The figure of the CISO (Chief Information Security Officer) is essential today within every company and government institution. The CISO is responsible for ensuring the security of the organization's information and data, supervising the management and implementation of policies and measures to protect against cyber threats. In recent years the figure of the CISO has become increasingly important, taking shape within an increasingly well-defined structure dedicated to information security.
In this regard we present the first of a series of interviews with the CISOs of major companies, to tell the story of an increasingly necessary profession. Today we speak with Matteo Herin, CISO at Carrefour Italia, who tells us where his interest in this world was born and how he deals with the challenges of the sector.
CISO & Head of Network at Carrefour Italia. Matteo has been a cybersecurity addict since the early 2000s and has made his passion his job. Serving as head of Cybersecurity (CISO) and Network at Carrefour Italia, he is in charge of the constant evolution and improvement of both worlds, trying to build a retail world where cybersecurity, infrastructures, digital services, and people interact seamlessly and efficiently. An absolute cat lover, Matteo has spent the last 7 years in the retail industry and the previous 10 years as a cybersecurity consultant in multiple sectors, including energy, publishing, and automotive.
What is your path in the world of cyber security? What brought you to where you are?
Since high school I have always had a huge passion for computers and their potential. When I got my hands on the first Internet connection at a friend's house in 1996, I sensed - or rather I decided, with the conviction of a teenager - that this was the future. From there, curiosity prompted me to try alternative operating systems (at the time): GNU/Linux and FreeBSD, until I pushed myself - with the help of friends from the underground community of Milan - into the world of hacking.
"Convincing" machines to do what they were NOT designed to do was the real cultural revolution in my way of approaching information technology, what kept me up late. Then there were years of work as a consultant for various large companies, first in offensive security and then in defensive projects, passing through forensics and governance. In 2016, 20 years after my first scratchy 33.6 modem handshake, I found myself responsible for operational security for a large retailer, and then CISO. I haven't stopped yet, neither with the retail sector, nor with my job.
What are the key elements of Carrefour's internal security strategy and how does it integrate with the organisation's overall cybersecurity approach?
Carrefour Italia is part of the Carrefour group which operates in over 10 countries, both directly and through partnerships. At the heart of our operations is the internal community which includes the CISOs of all business units and cybersecurity operators. Our international reference framework is NIST, and in Italy we are also ISO27001 certified for systems that manage data subject to GDPR legislation.
Our strategic approach is based on services and tools common to most business units, considered core, i.e. essential for the governance and measurement of the effectiveness of security measures. However, it is not a rigid approach, because each BU has the possibility to independently test and use local solutions. For example, in Italy, the third-party risk assessment and management system is different from other countries, as is the Cloud SecOps system.
A global team, located in France, is in charge of managing common services, such as WAFs, the SOC and its related SIEM, EDR and incident management platforms, and of coordinating operations. From an evolutionary point of view, it helps us by coordinating multi-country projects, for example the hardening of some infrastructures, and distributes blueprints and best practices borrowed from the other BUs.
Carrefour has the ambition to become a full-fledged digital retail company and this has a profound influence on the group's cyber strategy: we are gradually turning towards the concept of digital product and with it comes the need to have a higher and more comprehensive vision of the cyber risk. We are moving with a view to evaluating each digital product as a piece in the value chain, equipped with its own KPIs and KRIs and - increasingly - also with a ROI; cybersecurity is no exception and every initiative, project, product or service must be evaluated according to these criteria.
How are identities managed within Carrefour to ensure data security and insider threat prevention?
Identity management is a complex topic that passes through the management and responsibility of the Cybersecurity team. To date, each BU is autonomous in management both in terms of processes and tools and Italy is no exception. We are equipped with a semi-automatic identity management system integrated with the HR systems and the group IAM. This helps us guarantee one of the fundamental aspects at the basis of correct identity management: the correctness and updating of the main data and attributes.
Operationally, the principle we apply is the balance between agility and control based on risk measurement: identities are associated with various accounts which, in turn, are linked to profiles and application roles. Each account or profile request is subject to a non-bypassable approval workflow involving one or more approvers. The greater the risk produced by the request, the more complex the workflow. Unfortunately, it is easy to imagine the amount of work produced by the manual management of approval workflows, not to mention all the routine checks that we periodically perform to identify and remedy any errors or inconsistencies.
The next step we are working on will be the introduction of a more sophisticated Identity & Access Governance system which will allow us, on the one hand, to increase the level of automation and, on the other, to ensure greater consistency over time between the grants given to the collaborator and those actually necessary to carry out his duties today, according to the principle of least privilege.
Added to all this is the complexity of the high number of franchisees who enrich our network of points of sale in the area every day: the governance of third-party companies in all respects, which require very strong integration with the Carrefour organisation, from the use of email and document sharing to the dozens of applications they use every day. Hence the need for a great organizational effort to allow the business to maintain the agility it needs without falling back into an operating model that is too prone to risk.
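One way to model the identity chain, the risk-tiered non-bypassable approval workflow and the periodic least-privilege reconciliation described in this answer, as an added Python example that is not Carrefour's code; the approver tiers, role baselines and sample identities are constructed assumptions:

```python
"""Added example (not Carrefour's code): identity -> accounts -> profiles, a
risk-tiered approval workflow and a least-privilege check. All data is assumed."""
from dataclasses import dataclass, field

# Assumed approver chain per risk tier: the higher the risk, the longer it is.
APPROVERS_BY_RISK = {
    "low": ["line_manager"],
    "medium": ["line_manager", "app_owner"],
    "high": ["line_manager", "app_owner", "ciso"],
}
# Assumed baseline: the profiles each job role actually needs today.
ROLE_BASELINE = {
    "store_cashier": {"pos:operator"},
    "store_manager": {"pos:operator", "pos:refund", "hr:timesheet_approve"},
}

@dataclass
class ProfileRequest:
    account: str
    profile: str
    risk: str
    approvals: set = field(default_factory=set)

    def approve(self, approver: str) -> None:
        if approver not in APPROVERS_BY_RISK[self.risk]:
            raise ValueError(f"{approver} cannot approve a {self.risk}-risk request")
        self.approvals.add(approver)

    def granted(self) -> bool:
        # Non-bypassable: the grant exists only once the whole chain signed off.
        return set(APPROVERS_BY_RISK[self.risk]) <= self.approvals

def reconcile(identities, accounts, grants):
    """Periodic check: for each identity, union the profiles held by all its
    accounts and diff them against the role baseline.
    Returns {identity: (excess_profiles, missing_profiles)}."""
    report = {}
    for ident, role in identities.items():
        held = set().union(*(grants.get(a, set()) for a in accounts.get(ident, [])))
        needed = ROLE_BASELINE[role]
        report[ident] = (held - needed, needed - held)
    return report

# Constructed sample: an old secondary account still carries a refund profile.
IDENTITIES = {"m.rossi": "store_cashier", "l.bianchi": "store_manager"}
ACCOUNTS = {"m.rossi": ["mrossi", "mrossi-old"], "l.bianchi": ["lbianchi"]}
GRANTS = {"mrossi": {"pos:operator"}, "mrossi-old": {"pos:refund"},
          "lbianchi": {"pos:operator", "pos:refund"}}
def run_review():
    return reconcile(IDENTITIES, ACCOUNTS, GRANTS)
```

Excess profiles in the report are the least-privilege drift the IGA process must remediate; missing ones show where the baseline or the grants are out of date.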
Does Carrefour adopt an internal training and awareness policy for end users? How are employees educated on cybersecurity best practices and what tools are used for this purpose?
Certainly, we have heterogeneous populations with almost extreme levels of digitization of their jobs and therefore specific training and information needs. We operate by cluster, proposing training scenarios suitable for everyone according to the tasks and therefore the associated risks.
In principle, however, information is necessary before training. How else could we expect colleagues to spend a part of their - precious - time training on subjects whose usefulness or value they do not perceive? To solve this problem, we have chosen to target the entire population with an information campaign - developed with a technical partner and a communication partner - that is extremely "light" and amusing, using a raccoon as a mascot (yes, the funny bear that empties your pantry, that one) to propose a very direct parallel with cybercriminals, able to sneak into the company and carry out damage or theft, which you only realize when the worst is done.
It may sound trivial, but it worked. The funnel obviously didn't end there: the purpose of the campaign was to encourage users to train on one of the most critical topics, i.e. the defense against phishing, and a course was made available on the internal training platform. Could that be enough? Definitely not: to measure the effectiveness of the program we have launched several legitimate phishing campaigns that we will continue to offer over the years.
Making an important topic funny is a way to make it "top of mind" for a while, but it is a continuous exercise that must be maintained over time.
However, this step is not fundamental for all populations of collaborators; think for example of top management, who must be trained on "VIP frauds": every year we offer at least one classroom session on this topic alone, and we maintain a periodic flow of information to keep our colleagues most at risk up to date on the evolution of the threat and the ongoing campaigns.
What security measures are in place to protect critical systems and corporate infrastructure within Carrefour? How is IT security risk management handled at Carrefour? Are periodic risk assessments conducted and preventive measures taken based on the results obtained?
I can't give many details on the first question; we certainly have on board all the technologies that a complex company needs. For example, some points that we consider critical are the patching process and the widespread diffusion of the EDR platform. We are also progressively rolling out state-of-the-art UTM in all SD-WAN capable stores and adopting micro-segmentation solutions for the most critical systems. For customer-facing systems we have multiple detection and response platforms as well as a WAF.
Certainly priorities are driven by risk, at group and local level; there is no doubt about this, and this is why the main platforms that help us measure and manage it are provided by the group. We still have an important path ahead of us to make management completely homogeneous and fully automated in all the BUs, but the road is marked and the goal is clear. Compared to daily activities, the management of risk management processes is certainly a significant part, and building relationships of trust and collaboration with the Security, Internal Audit and Risk departments has been and remains fundamental for distributing workloads and ensuring good pervasiveness of the control model.
Returning to the more technical subject of risk management, we constantly monitor the perimeter subject to ISO27001 certification which includes - no surprise on this one - some highly critical suppliers and their SaaS platforms which we use under some of the names in the first 10 lines of our BIA.
Here we enter the topic of risk related to third parties or Cybersecurity Supply Chain Risk Management which for 2 years now has really been gaining ground as a topic with an increasingly higher specific weight. The scope and pervasiveness of third-party monitoring is increasing, as are the costs and effort produced by monitoring this area.
What are the top current trends in cybersecurity and how are the threats to organizations evolving?
On the organizational side, undoubtedly the management of third parties and their associated risk: it is an issue in which the clear trend concerns the drive towards automation, because without this, it is unthinkable to maintain a capillary and frequent monitoring and audit framework which produces substantial human resource costs.
On the technical side, at the risk of repeating myself, again scalability and automation. Let's think about the impact on scalability that AI is about to have, for attackers and for red and blue teams, for CSIRTs and all the players in the cyber ecosystem. Who will gain a real competitive advantage? Who will have the "best" AI for a certain goal? Who will have the most computing power? Google and NVIDIA are investing hundreds of millions of dollars into these simple questions. It is easily foreseeable that the code we will use (for both offensive and defensive purposes) will be written by AI and supervised by humans, but the point lies - in my opinion - in the speed with which this wave will change the technological landscape. Although the hype around AI today is more or less the same that was unleashed by the word "blockchain" 4 years ago, the outcomes will probably be different. The blockchain has not tangibly marked our daily experience as cyber professionals, nor as simple digital citizens, unlike AI, which is becoming the new interface paradigm with knowledge worldwide.
What are the main factors that contribute to the success of an organization's cybersecurity program and how do you measure the effectiveness of your initiatives?
In a complex group like Carrefour, the determining factor I find is the possibility of working in community to create value for other BUs through synergies, exchange of information, data, experiences. When there is a common perceived value, teams get closer and work together, dramatically increasing the value of the results. Products that work, resulting from well-designed projects, always receive a follow-up and can be easily tested and adopted by different BUs.
Iterating the agile paradigm on your cybersecurity program is an effective practice, because it allows you to select within it what works and what doesn't, investing in products and projects that bring results while maintaining a certain speed of movement, of adaptability. Given the speed - sometimes excessive - with which retail businesses operate today, this criterion should not be underestimated.
How do we measure - or at least try to measure - when a product or an element of our cybersecurity strategy has hit the mark? With ROI, Adoption and, sometimes, on broad targets such as shop users, with NPS. The "raccoon" campaign I mentioned earlier, for example, received an NPS score on the training module.
How is artificial intelligence and machine learning impacting the cybersecurity landscape? What are the potential benefits and concerns associated with this technology?
This question is not easy to answer; we are realizing that we have on our hands a - perhaps - goose that lays golden eggs, but it is not yet entirely clear what we can use it for. We can hypothesize that we will see more and more adaptive, tailor-made offensive techniques, with a substantial increase in the accessibility of advanced techniques even to subjects with tighter budgets, and huge scalability in the ability to process potential or confirmed events and incidents at a first level. So again, the level of automation could rise dramatically, and so could the need for automation to keep up with the opponent.
What are the most common challenges organizations encounter in managing data breaches and how do you recommend addressing them effectively?
By starting to address the problem now and investing the necessary budget. Knowing you're behind schedule and admitting that you have gaps in your data protection program is the first step to solving the problem.
And don't forget to have your DPO and external communication as very good friends!
Jokes aside, every organization is so different that probably only after a few crisis management simulation sessions will you have a realistic idea of how to effectively manage a data breach, hoping not to be forced to deviate too much from the playbooks when something goes terribly wrong. The trend of recent months to equip ransomware with double-extortion payloads unfortunately confirms that the threat is tangible.
How do you see the future of Cyber Security?
I think the sector will go through a period of ferocious growth for another 3-5 years, then maturity and consolidation will come, the search for efficiency and, perhaps more in the short term, a more aware and hybrid use of the cloud. The perimeters of control will be increasingly large and those who profitably adopt the benefits of AI will be able to obtain a fairly lasting competitive advantage. As professionals, we will gradually become more and more experts in technologies developed and operated by third parties, partly controllers, certainly "trainers" of systems that operate in increasingly black box mode. In all likelihood, we will see a diffusion of a more adequate level of cybersecurity in important companies and production structures, which until now have not had the need, or the will, to invest consistently in cybersecurity. We will certainly be forced to evolve in increasingly rapid cycles, maintaining high agility at all costs, without compromising the effectiveness of control models. In short, we will see some good ones for a while longer.