Justin Broeders (Eneco): “Zero trust is not just about technology”

Hotze Zijlstra

2 December 2021

Eneco, designated part of the country’s critical infrastructure since June this year, takes cybersecurity very seriously. The next few years will, therefore, be marked by the adoption of zero-trust practices and architecture. We spoke about this with CISO Justin Broeders. “Zero trust is something you set up not only from a technology perspective but also from a risk governance perspective to embed it in the organization.”

Eneco is now European-oriented; the group has a growing customer base in the Netherlands, Belgium, and Germany. Well-known brands are Eneco, Oxxio, WoonEnergie, Agro Energy, and, in Germany, LichtBlick. The energy supplier has a fairly decentralized organization. Justin Broeders: “How do you set up zero trust from a fairly decentralized organization? Not only from a technical point of view – although very complex – but also from a governance point of view, to embed zero trust in the organization.”

Trends

Justin Broeders sees several trends in the digital field that demand a response from Eneco. A general trend is that the number of cyber attacks is increasing worldwide and that those attacks are becoming more sophisticated. The image of a castle with walls, the traditional perimeter model, has long since ceased to be adequate, especially now that hybrid working has taken hold. The emphasis is now much more on agility and on standardizing and automating security measures.

Moreover, technologies such as IT, IoT, and OT are becoming increasingly intertwined, while each retains its own characteristics. “Point solutions are not enough,” Broeders argues. “We are looking much more at platforms. This also applies to cloud adoption, where standardization is the norm, with an eye on scalability and speed.”

Compliance has a significant and growing impact on the company. Since June 1, Eneco has been part of our country’s critical infrastructure. Justin Broeders comments, “We are hoping for a regulator that will also come along and enter into dialogue with Eneco, thus providing a push towards compliance and security. On the other hand, it remains to be seen how laws and regulations will develop in the coming years.”

Proactive

To meet cybersecurity challenges and developments, a more proactive approach was desired. “How can we now include security in everything we do instead of taking security only from a technology perspective – and thus sometimes hooking up later in the process?” summed up Broeders. “I went to the Board of Directors with this ambitious message.”

“In my story, I contrasted the risks – how can we mitigate them and how do we have security under control – with the value – how can security help achieve strategic goals and how can we achieve digital trust with our partners and customers? In other words, protecting what you have versus enabling digital transformation. That trust, by the way, is not something you want to achieve only from compliance but also to underpin your right to exist.”

Risk and value

Entering into the discussion about risks and value is very important, according to the CISO: “At the board level, there may be the idea that security is about technology, but it is certainly also about governance. After all, as a board and also as management, you have to make the right decisions. You can take measures, accept a risk, or take out cyber insurance.”

The ideas of bi-modal IT inspire the security operating model that Eneco has adopted. It addresses the need for basic security and the need for the business to innovate and transform securely.

Justin Broeders: “We offer the baseline for IT and OT within Eneco as a more dynamic defense against cyber-attacks and security that focuses on innovation and digital transformation. On top of that, we have added a ‘layer,’ the ‘business-aligned security strategy & governance model,’ which focuses on risk management for the entire organization and its partners.”

Security board

“This does require us to work and think differently, less focused on technology as the primary angle and more concerned with advising the business and understanding what is going on within the company,” Broeders continued.

To this end, Eneco has set up a security board directly under the Board of Directors, with senior managers such as the CIO, the COO, and the Director of Operations. “Here, we can start the dialogue about security as the only topic and not a secondary topic. It is really good to have such a specialized board now that we are making such great strides in the security field. We focus on centrally developing policy, frameworks, and direction, but we are also committed to empowering the local business and IT teams.”

Defensive lines

Eneco has structured the governance around cybersecurity according to a model with three lines of defense: the departments, then risk and compliance management, and as the third line, the board and audit committee. “With this model with three lines, we also try to guarantee board involvement in security and fill in the right roles and responsibilities.”

“How can we incorporate security into everything we do?”

“I do think you shouldn’t be too dogmatic about this,” notes Justin Broeders. “The activities regularly spill over from one line to another. Sometimes, you have to put your shoulders to the wheel in the first line, for example, because you want to avoid standing alone to point out what needs to be improved… After all, you want to keep the motivation of the teams and the involvement of suppliers good.”

Course

The route to a zero trust ecosystem – in which security services are offered by default to make secure working easy – has a phased approach, Broeders explains: “First get the basics right, then (further) develop a sufficient degree of security maturity in the organization. The period after that will focus on developing advanced security capabilities and reusable security services for the business.”

“In laying the groundwork, we scrutinized our risk framework and security architecture, also in light of our internationalization. That was sometimes back to the drawing board. Incidentally, this is a work in progress, not a one-time action. Increasing maturity is about resilience, or cyber resilience, in addition to prevention and detection.”

Not one-time

More concretely, the coming period at Eneco will mainly be about further developing a dynamic defense against cyber attacks. After that, supporting innovation and digital transformation will come more into the picture.

Justin Broeders: “This does not mean we see such developments as one-time activities. You do want to make changes sustainable. We work adaptively and adjust metrics and policies where necessary, work on awareness via roadshows, for example, et cetera. We have long been working on awareness, also from a compliance perspective, but now, since the COVID era, we are considering a different approach, for example, with more interactivity. We are also exploring options like gamification in this regard.”

Ecosystem

The goal of all activities is to achieve a zero-trust ecosystem, together with partners and customers, in 2025. It will be hard work and a long road, agrees Justin Broeders: “I see the necessary dilemmas. For example, how do you invest responsibility for security in the line organization? After all, security is not just a technology issue.”

“This also applies to assessing risk. And further, how do you maintain your agility? Often, you are remodeling with the store open, and sometimes you have to accept that you address some issues a little later.”

“It is a journey toward zero trust: there is no blueprint,” Broeders concludes.