Thursday, January 23, 2025

Schneider Electric Deputy CISO on Managing Trust, Supplier Risk


During a keynote at last week’s Forrester Security & Risk Summit in Baltimore, the research firm presented energy management and industrial automation company Schneider Electric with the Security & Risk Enterprise Leadership Award. Stephanie Balaouras, vice president and group director at Forrester, led a discussion with Mansur Abilkasimov, Schneider Electric’s deputy CISO & chief product security officer, and bestowed this year’s honor.  

Balaouras noted that the judges, a group of Forrester analysts, voted unanimously to choose Schneider Electric. Barclays was the first recipient of the award in 2023.  

Schneider Electric’s ability to integrate security, privacy, and risk management across the enterprise stood out as a factor in being chosen, according to Balaouras. 

“We wanted to recognize organizations that have figured out how to take these functions, embed them across the enterprise, and actually use them as a driver of business, use them to drive business success and drive results, and improve the organization’s reputation for trust with customers, employees, and partners,” Balaouras told the audience. 

A Holistic Approach to Security and Trust 

Schneider Electric is a company that develops everything from DC chargers to safety instrumented systems. It maintains a holistic approach to energy management in which security, privacy, and risk do not exist in silos.


Carrying out an integrated strategy is a challenge for a company like Schneider Electric given its wide footprint in infrastructure, distribution centers, and factories filled with industrial machines. Abilkasimov told the audience that nobody can achieve 100% visibility, but gaining this visibility as part of risk management is a key challenge for the organization. 

In his keynote, Abilkasimov stressed that product security is not an afterthought and is integrated in the “holistic vision” of a product’s life cycle. In a “security by design” or “security by operations strategy,” the manufacturing teams are responsible for security by design as well as security by operation, he said. 

The company received the award because of its implementation of a Trust Charter that incorporates ethics, safety, cybersecurity, and governance as well as a Trust Center, which addresses the requests of customers and stakeholders in security and data protection.

“Trust Charter is a document that embodies all our principles and tenets for code of conduct, from AI to cybersecurity, from ethics and compliance to price, from safety to quality,” Abilkasimov explained in the keynote.


Abilkasimov and his team also organize a “Trust Month” in which they lead discussions with employees and partners about cybersecurity and trust.

“Cyber is one of the pillars of this trust,” he said. 

Trust is important for both cybersecurity and talent retention. Forrester recognized Schneider Electric for its ability to find talent for cybersecurity roles in operational technology (OT), according to Balaouras. 

“Companies that are trusted, they earn and retain customers,” Balaouras told the audience. “They earn and retain the best talent. And what we’ve also found is customers are actually more willing to share sensitive data with trusted companies and even embrace emerging tech, where in other situations, they would have skepticism or fear of engaging with that emerging tech.” 

Schneider Electric Tackles Third-Party Risk  

In his keynote remarks, Abilkasimov described Schneider Electric’s approach to managing risk from the company’s 52,000 suppliers, which include suppliers of Internet of Things components and regular IT as well as service providers. He explained that companies must prioritize which suppliers to work with on a security assessment.

“It’s impossible to cover all of the suppliers with a cybersecurity or third-party security program, so sometimes you need to choose your battle,” Abilkasimov told InformationWeek after the session. 


Schneider Electric has added 5,000 suppliers to its third-party cybersecurity program. It started with the 300 most critical IT suppliers, and the company will grow the program further, according to Abilkasimov.  

“We work with those companies on cyber, crisis simulations, partnerships, C-level connections, and continuous monitoring through threat intelligence or cybersecurity scoring platforms,” Abilkasimov said in our interview.

He added, “Be it an IoT supplier or simple product security component supplier, they all go through this process.” 

In Forrester’s “Security Survey 2024,” 28% of breaches stemmed from a software supply chain attack. Also, in another Forrester report, “What 2023’s Most Notable Breaches Mean for Tech Execs,” third-party vulnerabilities were the top cause of breaches in 2023 and comprised 23% of all breaches.  

How Forrester Chooses Its Security Leadership Award Winners 

Forrester had opened nominations for the award on May 1. Balaouras said the evaluation process is similar to a security maturity assessment. Companies must show metrics or KPIs that prove ROI, and they should exhibit how they approach security by design and privacy by design. 

“We talk about their overall approach to embedding security, privacy and risk management across the enterprise not as discrete functions, but how they embed it across the enterprise,” Balaouras told InformationWeek after the session. 

Balaouras stressed that Forrester doesn’t handpick the winners. “We put out the award and put out the criteria, and we invite companies and organizations from the public sector to look at them and nominate themselves,” she said.

Barclays received the award in 2023 for maintaining trust and transparency in its universal banking operations and for its human risk behavior metrics that revamped the company’s security culture.

A key factor in Schneider Electric’s success in managing security and risk is making trust concrete, according to Balaouras. 

“When I compare Barclays to Schneider Electric, I think one thing they had in common was executive-level commitment to security, privacy, and risk management as critical features of building trust,” Balaouras said. “Both organizations from top to bottom really had buy-in.” 

She continued, “When I look at Schneider, they put trust front and center, and they had operationalized it. What was truly unique at Barclays … last year was they had really extensive security awareness and training for a large financial institution. They had really mapped out all the complex matrices, all the different stakeholders who work together.” 

Balaouras also noted Schneider Electric’s Cyber Risk Register and how the company integrates it in the organization to make people accountable. The cybersecurity team manages the register to track potential threats, such as those that may come from third parties. 

“When it comes to the cybersecurity side, it always comes back to the risk register,” Abilkasimov said. 
