Privacy and regulatory compliance are fundamental aspects of good IT Governance in any organization. To discuss them, Byte TI, together with HCL Software and DataDog, organized a meeting with the participation of David Caballero, CIO of Kymatio; Manuel Asenjo, CIO of Broseta; José Luis Berrocal, EMEA security sales leader at HCL Software; Carlos Castells, CIO of Serban; Daniel Damas, head of IT assurance at Nationale-Nederlanden; Alejandro Expósito, CIO of Servatrix; Jaime Alonso, sales engineering manager at DataDog; and Ildefonso Vera, director of digital transformation at Isdefe.
Implementing robust privacy policies, complying with the existing body of regulations, and protecting sensitive data to strengthen customer trust are just some of the aspects that must be taken into account in good IT Governance. A correct strategy reduces the risk of legal sanctions while improving business continuity and fostering a culture of responsibility and transparency. In this sense, DataDog and HCL Software are two firms that are helping organizations develop a correct IT Governance strategy. The first is a SaaS monitoring, observability and analytics platform that offers a unified view of infrastructure and applications, allowing companies to monitor performance and security in real time. In this way, it helps companies comply with existing regulations and implement advanced security measures to protect sensitive data.
For its part, HCL Software is the software division of the Indian group HCL. In the IT Governance area, its proposal includes solutions that support compliance with different regulations. In addition, it provides systems to identify, evaluate and mitigate risks related to regulatory non-compliance, and develops technologies to protect sensitive data and guarantee the privacy of information.
Both companies are helping their clients adapt to a reality in which compliance with legislation is becoming increasingly complex. As Ildefonso Vera, director of digital transformation at Isdefe, explained, “either we adapt or it will affect the productivity of companies. We have constant changes practically every month, so we have to be attentive to new calls and to what is coming out on the market. Internal IT departments must be in charge of managing services. In our case, we are working in three directions: ensuring business continuity, securing customer and supplier data, and a third line, which is information security, because more and more data is handled.”
Alejandro Expósito, CIO of Servatrix, stated that in the case of his company, “we have an advantage, and that is that we are a spin-off of the Autonomous University and everything has to be built from scratch, which is an advantage since you do not have to adapt and there is no legacy. The mentality we have about IT control or governance is that cybersecurity and data protection must be part of the company’s DNA.”
The difference between the companies’ ways of operating was very clear from the beginning. For example, as Daniel Damas, head of IT assurance at Nationale-Nederlanden, explained, “our idiosyncrasy is totally different from that of other firms. For example, in our case we are completely regulated. And that causes us to anticipate what may come. This is something that, for example, we are currently doing with NIS2. The Government has not yet transposed the directive into Spanish legislation, but we want to be prepared when it does, so what we have done is adapt to ISO 27000.”
Carlos Castells, CIO of Serban, explained that their challenges are several: “In our case, we have, on the one hand, the technological gap, but on the other, we are acquiring companies in other countries that have different regulations, so you have to adapt to all of them. To all this we must add that having to provide services to clients while complying with all regulations is complex. The most important part for us is therefore observability.”
For his part, Manuel Asenjo, CIO of Broseta, gave priority to protection. As he explained, “for Broseta the main objective and the most important thing about our strategy is not to lose credibility with customers. For this reason, the protection of their data is one of the most important parts.”
How to address the situation
Protecting data and complying with regulations poses, as we have seen, different challenges. But there are some fundamental elements that should be common to all companies. In this sense, José Luis Berrocal, EMEA security sales leader at HCL Software, believes that “the correct approach is when the business is aligned with IT strategies and functions are automated. It’s about implementing strategies that make sense. Our tool allows companies to comply with each and every one of the regulations that exist. Among other things, we carry out a complete control of all the tools that companies have implemented.”
For his part, Jaime Alonso, sales engineering manager at DataDog, stated that “companies that are successful in IT governance are those that have an appropriate culture. If they continue working in silos it is more complicated, while those that have security and compliance aligned with the rest of the teams and divisions are the ones that are successful.”
In this sense, Ildefonso Vera stated that “in the case of Isdefe, what we try is to involve everyone in the cybersecurity part, so that everything is aligned. It is true that this generates more bureaucracy, but there is no choice if you want to comply with the legislation.”
For Alejandro Expósito, “bureaucracy and those processes that are tedious are a cultural issue. In my case, it is the business that demands compliance with the cybersecurity and compliance part. If we do not comply with regulations, in our case, it can mean the slowdown of a certain project. So it is the users themselves who require you to comply with the rules. Governance is there to protect data.”
On many occasions “the problem is that the internal client is not always aligned. There are times when the only thing the client wants is the seal that allows them to demonstrate that they comply with the regulations, but they don’t care about the rest of the things,” said David Caballero, CIO of Kymatio.
For Daniel Damas of Nationale-Nederlanden, “there has to be a balance. We are experimenting with different actions because the security area has very well-defined patterns and what we want is to improve the pipeline. If a department or a user does not comply with the rules, then you are a stopper. In our case, now everyone knows that when someone passes an application, they already comply with the rules.”
For Carlos Castells, “it is true that everyone wants a seal, but regulations have had to come to demand that they really comply with them. It’s sad that this happens. The problem is to change the processes and culture of companies, especially those that have been in existence for a certain period of time.”
Employee training
One of the main problems is related to employee training. It is about immersing them in a new culture of cybersecurity and that can be complex in some cases. In this sense, Damas considers that “one of the keys is not to impose how one should act. It is about the employee who realizes the importance of carrying out actions safely. This way, if you make a mistake the next time you will stop making it.”
Then there is the problem of experience and age. Although during the debate some participants assured that it is difficult to impose certain rules on younger employees, the majority considered that the main challenge comes from older employees, for whom it is more difficult to change their way of working. In this sense, the Isdefe spokesperson stated that “young people better accept aspects such as clean desks or two-factor authentication.”
For the CIO of Serban, the origin of the employees and the countries in which they are located is also a factor to take into account: “For example, the Germans are very clear about the importance of security, while in other countries they have no concern about it.”
Manuel Asenjo, CIO of Broseta, highlighted, in this sense, the cultural part: “in European culture we are hyper-regulated, which differentiates us from other regions of the world, and then management support is also important. The management has to support you 100% because it is the formula to move forward.”
“There the regulations have benefited a lot,” says Daniel Damas of Nationale-Nederlanden. “When you tell the Steering Committee that you as a person may face criminal liability, then they become aware of the importance of complying with the regulations.” In this sense, Alejandro Expósito considered that “complying with the standard is not a matter for the CEO, but for the entire management committee. That is why it is seen that much more importance is already given to these aspects by the boards.”