Recently, we had the chance to interview Christophe Rome, chief information security officer (CISO) at Lineas.Lineas is the largest private rail freight organization in Europe. The mission of the company is to offer such superior rail products and services that customers shift the transport of their goods from road to rail. This allows them to improve their supply chain while decreasing their negative impact on climate, mobility, and air quality.
We talked with Christophe about how he arrived at the role of CISO at Lineas, what drives the security department at the company, how he wants to improve the cyber resilience of Lineas, and why one can’t avoid building a human firewall.
Christophe is also doing an amazing work in building a community of CISOs that understand that we should all use the same weapons to mitigate attacks. Keep on reading. We promise it’ll be insightful!
Since I was young, I have always had a healthy appetite for anything IT related. When I was in school, I was running a bulletin board system that was pretty popular. Those were the days when the Internet was nonexistent, and computers connected to each other via dial-up lines and modems. My room was filled with computer hardware that I assembled and disassembled to my liking.
Having a less healthy appetite for school, and parents with no understanding of IT, I was forced to study economics and graduated as an economist. However, once I left the university, I immediately started working in an IT role. From then on, I went from network engineer to system engineer and ended up in security-related roles: first in security engineering and later growing toward policy writing, auditing, and risk assessments. I have always worked in the financial industry. Moving toward a company such as Lineas was a very conscious decision. Over the years, my feeling that the financial industry had become overregulated grew stronger. Too much of my time was going into fixing audit items that did not need fixing. Or at least they were not a priority, in my opinion. There were bigger fish to fry, but there was no time for that. The facade was still standing, but fires were burning in the basement. Checkbox theatre at its best.
So while being on the lookout for a new, meaningful challenge, I ended up joining Lineas. First of all, I was completely new to the transport industry and certainly to transport by rail. Additionally, I was taking responsibility over the security program of the company, which was exactly the kind of challenge I was looking for. Take into the mix the ambitious growth ambition and drive of Lineas, and you have a golden opportunity at your hands.
As a CISO, I am responsible for the confidentiality, integrity, and availability of Lineas' systems and data. My role mainly consists of developing the company strategy from a cybersecurity point of view. This translates into a tangible roadmap that we are following. Focus areas for this year are the following:
We live in a world where we have to assume a breach. Criminals have shifted their activities to the digital space, and we must act accordingly and change our focus. In the cybersecurity space, we have thus far put all of our money and resources into protecting the perimeter. All of our focus and attention went into prevention. That is no longer sufficient. Assuming breach means that you acknowledge that cyberattacks will be successful and that it is only a matter of time before attackers come knocking on your door. That is why we need to develop efficient detection and response capabilities. To improve our cyber resilience posture, we have been investing in next-gen behavioral Security Information and Event Management (SIEM) technology and have partnered with a security vendor who is providing the Security Operations Center (SOC) capabilities on top.
Since companies have been spending so much money on the protection of their perimeter, attackers have been looking for alternatives. Attackers will always look for the path that is least resistant to achieve their goal. That’s how they found out over time that targeting the individual, who sits within the company perimeter with access to the network and the data, seems to be a very lucrative shortcut. Through social engineering techniques, attackers are able to steal credentials, or they are directly succeeding in getting their malware installed. This way, a foothold within the organization is created from where attackers can further move laterally within the network towards their objectives. It’s this new security layer of individuals, the employees of the company, which we are improving. We like to refer to this as the human firewall.
So, when our objective is to mature our human firewall, it means that we build a partnership with our userbase. We explain to our userbase the responsibility that they carry regarding the security of the IT environment they use on a daily basis (which often comes as a surprise), and we provide them the training and the tools needed to identify the dangers and react accordingly. Hoxhunt is the number one tool we are leveraging to obtain that objective. The continuous flow of phishing simulations and the accompanying micro learnings that Hoxhunt is providing seem to be the ideal methodology to educate our users in recognizing and reporting social engineering attempts.
Many companies do not like to talk about their security posture. They fear that this would reveal too many details about their environment. I call this mentality 'security by obscurity.' We are all in the same boat. We should more or less all use the same weapons as we are all facing at least a subset of the same threats. We have to reach out to each other and share intelligence and experiences. That is why I am actively reaching out to the community, and I am open to discussing and explaining the choices that we are making to survive in the minefield of cybersecurity. It also helps to convince our existing and potential customers that Lineas is serious about cybersecurity.
Don’t be the 'department of no'. All too often, security departments are seen as disablers. Let’s not forget we are supporting a business. We are a supporting department—trusted advisors, if you will. Nothing more. Our role should be to advise the business on the risks it is facing and the mitigation of those risks. If we approach security with this mindset and engage in that continuous dialogue with players in the business, people will start to understand why certain security measures are needed and will ultimately come up with these proactively.Thank you, Christophe!
We would like to thank Christophe Rome for his excellent insights. We are thrilled to support Lineas on its mission to become more cyber resilient and build a partnership with its users for improved security.
Would you want to be featured?Are you interested in joining our #HoxhuntCISOSeries? Send us a message to marketing(a)hoxhunt.com and we will get in touch with you.