Interview with George Kanellopoulos, Information Security Operations Manager, Coca-Cola Hellenic
George, could you outline your current role at Coca Cola Hellenic?
As one of the largest bottlers of the Coca Cola company, Coca Cola Hellenic operates in 28 countries across Europe, Asia, and Africa. My role is to keep the security assets of this operation safe.
How has security, as a topic or issue, changed in the past 3-5 years? How do you see the future?
I feel that information security is gaining ground in our company as we evolve, and we monitor this area very closely. Hopefully we will not have any serious incidents; we are not a very high-profile company in terms of risks. Our main business is to bottle and distribute Coca Cola products in 28 countries, so we can’t be compared to, for example, a financial institution when it comes to information security. Nevertheless, we do have our “crown jewels”, such as our brand. And reputation for us is key. So, in fact, this makes brand protection one very important aspect of our business.
We are always trying to stay close to our business priorities, as they shift from time to time. Recently, the most influential technology trend for us is the digitization of our business. While five years ago, Coca Cola Hellenic had a small footprint in the digital world, our business was primarily taking place through physical channels. Recently, we expanded our business across digital channels and social. We also keep an eye on the regulatory compliance requirements that are evolving around us. We have a zero-risk approach versus any regulatory compliance.
We are always seeking a balance between the value of our assets and the amount we invest in protecting them. The cornerstone for our information security is the risk-based approach. As information security professionals, we always aim to stay as close as possible to our business priorities, and always adjust our program to meet those priorities.
How have these priorities been changing in recent years, and what do you see as the main drivers of those changes?
The priorities have been changing due to the way we want our business to operate. I mentioned the digitization of our business as one of the core drivers. Our channels are traditionally non-digital channels. We are exploring this area in order to evolve, just as we are exploring other technologies to expand our business. In this situation, information security becomes essential, in order to address our growing digital footprint and ensure that associated risks are mitigated.
To give a more specific example, in the area of Internet of Things, we are exploring some technologies, such as “smart coolers”, which will be equipped with a system to collect information for the use of maintenance and other purposes (e.g., stock levels, ideal temperature, door openings, peak times, etc.), and this has to happen in a secure manner.
You mentioned IoT. From a security aspect, you have two issues: you have to protect the business data and you have to protect the connected devices in the field. How do you manage this?
That is correct. To be honest, I must say that we haven’t explored this area fully since IoT is new for our business. Let’s take a smart cooler as an example; it needs to be protected from many kinds of hacking attacks. The data must be inaccessible and unable to be tampered with either during transfer or at rest. We have certain controls in place to protect and validate that. But again, our experience with the Internet of Things technologies is recent and still evolving.
Just as the market is evolving.
Exactly. Our traditional business model is evolving to keep pace with and take advantage of new digital technologies.
Would you say that your current focus when it comes to information security is more on internal or external threats?
At this stage, we feel that external threats are better managed and risks better mitigated than internal threats. So the protection levels and controls in place for external threats are stronger, and we have observed a trend in the market that internal threats are rising. We are now moving towards a level of protection that is “source neutral” if I can say that, where it is the same regardless of whether it is internal or external.
Have you developed any new kinds of measures due to these internal threats growing?
Yes, we are actually well aligned with the industry standards; our information security program stays very close to ISO 27000, NIST and the other related frameworks. One area that we put greater focus on in terms of internal threats is the area of information security culture. So we are building a program, rolling out an advanced awareness program – I like to call it an information security culture program – where we separate our people into groups based on different risk profiles and needs. We then apply a different set of controls and communication for awareness to ensure that our perimeter of people is the strongest part of our information security program.
Do you have processes in place that can overcome the challenge of processing and classifying the large amounts of data you generate?
In our business we produce a lot of structured data (e.g., orders, invoices). For the time being, it is a sufficient challenge for us to manage the structured data before we turn to the unstructured, or dark, data (e.g., documents, pictures).
The classification of the structured data follows a standard classification policy. It is based on the principle of the risk profile of the data. We encrypt certain data across the full matrix of our data, but for the time being, ways to encrypt the unstructured data have not been explored.
In terms of your personal experience, how has your understanding of security evolved?
In a personal light, I find myself challenged to better understand the business that we are in. Coming from a technology background, I’m very frequently unable to synchronize and address the same risks as we see in our business. In the past, information security was a topic in which our business was marginally interested; risk tolerance levels in the company were high, and most of our activity was internal. However, with the digitization of our business, the growth of data, and the amount of that data that rests outside our company due to outsourcing contracts and working in the B2B sphere, we now see an increased risk for our data being “out there”.
This brings information security higher on the agenda of management, and thus my understanding of business requirements is becoming more demanding. I would say that I need to adapt faster to this new environment and to requirements that didn’t exist in the past.
And how has this affected your relationship with the board? Do you find yourself challenged to justify the new investment requirements?
This dialogue is always challenging. In the past, we have both taken steps to close the association gap. A very recent approach we have taken in this direction is to link all the related information security costs with associated business priorities and respective business risk. So we capture the strategy of the business first, and then we see ourselves as enablers of this strategy. A specific example of this: our company implemented a B2B web sales channel that is currently active in six countries, through which we accept orders from small outlets via the internet. So this is a new channel for our business – it is digital, and we saw that we need to secure those transactions. We needed to ensure that our customers, the outlets, which are accessing our systems 24/7/365, feel secure to place orders based on online information on product availability, price, and active promotions. The respective information security costs were justified as enablers of this new digital sales channel, which is one of the priorities of our business. In this manner, we get a much better response to our justification of related information security costs.