On European Data Protection Day, we talk to Martin Nakou Lelo about the cybersecurity challenges faced by ACC.

 

Why is data protection a key issue for a company, and how do you integrate this issue into your IT projects from the design stage onwards?

Data is part of a company's assets. 
There are several types of data. These include: employee data, customer data, our innovations and industrial property, financial data, etc. The issues are therefore strategic, legal, financial and reputational. Protecting them is not optional!

Integrating protection into IT projects from the design stage involves adopting a risk-based approach. Cybersecurity experts must understand the business need expressed in order to define the appropriate means of protection. Let me illustrate this with an example: IT receives a request to create two data storage directories. The request specifies that one of the directories will be dedicated to the Finance team and the other to an intern working on the design of a new website. The means of protection for these two directories will not be the same. Each of these directories has a different security requirement. Unauthorised access to financial data would not have the same impact as unauthorised access to the intern's data. The difference lies in the implicit security requirement associated with each of the directories.

Design from the outset involves identifying the security requirements behind each project and need in order to provide a technical and/or organisational response that is consistent and appropriate to the risk. Integrating security from the outset also means involving the security team in the early stages of expressing requirements and drafting specifications. 

The supervision of third parties is an important part of securing an enterprise's information assets. This supervision must begin during the selection phase, where security requirements must be part of the selection criteria. It must continue throughout the contractual relationship, for example through the implementation of security assurance plans.

 

Which emerging technologies or solutions do you think are most promising for strengthening data protection in the coming years?

The solutions are not emerging, in reality. They have been around for a long time.

The whole paradigm of protection is called DLP (Data Loss Prevention). I will not go into the details of this concept. To simplify, protection involves behaviours, processes and technologies. We can only protect what we know. It is the person who creates the data who knows its importance and value!

The first step is therefore to comply with the company's data classification and labelling policy: public, internal, confidential, etc.

The second step is to be aware of where the data is stored. We need to know whether it is a location that is open to everyone or not, depending on its sensitivity. The rest is down to the cybersecurity team's technologies and rules for protecting what is created, stored and transmitted through communication channels.

 

Can you tell us about a recent project where data protection significantly influenced your architectural or technological choices?

There are many examples. I can cite one that involved exchanging information between a maintenance management application and an ERP for material control purposes. This involves interface exchanges known in technical jargon as APIs (Application Programming Interfaces). 

An ERP contains financial data, customer data and other information. It is therefore quite sensitive. Best practice for securing exchanges involves setting up specific infrastructures to guarantee the confidentiality and integrity of the information exchanged.

 

How do you train and raise awareness among your technical teams about the challenges of data protection on a daily basis?

The first layer of training is general awareness via the dedicated market platform. This is a common core, so to speak.

The rest is the result of collaboration between teams:

• The cybersecurity team defines and adapts standards to the company's context.
• Technical architects use robustness and security as the two wheels of the design cart.
• The teams in charge of day-to-day operations ensure that everything is applied and kept in working order.

This three-stage collaboration facilitates continuous improvement through iteration.