We talked with Antonio Grimaltos, from the Information Security Office at the Department of Health in the Autonomous Community of Valencia, about the importance of implementing the Spanish National Security Scheme (ENS)
After Sothis was recently certified in a high category of the National Security Scheme, we spoke with Antonio Grimaltos, Technician at the Information Security Office that’s part of the Department of Universal Healthcare and Public Health in Valencia’s Regional Government. Before, among other positions, he was Head of the Systems Section and Head of Security at the Júcar Hydrographic Confederation (2016-2018). His job is to manage security incidents, analyse the data provided by IDS probes, coordinate solutions to vulnerabilities and implement the ENS.
Question: How did you get your start in the world of information security?
Answer: I didn’t get my start at university, since there were no subjects that addressed cybersecurity issues. Actually, there were none at all back when I was studying, as I was part of the second class at the Polytechnic University of Valencia, and I believe there still are none, which I think is a mistake that needs to be corrected.
In my case, in the Administration, specifically in Agriculture, we were receiving reports from CSIRT-CV in 2011. Thanks to this information, we started to have notions about security aspects, intrusions, attacks, unauthorised accesses, etc.
I was entrusted with the task of working on maintaining compliance with the good practices provided for in ISO 27002 and then the DGTI security department was formed, which I was a part of.
Q: How have you experienced the evolution of information technologies?
A: On Twitter I recently posted: “I recognise that I’m a dinosaur.” I learned to program in Pascal and in Cobol, I saw the evolution of Visual Basic, etc. I consider myself a lucky guy since I got to experience this evolution. You have to read, a lot. We have to keep learning day after day, since everything changes at a supersonic speed in Information Technology, and even more so in cybersecurity.
Q: What do you consider to be the current state of Cybersecurity in Spain? Is there a link between ENS, CIP Law, NIS, GDPR, etc.?
A: The current state is good. Except for specific cases, there are no large-scale attacks, but it’s important to note that a company will never recognise an attack, as this would impact its image and its prestige. But in general, everything is pretty much under control.
All the regulations related to Information Security (ENS, CIP, NIS, DPA) have resulted in mandatory compliance, which has improved the current state of cybersecurity.
Q: Are the Public Administrations adapting correctly to the ENS?
A: If we understand adequacy as the last and final step being certification, then I would say no. On the other hand, if we view the adequacy of the ENS as the implementation of measures, then yes. Even if they are not audited, security controls are being implemented.
Q: At the beginning of the implementation of the ENS, how did you approach the first meetings?
A: The first meetings have to be approached with Senior Management or the Agency’s Management. The assignment of responsibilities must be very clear. If done correctly, it should only be necessary to meet with those in charge of the different established “parcels”. That is the basic start: identify who assumes what roles in each area.
Q: Regarding the protection of information, what is the weakest link in an organisation?
A: It’s always human error. But, in cybersecurity, it’s said to be the user, and very little is being done in this regard. More awareness is needed. With just a one-hour course, you could solve a whole lot in an organisation.
We’re at war. Readers can ask their firewalls, their proxies, their antivirus, etc. It’s a war of organisations who want to take advantage of how easy we make things, being able to wreak havoc. Who will win the war?
Cybersecurity is a wall, in charge of protecting order against chaos. Cybersecurity people aren’t enough to stop the attackers. Users are needed to win the war. If, for example, you raise awareness in an organisation with 32,000 users who, when they receive an email with an attachment from someone they don’t know, send it directly to the trash can, then you just created an environment with 32,000 firewalls. Thanks to the idea of the Human Firewall, you’ve just gotten rid of 32,000 headaches and thus you’ve just established the strongest link.
Q: What do you consider to be the main errors in an Information Security Management System?
A: Actually, an ISMS as such has no errors. It is people who create the errors. The maintenance of the ISMS is critical and sometimes we forget about it. In the Administration, I think this is an important mistake, since with changes in personnel or rotations, the employee in charge of maintaining the ISMS adequately often encounters an unknown world. The ISMS is like a monster that needs to be fed.
Q: What is the role of Risk Analysis within the ISMS?
A: RA is a key element to compare how you have evolved. The high point involves adequately controlling your inventory, so that you consider the risks properly. An updated inventory, with the relevant threats, allows us to see what can affect you. An updated asset inventory is essential.
Q: How do you see the future of the information security sector in the public and private spheres?
A: I see a good future in the private sphere. In the public area, we need Public Administrations to take the issue of cybersecurity seriously. There are very few established job positions that exclusively deal with information security.
In medicine, for example, paediatrics is a speciality. There are a wide variety of positions that require specialisation. In cybersecurity, the positions are IT positions, but not just any programmer can do this job. There are many chief positions, but there is a lack of more technical cybersecurity profiles. That is, there is a lot of management and a lack of response. The perspective must be changed so as not to end up with a bleak scenario.
The vision of the expert
With regard to the National Security Scheme, I support Antonio’s claim that it’s the most powerful tool we have. It is a set of principles and requirements that could be considered strict at the time of their implementation, both due to the operational changes it requires and the resources it demands, but it results in various benefits such as:
• It involves the implementation of certified and qualified security products.
• It provides security management in daily operations.
• It contributes to compliance with applicable legal requirements.
• It provides greater guarantees to citizens while using electronic resources.
Once the ENS has been implemented in an organisation, the primary objective of any ISMS is automatically fulfilled. This objective is “to know the state of the security of information systems”, and to do so, a document structure and maturity in the organisation is required that, in the face of an audit, reflects a true, verifiable and updated state of security.
While it’s true that the governance framework implemented in the entity provides security measures, protection and other documentation that supports it, merely applying it is not enough. It is management’s responsibility to convey this knowledge to all the employees within its scope, thus contributing value to the organisational pyramid.
Detecting and analysing the lessons learned from each of the processes allows us to identify new needs in terms of security. Regarding the future of information security in the public and private sectors, I foresee an impressive evolution in the former, compared to recent years. However, one should not fall into the trap of seeing the entire organisation as being completely based on a single security project. Continuous Improvement is a transversal process that requires constant innovation and renewal so we avoid becoming, as Antonio said, dinosaurs.
Therefore, at SOTHIS, as a provider of security services to Public Administrations, and in compliance with point 48 of Guide 830 SCOPE OF THE NATIONAL SECURITY SCHEME, our clear commitment to Information Security is reflected through the certification in the HIGH category for the information systems that support the provision of consulting and auditing services in the field of information security, regulatory and legal compliance, risk management and training; 24×7 Managed Services for Monitoring, Operation, Systems Administration, Communications and User Support Centre; Security Operations Centre (SOC); and Projects and managed services for Cybersecurity Solutions.