Spotlight on Security
Ana Alves, Chief Information Security Officer (CISO) and Data Protection Officer (DPO) for GÉANT, talks to CONNECT about the role and the responsibilities of a CISO, a relatively new leadership position for GÉANT, about her involvement in the organisation’s security restructure, and its significance for the GÉANT community.
Ana, GÉANT recently announced the completion of its security restructure. Can you tell us about this initiative and the implications for the GÉANT community?
Yes. Let me first give you the context of our security restructure. Around two years ago we were facing some challenges related to the structure of the security team and lacked a strategy that reflected GÉANT’s values and objectives. When GÉANT started the IT restructure process, it became clear that we should take advantage of this opportunity and extend the restructuring initiative to also include security. I had the privilege to be part of the working group of experts involved in the restructure, and with the team’s passion and dedication we successfully completed this project.
The mission seemed impossible, especially considering how busy everyone was with their everyday tasks and work, but finally GÉANT’s approach to security was raised to a new level. We have successfully created a focused, dedicated and structured security team, looking to deliver secure products and services, as well as to provide the necessary support to the GN5-1 project and to the GÉANT community at large.
GÉANT now has a very different vision and posture and a far more conscious approach to security that adds significance to our role as a model for the community. We strive for continuous improvement at all levels of the organisation. One of the critical factors enabling our smooth transition to a higher level of security maturity has been the relentless support of the GÉANT Executive team.
What does a CISO do? What is the purpose and goal of this role? What are the main challenges you are tackling as a CISO and how?
This answer depends on the type of organisation, their approach to security, the team(s), and the structure. There are in fact far too many factors that can influence and define the scope of this role to be able to give a concise definition.
The CISO role at GÉANT originally emerged from the need for an independent security assessment resource reporting directly to the organisation’s management levels. Gradually it evolved from a role dedicated mainly to compliance, audit and assessment to a focus on GÉANT’s strategy, team alignment, objectives, security risks, and especially the coordination of all security areas and projects across GÉANT.
It was particularly challenging for me during this transition to find my place. The CISO role is an independent one, meaning that it is not part of a team or a department. That, for me, was the main struggle. I worked hard to find my voice and my place in the security team. Fortunately, GÉANT gave me the opportunity to work with extraordinary and generous colleagues who were absolutely crucial in this process. Working in a supportive environment, especially under the mentorship of Alf Moens (GÉANT Security Lead), has made my path so much smoother.
What’s next for you, Ana?
Well, there are so many things … I just wish my days had more hours, especially as I am a mum of two young children. At the beginning of this year, I returned from maternity leave, and it has been quite a challenge to combine the roles of DPO, CISO and Mum. The passion for my job and the love for my kids give me energy and inspire me every day. It is this continuous cycle between home and work and the support from my colleagues that makes everything possible.
For the moment, I’m dedicated to the supportive side of the CISO role for the benefit of the community. As part of this strategy, I was appointed Security Coordinator within the GN5-1 Work Package (WP1) on Governance, Management and Coordination. This position aims to be a resource for guidelines and security best practices for the community, ensuring that all areas, tasks, and projects receive the same guidance and are able to align on the same quality standards for project deliverables. The second part of this plan is community engagement, and to facilitate alignment among security experts from NRENs and support them in the implementation of security and legal requirements.
From the DPO (Data Protection Officer) role perspective there are also new projects that will certainly represent a challenge, but privacy probably requires a separate article.
Don’t hesitate to get in touch with me via firstname.lastname@example.org for any privacy or security-related matters, and if you are at TNC23, do come and find me at the GÉANT booth or at one of the security meetings.
For more information about security products, services and initiatives at GÉANT, visit security.geant.org
This article is featured on CONNECT43!