Companies tend to view cybersecurity as a cost. Instead, Orange Cyberdefense Netherlands CEO Dennis de Geus points out that cybersecurity is a business enabler. “If you know a business and understand what it needs to do to be successful, then you can use that knowledge to eliminate the problems. That’s how you make gains for the business,” De Geus said.
We speak with De Geus on this topic to gain insight into what Dutch companies can do today to increase their security levels. De Geus has good insight into this, as he visits many organizations with the Orange Cyberdefense team. He notices that the average company has a patchwork of security services and advice. As a result, not everything functions as it should. A company that wants to fix this starts with reform that keeps security in mind. However, the right mindset is also needed to constantly involve the business to achieve real gains, De Geus observes.
Secure organization efficiently and effectively
The CEO of Orange Cyberdefense Netherlands divides cybersecurity into two aspects: the left side and the right side. The left side is about securing a company as effectively and efficiently as possible, while the right side is about aligning cybersecurity with business challenges. Through this alignment with business strategy, Orange Cyberdefense makes cybersecurity a business enabler. Before we can address this method of making cybersecurity a business enabler, however, it is important to understand the left side. Although Orange Cyberdefense’s work is often linked to the right side, the initial desire for security innovations usually begins on the left side.
When Orange Cyberdefense starts helping a company, it initially maps out its business strategy and looks at where it wants to go. This is inseparable from IT projects and strategy. About the business and IT strategy, Orange Cyberdefense’s consultants ask pointed questions. That way, one can get a picture of what a security strategy should look like. This can also include the company’s current security level, as that determines the next steps in a renewal effort with cybersecurity.
Including De Geus’ left-side story in this inventory is relevant to determining how to protect an organization digitally. “Then you want to know where your current and future earning power is. What assets are you earning it with? And what type of threat actors are those assets of interest to? Then, how do I build a network of measures to protect that organization? Where are the cyber risks really?” De Geus wonders about the first stages of trajectories at companies.
The basics
After identifying such issues, Orange Cyberdefense can determine how high an organization should set the bar. A thorough assessment is necessary because the cost issue comes into play on this left side. Obviously, an organization must be adequately protected, but doing more than is necessary is not wise in De Geus’ view. Then, an organization burns money. Basic hygiene should be in order as much as possible, and you have to be cost-effective with that. “Nobody gets happy if the organization is protected. People only get angry if the organization is not well protected,” De Geus describes the money issue.
This setup touches the broad domain of cybersecurity, which includes pure security tools such as identity and access management, cloud security, firewalls, managed detection and response, awareness, architecture, and strategy. Orange Cyberdefense takes these things and, in addition to technology, looks at people and processes so that they are included and aligned. They must keep up with the changes you envision as a company.
Total approach in the DNA
This is where De Geus believes Orange Cyberdefense’s distinguishing capability is visible: the ability to completely unburden itself in security. He sees organizations that knock on the door of a large consulting firm and get excellent advice about a new strategy and set-up. However, the consulting firm cannot help develop the strategy. Then, the company goes to a party that can assist in building it, but they want to tweak the details of the advice first to implement it. If the company wants to purchase managed services because it cannot build a SOC itself or does not have sufficient expertise, an additional party is needed.
This can be done differently, believes Orange Cyberdefense. “We want companies to be able to come to us for high-quality advice. They can also come to us for objective technology in its breadth. For example, there are four or five main firewalls, and we recommend a specific firewall. If you want the other one, that’s also possible. For Orange Cyberdefense, it doesn’t matter. And the third step is that the customer says, ‘just make it work for my organization, build it.’ That involves process design, governance setup, technology connection and configuration. We get out in the field, designing and implementing processes and technology. The latter is that we can also manage from our own security operations center in the Netherlands. Or in one of our other 17 SOCs positioned in strategic positions worldwide. That takes care of customers.”
With this, De Geus makes clear the philosophy of Orange Cyberdefense. The company wants to support every conceivable security tool and element of a good cybersecurity strategy.
Tip: NIS2 compliance is the beginning, better security the goal
Importance of consolidation
What can certainly be included in this overall approach is companies’ desire for consolidation. For example, statistics show that three-quarters of organizations want to reduce the number of security vendors they use. Indeed, the security architecture has become far too large at many companies. They embraced several security tools over the years to further eliminate risks. However, it resulted in the opposite: the tools and various security vectors were not adequately used. Many tools led to operational inefficiencies, and the architecture was insufficiently integrated. Because of the hefty number of security vendors, many different points of contact often lead to suboptimal communication flows and process alignment.
Now, companies strive to reduce the number of security vendors they work with so everything works better together and defends more effectively against cyber attacks. Orange Cyberdefense’s holistic approach to cybersecurity allows to achieve exactly that consolidation desire.
Local presence, global strength
Looking further into what sets Orange Cyberdefense apart from its holistic approach, we see the SOC as an asset within its services. To outsource SOC services, it employs some 250 security researchers who constantly collect, analyse and make available threat intelligence. These researchers operate worldwide, but local experts are also available. Dutch cyber threat intelligence experts work with the global team to collect and enrich information for Dutch organizations. Together, they annually produce a comprehensive report, the Security Navigator, aiming to help all companies by providing information on trends and developments. In it, Orange Cyberdefense correlates the latest developments around cyber threats. The insights into attack patterns and statistics should help companies fine-tune their cyber defenses. What’s convenient here is that Orange Cyberdefense enriches the insights with information from its sister companies. For example, because it is under the same ownership, it can gather threat intelligence from Orange Telecom’s telecom networks and Orange Business’ infrastructure expertise.
In addition, the SOC’s collaboration between local experts from Orange Cyberdefense Netherlands and colleagues from other countries works its way into the other parts of the service. If a company grows to the point that it starts business outside the Dutch borders, Orange Cyberdefense can make consultants available in the new country. If very specific knowledge about a particular security solution is desired, it can also be found at a foreign Orange Cyberdefense department. The local character of the Dutch department can thus be further strengthened through global cooperation.
Towards cybersecurity as a business enabler
The total approach that includes all facets of cybersecurity ultimately touches both sides we started this article with. So, on the left, you have made the organization more secure, while Orange Cyberdefense links the right side primarily security innovations to business challenges. This is by asking what business challenges are related to the digitization strategy. “Think about; we as an organization need to be able to get much more value from our data, we need to reduce development times for our new digital services, or we need to be able to collaborate much more intensively with our partners in the ecosystem,” De Geus explains.
These challenges are essential to understand because Orange Cyberdefense sees it as its duty to help think about the solution to the challenge from a cybersecurity perspective. “The moment you think about that as security experts, for example, reducing the development time for those new services, then you’re on the value creation side,” De Geus said.
That sounds like a nice wish, but De Geus makes this tangible with practical examples. De Geus saw a healthcare provider benefit from linking security to the business challenge. The business there wanted the nurse to spend more time at the patient’s bed. At first, you think of taking away traditional administrative work, but Orange Cyberdefense looked a little further. It saw that care workers were spending a lot of time logging into various systems. Minutes of work could go into that every day. At this healthcare provider, Orange Cyberdefense was able to significantly reduce the number of login screens through a revamped IAM strategy, leaving staff with more time to do what they were hired to do.
That’s precisely where Orange Cyberdefense’s DNA is. It wants every Orange Cyberdefense employee to understand where companies’ business challenges lie. “We understand what that customer does and needs to do to succeed. From that knowledge, we think about how we will solve the problems. Bringing those worlds together, that’s unique,” De Geus concludes.
Tip: There is no OT apocalypse, but OT security deserves more attention