magazineOrange: Interview with José Ramón Monleón Martínez

1 June, 2018

JOSÉ RAMÓN MONLEÓN MARTÍNEZ

Corporate IT Security Manager

Corporate CISO (Chief Information Security Officer) at Orange Spain

Telecommunications Engineer, Polytechnic University of Valencia

QUESTIONS:

How did you end up in the world of information security? What drew you to this field?

The Orange Group as we now know it—a number of companies in Spain brought together under the common name of “Orange”—was created in the year 2006.

2006 was also the year in which the figure of a person in charge of Global Security was created. It was a different way of approaching security. Until then, information security had been a discipline only practiced within the field of IT.

This global view of information security, transverse throughout the whole organization and from a global perspective, was something quite new in those days, and yet, the Orange Group was already applying this model to all the countries it was active in.

It was a discipline that had always attracted me, especially because of its ability to analyse computer systems and find their faults and vulnerabilities in order to protect the systems against them. You didn’t hear much about this subject at the time, and I found the project that was offered to me—creating the whole department from scratch, with a cross-sectional view of the whole organization—very appealing and very promising. It was quite a challenge, but I had the support of a big group in France.

Now, looking back at it differently and having travelled the road, I can safely say that it was a very wise decision.

How did you get the opportunity to start working for the multinational company Orange?

It was back in 2000, after the famous Y2K that turned out to be not such a big deal. During the previous year, I had been working in a financial institution as a consultant, adapting its means of payment so they would keep working normally when the big date arrived.

I was hired by Amena (one of the companies that formed Orange in Spain) as a consultant for the computer department, and the next year they offered me the opportunity to work for them as an employee.

What obstacles did you encounter in your career path leading up to Corporate CISO at Orange Spain?

As I mentioned earlier, the creation of a figure in charge of information security at the corporate level and transverse throughout the organization was a very novel concept at the time. The organizations and people making up the group were not prepared for such a figure; the models were very hierarchical and people worked very much in silos. In order for me to advance in my position, those barriers had to be broken.

Furthermore, the function of information security has changed a lot over time. In those days its field of application was much smaller, applications were hardly ever externalized, and everything was much less interconnected.

However, the fact that the group applied the same structure in all its countries made my job much easier, in addition to all the support I received with regulations and projects.

You look after corporate information security at a giant multinational like Orange Spain. Do you consider yourself a cyberhero?

No, not at all. I do consider myself to be one of the few lucky people to have started working in this field many years ago. During those years I had the good fortune of meeting many colleagues who started around the turn of the century. They were pioneers serving as role models for us. The field was much smaller and in all of Spain there were no more than a dozen CISOs. Now I feel proud to be standing alongside them.

As an expert in information security, can you tell us how to feel safe on the Internet?

That is a good question. As in life, nothing is 100% safe. The Internet is like the streets of our cities, the streets of most of the world, so you need to be equally careful and take the same precautions.

The most important thing is to use common sense, which is “the least common of the senses”, and to apply the same rules you would in the real world, to not trust when you have any doubts.

However, the emergence of social media has led people to relax, and they now place all their information in the hands of third parties, not realizing that they are essentially opening up in public.

Some advice:

  • Be wary of unsolicited emails, those that have no reply address and those containing unknown links.
  • Give your passwords to no one, neither on the phone, nor in reply to an email.
  • Surf trusted sites.

How does Orange stay abreast of possible attacks by cybercriminals?

We have a Security Operations Centre, an organized and highly qualified team whose mission is to protect and defend the company’s assets and to continuously improve Orange’s security situation. We work on different fronts: prevention, protection and detection.

Regarding prevention, we help developers of applications and services incorporate security measures in their products by default. We also use elements for asset protection, especially those exposed to the Internet.

What solutions does Orange offer in matters of cybersecurity? Is it one of their strategic priorities?

Currently, our security services are all grouped under the name Orange Security Suite.

Orange Security Suite is a perimeter security solution composed of the following services, which are available independently:

  • IPS/IDS
  • Web Filtering
  • Antivirus

It is a security service offered directly through the net, aimed at companies, that does not require any devices to be deployed on clients’ premises, no software to be installed on their computers, and no specialized computer-security team.

Furthermore, it is a modular package that can cover clients’ security needs selectively without them having to pay for services they do not need.

It is also flexible and can provide reliable protection for data-transfer rates from 2 to 200 Mbps without any need for costly hardware acquisition or equipment change. All of this with a security platform updated daily with the latest virus signatures, maintained and operated by our own Orange experts, and either remotely managed by Orange or self-managed.

This is obviously a strategic priority for us, and we are working on expanding our portfolio with the help of our internal SOC (Security Operations Centre), which allows us to offer clients services with a SOC.

Tell us about iSec4IoT (Intelligent Security for IoT – Orange Lab) and the extent to which it promotes excellence in the development and implementation of cybersecurity solutions.

The Routers and IoT centre of excellence was created in reply to the threats that started appearing in this field in 2016. Its initial objective was to protect the routers we provide to our clients, detect security incidents, and perform security tests on routers in controlled environments identical to those of our clients.

On the one hand we have routers, the element connecting clients to the Internet which is, as such, exposed to web threats. Turned on and “exposed” twenty-four hours a day in most cases, they are the potential targets of cyberattacks, either isolated ones or campaigns organized for different purposes, such as denying customers service, or stealing their identity or credentials. There are many recent examples of massive attacks on routers, some of them with serious repercussions.

Orange Spain’s security laboratory replicates typical client scenarios to monitor the activity received from the Internet.

And then there are the IoT devices that are entering our homes and businesses. It is increasingly common to find new devices capable of connecting to the Internet and allowing users to remotely control them from anywhere in the world, but this is just the beginning.

For this reason, in 2017 we expanded our centre to include these devices in order to anticipate the threats of the future. The biggest risk with IoT devices is that in most cases they are designed without security, which makes them very vulnerable and appealing to cybercriminals. Once a device has been analysed and its weaknesses discovered, cybercriminals have thousands or millions of identical targets connected to the Internet that they can launch attacks on.

We want our laboratory to certify IoT devices so they meet at least some basic security requirements, and we also want to design protection and detection measures capable of avoiding attacks and detecting any threat that may affect them.

What is your main mission as a member of GSMA IoT Security? What type of actions do you take?

The GSMA is the association that brings together all the companies in the mobile industry. Orange, as an operator, is a member. It is our understanding that, in order to design and protect IoT devices, we need to work together with the sector, sharing knowledge and defining common rules and regulations that must be applied by default in all devices. Our mission is to support and cooperate with this team to help the different lines advance toward the objective of protecting devices.

The GSMA, together with the mobile industry, has designed a range of resources to guide companies in matters of security to face the challenge of securing the connected future.

A guide with security guidelines has been developed. Drawing on its wide experience in security, the GSMA, together with the mobile industry, has created a set of IoT Security Guidelines, backed by an IoT security assessment framework, to provide a robust, tested approach to ensuring end-to-end security. This guide is free and is available on the Internet at: https://www.gsma.com/iot/future-iot-networks/iot-security-guidelines/

What profiles are currently needed in the information security sector?

There is a shortage of profiles in the field of cybersecurity, in all its branches. Because of the rise in cyberattacks and the proliferation of highly and ever more sophisticated new threats, qualified expert professionals are needed to fill specialized positions in cybersecurity in different types of organizations.

The most in-demand profiles are those with technical expertise or studies. The most difficult characteristic to find is experience; the number of professionals with years of experience is very small.

What would you say to a young person who, through lack of awareness, does not consider a career in the cybersecurity sector? What experience is required?

If they like the subject, this is their moment. If they are unfamiliar with it, the first thing to do is to consult the different associations in Spain that work in the area of cybersecurity, which can give advice and introduce them to the sector. Different conferences are held throughout the year, too, and there is sure to be one close to where they live. This will allow them to get to know this sector better and to consider starting a professional career in it.

What is especially required is people with technical knowledge and a lot of creativity. Those of us working in cybersecurity are forced to be creative, it is the best way to find solutions to the complex problems in our sector. Being able to think laterally and “out of the box” is very important.

Finding professionals with experience in cybersecurity is difficult, so any professional who is an expert in systems and communications and is creative can join this sector. We will take care of training them so they learn the peculiarities of cybersecurity in the environments they are already familiar with.

What is your opinion about the state of corporate cybersecurity in 2018? How do you think it will evolve in the near future?

It is in the initial stages. Compared with other sectors, industrial systems did not have the necessary security measures that computer systems did have incorporated into them. The main risk lies in interconnecting them with the internal networks of businesses or even with the Internet. Fortunately, the sector started paying attention to cybersecurity a few years ago.

The INCIBE has done a great job here with the creation of the National Network of Industrial Laboratories, a platform that brings together industrial laboratories that have the capacity to experiment and research solutions that increase security in our national industrial infrastructures.

We have joined this year, contributing a complementary, differentiating factor: protecting the communications and perimeters of businesses, thereby providing a protection that, together with internal protection measures, raises security levels.

Things are going to be evolving very quickly because companies will start adopting these security and protection measures, which means they will be needing products and services that protect them against Internet threats. The next few years will see constant evolution taking place, especially with IoT devices entering industrial processes as well as the daily life of any corporate process: air conditioning, cleaning, logistics…

Are companies really aware of the importance of protecting their corporate information? Does this field receive sufficient attention?

Nowadays it does. All companies are aware of the importance of the information they possess and that any threat that might affect that information is a risk for the organization. Especially when we are talking about personal data, which are the subject of new legislation that is coming into effect this very month.

The challenge now is to make the change to cybersecurity: it is no longer just about protecting information, but also the interconnected device containing it. The threats we are now facing do not so much attempt to seize control of information as they do of devices, after which they may obtain the information or compromise other devices. This is the goal of cybercriminals who want to monetize their attacks with or without access to information.

What essential cybersecurity advice would you give to companies?

To hire an expert or contact a specialized company to help them protect their assets. Also to draw up protection plans that guarantee a level of security that protects them against the threats that are emerging.

It is an investment on the part of companies meant to avoid an attack that may affect their continuity.

It is often said that knowledge is power. Is information a company’s most important capital?

It is amongst the most important ones, depending on the company’s type and sector. With the emergence of “Big Data”, data have become the new raw material; they are bought, sold, processed and transformed, and they generate services around them, a whole new industry.

Many companies have realized they possess a valuable raw material. Starting from this, they have embarked on different paths, some quickly monetizing information by selling it, others turning it into a revenue-generating service without getting rid of their asset.

What are the main threats and challenges facing companies regarding the security of their corporate information?

The principal threats stem from a company’s exposure to the outside: its communications, email correspondence and Internet browsing are the route of entry from the outside.

Currently, the main threats are malware (including ransomware), attacks on web applications, phishing, spam, denial of service, botnets … All these threats may put the continuity of the company’s activity at risk, causing economic losses.

Companies must develop cyberintelligence capabilities to understand the threat environment they are exposed to and thus anticipate the corresponding risks. Risk analysis must be an essential tool in all business processes. Employees must receive training in cybersecurity and be made aware of its importance.

A security plan must be designed that makes it possible to protect communications, computer systems, email correspondence and web browsing, in addition to mitigating denial-of-service attacks.

Is there such a thing as an invulnerable system?

As in the physical world, no system is invulnerable. Everything depends on the attacker’s level of specialization and the means at their disposal.

What we have to do is to raise the level of protection of our assets based on the threats facing us and have a detection system in place in case it is overcome.

Regarding the Facebook scandal, are you worried about this personal information leak?

What worries me is the ease with which people give their data to these companies. If people didn’t give them their data, these companies wouldn’t have them. So at the source of everything lies this voluntary leak of information where people give information to these companies that offer their services for free.

We need to make society aware of this situation and explain that when something is free, you are the product. Also, this creates problems for the rest of the companies that do make responsible use of information.

When a society becomes more and more interconnected, does that make it more vulnerable?

Obviously, the definition of perimeter security has been lost, because today all kinds of networks and systems are interconnected.

On the one hand, this is good and necessary for improving users’ communication and information-access capabilities, and it is a service that we are promoting.

On the other hand, however, systems are being connected that should not be accessible from other points but only from the systems and by the people responsible for them.

We should consider the idea of having independent networks for different processes, of segregation based on services and needs.

The concept of the Internet of Things is becoming ever more deeply embedded in our society. Are our data at risk? What will our lives be like when everything is connected to the Internet?

As we connect an increasing number of devices in our homes, we also raise the risk level, mainly because we are unaware of the capabilities and risks associated with these devices. Then there is the issue of privacy, of how companies make responsible use of the data they gather about us.

To this end we are advocating the creation and application of security certificates for products and services, especially IoT, that guarantee users a level of security sufficiently high so they do not have to worry when installing one of these devices. This is what we are doing in the GSMA, designing to make the future safe. This is going to be a differentiating factor.

The future looks very interesting, with new services and capabilities that will make life easier for us. And all these devices will be safely interconnected. We are working on this already so that when our clients need it, it is available to them.
