Welcome to episode 13 of Software Security Gurus, with Matias Madou. In this interview, he chats with Florence Mottay, security expert and Global CISO at Ahold Delhaize.
They discuss her recent win of prestigious industry award, and how this could positively influence cybersecurity transparency at the company level, as well as her experience in security training software and how the approach has changed over the years. Finally, Matias quizzes Flo on which of four CISO 'tribes' resonates with her way of working.
What is the Cyber Security Annual Report (CSAR) Index trophy all about? 01:30-06:12
A long history of working with developers, security training, and application security: How has training changed over time? 06:12-12:08
CISO tribes: Which one are you? 12:08-17:30
Got an idea for a topic, or a guru guest? Contact us!
Matias Madou:
Welcome to today's Software Security Gurus webcast. With me today, Florence Mottay. Welcome, Flo.
Florence Mottay:
Thank you. I'm happy to be here.
Matias Madou:
Absolutely. Hey Flo, do you mind saying a few words about yourself?
Florence Mottay:
No. Happy to. So on the professional side I've been at Ahold Delhaize for the past four years. First joined as the CISO for Europe and took on the global role a bit over a year ago.
Matias Madou:
Congrats.
Florence Mottay:
I've been in information security my whole life. I mean, almost, you know, 20 years. And I've always been on the consulting side of the fence before joining Ahold Delhaize in 2016. On the personal side, I'm French. The accent, can't do anything about this accent, but I lived in the U.S. for nine years and I've been in the Netherlands for 15 now. And I have two gorgeous daughters, 15 and 10.
Matias Madou:
Absolutely. And we know each other for I think the last 10 years, if I'm not mistaken. Running around in Europe, interviewing CISOs, and lo and behold, you're a CISO right now.
Florence Mottay:
Exactly. And that's right. We've known each other for quite a long time now.
Matias Madou:
Absolutely. So today, if you don't mind, Flo, I would like to go through into a couple of topics that are hopefully near and dear to your heart. So first of all, you received the Cyber Security Annual Report Index trophy. Congratulations for that. So it's this year's highest appreciation for a listed company. So the award recognize a cybersecurity transparency and the way you deal with cybersecurity challenges. Do you mind sharing a few words about that and what's all that about?
Florence Mottay:
Yeah, absolutely. First I think it's a great accolade for the entire team, because transparency is really what we strive for every day. And we strive for that from a lot of different angles, right? I mean, we want to be transparent with our customers. We want to be transparent with our associates and we want to be transparent with our communities, which is important. We are in the retail business, so we sell food. It's very important for us to be as transparent as possible.
Matias Madou:
And so it explicitly says, "Hey, it's for a listed company." And when I read that I was asking myself like, "Hey, is that really, is that a curse or a blessing?" Because I couldn't get my head around that.
Florence Mottay:
Yeah. And it's an interesting question, right? Because I think there are a couple of ways that you can think about it. The first is, when you're publicly listed, you tend to be more in the line of sight of some groups. So some activists for example. And it's especially true when you're a group of our size. I mean, we serve over 54 million customers in our 7,000 stores, we have 380,000 employees. And so yeah, strategy it's something that is important and that we take into account. And I think there's another aspect as well. So when you're publicly listed, you also have to report to shareholders. And so you'll have to have the support of the supervisory board, right? And I guess it can be a blessing or a curse. It can be a curse because in some companies there is little appetite to invest in information security.
Florence Mottay:
On our side at Ahold Delhaize I have to say that we have strong support from the executive committee, from the supervisory board. I mean, you mentioned the award, right? If you look at the post on LinkedIn for example, you'll see that both the CEO of the group and I received the award together. And so that does show strong commitment. And yeah, we all have the same common objective just to make the right decisions when it comes to information security for again our customers and our associates. So yeah, it does lead to fruitful conversations. And I would say that for us it's a very good thing.
Matias Madou:
Okay. And on the transparency side they also say, "Hey, you know what, you're very transparent in what you're doing." Can you give an example of, I don't know, things that you publish or things that you push to the market or say about your security program?
Florence Mottay:
Sure. Actually I'll give you an example that has been quite visible to the rest of the world as well. Last year we suffered some credential stuffing attacks. So it's interesting, because usually you always have to give a definition, but I don't today, so there you go. And we reacted extremely fast technically of course. But also with our customers we had direct communication very quickly. We also published a press release, explaining exactly what had been going on and what measures we were taking. And so for us, it's a real example of how transparent we want to be as a company.
Matias Madou:
Yeah. And I think that's really the right approach, being transparent about what happened. Because there's always something that comes out later on if you try to hide something. That's absolutely the right approach.
Florence Mottay:
Yeah, absolutely.
Matias Madou:
And so what is the biggest challenge in ... So now you've achieved this award, what's next is then my question? Because you're already like top of the list now.
Florence Mottay:
Well, there's always things that we can improve on, right?
Matias Madou:
Yep.
Florence Mottay:
I mean, we are on a journey. So as much as we've achieved a lot of transparency, again with our customers, our associates, we can still do more and we constantly strive to educate our colleagues within the company and make sure that they understand what we do, why we do it, and what they can do to support the organization.
Matias Madou:
Okay, education. Perfect segue into my second question.
Florence Mottay:
Absolutely.
Matias Madou:
So ages ago you actually led a team that built application security training. Today you have bought into a training that is fun and engaging. And I was wondering what has changed in your mind in the last years? And you have a long history with training, with training developers, working with developers, making sure they write secure code. But on the training side I would love to hear how you think about that.
Florence Mottay:
Yeah. So first it is ages ago, you're right. It really feels like a few lifetimes ago. But look, when I think back, I think that we have new platforms, there's new technology. It really allows the gamification to be taken to the next level. And so for me that's the main difference, right? I mean, it's more appealing for teams. It's easier to adopt. On the content side what's interesting is that you see of course new bits and pieces that go with our new platforms, new frameworks. But if I think of secure coding training 20 years ago, and today you still see a lot of the same foundational principles. And it's good, because it goes to show that, yeah, we still need to reinforce that, we still need to reinforce the basic sets of rules that you need to follow.
Matias Madou:
Yeah, unfortunately we have, because there's constantly turnover. There's constantly new people joining the workforce, becoming engineers and security is, they have to learn it somewhere. What is success for you? If you think about a training program, what do you consider success?
Florence Mottay:
So I think that if a program speaks to its intended audience, it becomes successful. And that's where you see that you don't have to make it a mandatory event for people to actually do the training. It's something that they want to do because they feel like they're learning and that they're actually contributing directly to their growth.
Matias Madou:
Yeah. By the way, I totally agree. If I look at my kids, they like to learn on Duolingo and they hate languages, but they do it on Duolingo. And if they get the same continent school, yeah no, it's not working for them.
Florence Mottay:
It's not the same, right? You have to find the right way to teach and everybody's different. I mean, you definitely have a different learning groups in companies or even the stuff on the personal side of things.
Matias Madou:
Oh yeah. You have to find something that works for the individual.
Florence Mottay:
Yeah.
Matias Madou:
On software security and training people like the awareness piece, like how important is that for you and for the company?
Florence Mottay:
So awareness for us and beyond software security, right. Just information security awareness is really front and center in our strategy. I mean, maybe one day we'll have the right technology that will prevent every attack and will protect all organizations and everybody personally, but we're certainly not there yet. And so the human risk is still the biggest one. And we take that very, very seriously. We have an awareness program, it's called Living Data. It's something that we launched four years ago and that we refine every year. And it's very varied to the discussion we just had. It tries to really teach to all of the different types of learners. So we have computer-based training. We run a lot of phishing campaigns. We have targeted training and not only for developers as we just discussed, but other groups as well. So marketing, mergers and acquisitions, et cetera.
Matias Madou:
Go ahead, sorry.
Florence Mottay:
Yeah, sorry. We also have a network of security ambassadors in the company and we have a yearly event, which is actually coming up in a couple of weeks. All virtual, very exciting.
Matias Madou:
No, so I was going to say that is fantastic to hear because I always think about security. The entire organization has to rally around it and it has to be everywhere. You can not only point to the developers and say, "It's your mistake." So fantastic to hear that it embodies everybody in the organization. Maybe one quick more follow up question on application security training. Because you know, you have so much experience from ages ago. Back in the day, or when did you decide like, "Hey, now is a good time to train developers?" Or back in the day when you were doing consulting, when did you think like, "Well, in this organization now it's the time to introduce training."
Florence Mottay:
So if you think of it from the perspective of the information security department, I think that in order to have developer buy-in, you have to have a trust, right? You really have to have the trust of these groups so that they understand that whatever you're trying to propose and what you're trying to include is something that will be beneficial. And I've seen that numerous times in my past lives, but also I've experienced it here. We information security introduced the program, but it was actually chosen by a representative sample of developers across the company.
Matias Madou:
That's good.
Florence Mottay:
And so we did benchmarks, we did tests. And when we had the solution, we actually helped introduce it. And that's what really made it successful.
Matias Madou:
Okay, thanks. Maybe a third topic. And given your previous answers, I may already predict what you're going to say, but still. So there's the CISO report, which divide CISOs in four tribes. And you're a CISO, so it's natural to ask this question like, "Hey, there's a tribe called security as an enabler. There's a security as technology, there's security as compliance, and there's security as a cost center." Where are you in this CISO tribe? You're very familiar with the CISO reports. So I really was wondering like, where do you think you fit?
Florence Mottay:
Well, if you look at the progress we've made in the past few years, we really went from a compliance-driven organization to what we call internally the adaptive information security. And so it's been a great journey. And if you look at where we are today, we have the year of the executive committee of the supervisory board. I have a global team of which I'm extremely proud. They're very well-rounded, very much business focused. And so not only are we embedded in all of the initiatives, whether they're IT or really business, but we also constantly try to make it easier for our stakeholders to be secure. And so we leverage automation wherever we can. We embed security as much as possible in daily tasks. And we do that centrally for the entire organization. And so we're talking 19 brands across 10 countries. So with that I think it qualifies us as tribe one as our security as an enabler.
Matias Madou:
Yeah. I couldn't agree more. If I read and hear, if I read what has been written about your organization and if I hear you talk about how you do things, I would say, yeah definitely try one or maybe try two, because I know you had a development background. So maybe you're a lot focused on technology, but I can see why you ... I think, I assume you're very happy to be in tribe one, that you landed tribe one?
Florence Mottay:
Yeah, absolutely. But for me there are always areas where we can improve. So we're not done, right? We're certainly not saying, "Okay, we're in tribe one, security as an enabler is what we want to be, because it is." But within that tribe there are still things that we can do. And so we're on the journey, we're continuing to support the growing needs of the organization and to manage the evolving threat landscape.
Matias Madou:
Yeah. It would be good for other people to figure out like how you moved on from tribe three really from the compliance to tribe one, because there's a lot of people that want to make that move, but struggle in doing that. So congratulations on getting that done.
Florence Mottay:
Thanks.
Matias Madou:
So maybe last question, and I know, we know each other for a long time, so I could ask you questions about cocktails or teenage girls, or anything. But my last question is actually something that really interests me, but we never really chatted about that. And you alluded to that in the beginning. So you lived and traveled abroad extensively, and ultimately you settled in Amsterdam. And let's be honest, you had to learn Dutch, which is not quite the most useful language on this planet. So why on earth did you chose Amsterdam? How did it come that of all these places that you visited and lived at, that you chose Amsterdam?
Florence Mottay:
So I'll answer in two ways. I'll tell you why we came to Amsterdam and then I'll tell you why we stayed in Amsterdam.
Matias Madou:
Sounds good.
Florence Mottay:
So when I was in the U.S., I was working for Security Innovation, a software security company as well, consulting company. And in 2005 I was asked if I could come open the European branch of that company. We had a number of customers and there was some appetite to have a branch here. And so we looked at three places, Brussels, Amsterdam, and Frankfurt, because we have customers in all of these. And well, they were fairly central. And we ended up on Amsterdam really by pure luck, right? The CEO and I were talking, we were looking at taxis, I mean, everything, right? And so we said, "Okay well, let's try Amsterdam. And then in a couple of years we can see how it goes."
Florence Mottay:
And so we landed here with my husband and my three months old daughter without knowing the city or the country at all. And you know, just luggages, ready to move from Florida. And we thought, "Well, we'll see how it goes." And 15 years later, we're still here because it's such a great place to live in. The city is gorgeous. It's a capital city really at human size. And work-life balance is very nice. There's a lot of respect overall for personal lives and just having children, et cetera. So it's been amazing. Couldn't imagine living in a better place.
Matias Madou:
Do you speak Dutch, English, Spanish, or French to your kids?
Florence Mottay:
So English and French, mostly French, but they do speak English natively. So you know, we have to adapt. I speak Dutch for entertainment purposes only. So I can't say that at work I speak Dutch, because I don't. But you know, we're a global company, so that's okay.
Matias Madou:
Absolutely.
Florence Mottay:
But yes, I understand it fairly well. It's quite practical.
Matias Madou:
Sounds good. Hey, Flo, thank you very, very much for accepting to be the 13th guru in our series of software security gurus. It was a fantastic chat. Thank you very much.
Florence Mottay:
Thank you, Matias, It was great to be here.