the obligation to sanction, should be aware of this state. All the organisations involved here would have benefited from this PIMS.
Who defined this PIMS?
The Luxembourgish authority ILNAS, which I represented at ISO in multiple expert meetings dedicated to this standard since 2014, was arguing with its European partners for a fast and fully GDPR compatible standard. To support compliance with these requirements, we have made numerous suggestions for improvements to the overly complicated numbering and certain overly cumbersome wording. In France, the CNIL has welcomed its participation and encourages the adoption of this standard while leaving organisations the possibility to opt for other systems to create evidence of accountability.
Who supports PIMS in Luxembourg?
In Luxembourg, unfortunately, the CNPD has not communicated on this standard, which I perceive as a strategic mistake, probably due to the absence of CNPD representatives at ISO or a lack of knowledge of management systems in general. This misjudgement also led it to create a national certification framework in 2018, which aimed at a Luxembourg certification that was very expensive to obtain and, I dare say, economically unjustifiable in the absence of international recognition. Given the multiple inaccuracies in the criteria for this certification and the establishment of dedicated certification processes (instead of using the recognised ISO 17065 process that has been practised for decades), the initiative remained an unused flop, and the collateral damage remains the lack of support for other more mature and affordable standards and approaches.
So is the CNPD partly responsible for poor compliance?
Absolutely not. Every citizen is accountable to the law, and in no case can the police be held responsible for a crime they have not detected. Criticising the CNPD is a way for some people to look away from their own responsibilities. Of course, the CNPD also has an information and awareness-raising mission. They could have done more, but they have done this at other levels.
Where and how to get PIMS certification?
From any foreign certifier or from the only accredited certifier in Luxembourg, Certi-Trust, which issues certification under internationally recognised accreditation. Due to lack of demand, ISO/IEC 27701 certification is not yet available. In the meantime, a certification against ISO/IEC 27001 with an indication on the certificate of the full implementation of the ISO/IEC 27701 measures is possible. itrust consulting obtained it on 9 June 2020.
What are the advantages of this certification?
In the preparation of this certification, itrust consulting has made extensive use of this standard to draw up a data protection policy which lists all the measures proposed in this standard, the implementation choices and internal guidelines, e.g. references to other security measures, internal documentation or an indication of the responsibilities and processes to be followed by the employees. Thus, this policy, together with a risk analysis report and the register of processing activities, is the cornerstone for demonstrating that data are adequately protected, independently of a certification.
During an external audit by the certifier, the conformity to this policy and the correct application of the measures were verified. Without being able to guarantee 100% that there will be no incidents, this inspires the confidence of our clients, and ultimately of most Luxembourg citizens whose data might be processed by us.
‘3.5 years after the entry into force of the GDPR and 26 months after the definition of a PIMS’
What is the cost of certification and its limits?
The cost of certification (including audit) is on average 4 000 euros per year for an organisation with less than 25 employees but increases logarithmically with this number. An organisation that does not have adequate systems in place could have to spend up to 50 000 euros on consultancy, preparation and implementation of processes and measures. Of course, the cost is theoretically zero for companies that are already managing security and data protection in the right way. The costs of business process-specific security measures can also be substantial. However, these measures are not imposed by certification if this is aligned with the risk appetite and if the residual risk is accepted. In other words, certification does not ensure that there are no risks, nor that there is compliance with the GDPR, but only that all risks and compliance issues have been fully detected, understood and accepted by top management and that the interests of data subjects have been respected.
What is the philosophy behind the PIMS of ISO/IEC 27701?
This PIMS is based on the information security management system, i.e. on specific requirements related to understanding the context, leadership, planning, support (e.g. staff training), day-to-day operation of processes, and performance evaluation. In other words, it starts from the idea, often overlooked from a legal perspective, that it is pointless to spend time reviewing the specific rights of a data subject if the processing fails to protect the confidentiality, integrity, and availability of the information (CIA). However, protecting CIA is not sufficient in terms of privacy protection: risks shall be considered from the perspective of the data subjects and of their rights under any applicable legislation. These requirements are comprehensively reflected in 48 controls that are set out in the standard with requirements and implementation guidance. It is also guided by pragmatism and by the fact that a law is not complied with because of penalties, but by upgrading the management of any organisation that must comply with it.
Dr Carlo Harpes to explain the potential of the EU certification initiative, the role of regulators and public procurement in requiring certification, the pitfalls in certification such as with the LU CARPA initiative, the need for collaboration among all actors, the need to learn and improve the ICT development lifecycle and testing, the danger of dependency after mergers of today's certification authorities, and the importance of caring about 'high' certification, which should remain feasible for innovative companies, not only for market leaders.
An SES-driven consortium that seeks to develop a satellite-terrestrial quantum communication infrastructure and the roadmap for wider European integration, setting the path for next-generation cybersecurity.
To design the LuxQCI, Luxembourg has put in place a consortium comprising InCert, itrust consulting, LuxConnect, LuxTrust and the University of Luxembourg (SnT), that is led by SES’s fully owned affiliate SES Techcom.