For governmental organisations, it is important to have a clear overview of their digital footprint and risks. They need to ensure the right policies are in place when it comes to cybersecurity. To illustrate their challenges, and the benefits of digital footprint management, we've interviewed one of our customers from the governmental sector. Rick Verkade, Security and Privacy Specialist at Provincie Overijssel, shares his experiences in this interview.
Rick, can you tell us something about your role and the organisational structure of the Provincie?
“Of course. I actually have somewhat of a fresh outlook on the cybersecurity challenges within the organisation. I started my current job a few months ago, coming from a background in crisis management, where I prepared an organisation for crisis situations and advised management during incidents. Before I joined the Team Security & Privacy at the Provincie, their responsibilities were growing, which resulted in the CISO and Data Protection Officer having to do some operational tasks as well. That wasn’t what they were assigned to do as they hold more strategic positions, thus creating the need for my role.
“The Provincie Overijssel functions as the bridge, as it were, between the national government and the 25 smaller local municipalities within its borders. It controls policies and information in a broad sense, such as the infrastructure and environmental aspects, but also data on the 1.15 million residents. Naturally, it’s vital none of it is stolen or leaked, regardless of whether the data is sensitive or not. The security and management of the IT systems are my main responsibilities.”
What were your first priorities and challenges?
“Initially, I had to learn two things: the organisational structure and processes, and the digital environment. The latter was the more difficult of the two, as this was already a challenge before I joined. It was the CISO and Data Protection Officer who had started to map our online presence, but they could only do so much with limited resources and their governance-related tasks. So gradually, that task became one of my responsibilities. That way, I could provide the information he needed to set effective policies. However, before you can start to report on our security levels, you need to know what you have to secure in the first place. Logically, plans and policies are more useful when based on the entire digital infrastructure.”
What impacted the need for a solution?
“The factors complicating our asset inventory were the way IT and organisational practices were set up. On the IT side, we use a shared service centre for certain IT procedures and to host our domains. On an organisational level, we have a decentralised approach, resulting in more autonomy for individual departments. When, for instance, a marketing team wants to create a domain, that request is processed by the shared service centre, and a new domain pops up. However, this is not always clear to us, meaning we can’t keep track of the exact number of domains, the information shared on those domains, security certificates and more.
“There were three questions we had to answer:
- Which domains are out there?
- Which domains are under our management?
- What are the security risks of the domains?”
How did you fill those information gaps?
“There was no real solution in place, neither manual nor automated. We needed something that superseded the alternative of having to constantly check in with the shared service centre for new domain and security updates. Information security is my team’s responsibility, so we wanted to stay in control ourselves and not be dependent on our service centre – even though we know we can trust them.
“We had to start at the beginning. As there was no previous solution or tool for the asset inventory, this was the moment to create a solid foundation. Doing it right and thoroughly was important, and that’s what we needed help with. We are not yet at the stage to track security performance or policy effectiveness, but the inventory has grown with every confirmed asset the platform identified. We have already found more assets than we thought we had.”
What are the next steps?
“We will keep mapping our digital footprint to create an ever-increasing overview. The automated risk categorisation makes it easier to prioritise any critical vulnerabilities and risks right away, but the focus thus far has been on getting a full picture. It’s insightful to see what domains are related to our organisation, and who should manage them. We don’t take ownership of domains that aren’t under our team’s control, but the detailed information and suggested action per asset helps to steer other departments. Together, we’ve made significant progress to strengthen our cyber-resilience.”
Perhaps we can meet again for a second interview in a few months, to see how the insights into our digital footprint have developed?