Eduardo di Monte (Agbar Group): Rating gives us the necessary tranquility

We continue today with the section named #ratingenthusiasts in which we include the opinion of relevant people we have talked to in relation with #securityrating.

In today post, we have Eduardo di Monte. Eduardo is Cybersecurity and Business Continuity Chief of Agbar Group (Suez Spain), for Spain and Chile. Eduardo is Telecommunications Engineer and MBA by EuroMBA Consortium, he is specialist on industrial cybersecurity (IoT) and business continuity. With more than 13 years of experiencie, he has spent the last 8 years working hard on cybersecurity aspects of automatization and industrial control systems, specially on processes soported by critical infrastructures. He has combined this dedication with crisis coordination and implementation of resilience and business continuity models for critical process in industrial environments.

1. Is it typical the outsourcing of services in your organization?

Besides that every IT department has limited resources, there many knowledge areas in the technical sector that makes difficult for an organization to cover all of them in depth and with the demand and security required. For that reason, outsourcing is, obviously, needed. Both, human and technical resources of outsourcing, together with services received, are controlled and managed to reach required service levels according to our needs.

2. From a security perspective, do you think is important to manage the risk of ICT value chain?

Roundly, yes. Our services could have various breakpoints, but the ones that causes more uncertainty to our organization are those on which we do not have direct control, and our response cabapibility depends on thrid parties. How we manage those risks is the only way to sleep in calm, without having to cross our fingers.

3. Until now, what mechanisms do you apply in your organization to manage that risk?

Whenever we look for a new service provider, further than technological benefits we are offered, we think in the relationship in mid and long term that we are going to establish. Define service management rules and legal framework is the foundation to keep some level of control.

When building up the contractual relationship, we include clauses oriented to assure the right performance of those services (management and operation, incident response and resolution times, periodic reporting and service levels, outsourcing, confidentiality, security controls, compliance, etc.).

Change control, review and management of outsourcing service provision was our pending subject, because we were reactive in front of incidents that had direct implication with providers. We expected the right response from the provider, so these issues could not be planned.

From this starting point, we have included two elements that provides us with more proactivity and planification. These elements provide us with real value to the service, measure the relationship maturity with the provider and improves the resilience of our service:

• On the one hand, we perform cyberincident tests that assess the right service provision, besides letting us to learn from those tests to improve the service.
• And, on the other, the right to audit and test the service provider, we can asses that security measures are appropiate.

4. How do you consider the possibility that services offered to your organization were rated by and indepent third party?

The right to perform audits and compliance tests is key, and if it is done by an independent third party, besides free our resources, let us to keep a friendly relationship with our service providers, as we are not the ones who "invade their intimacy".

Impartial and sound technical rating by LEET Security, give us the required tranquility, and assure us that we can keep trusting on our service provider because she/he keeps the required security level.