Inform security emagazine

Seeds of change

As global head of information security for one of the world’s leading companies, Dilyan Batchev and his team are preparing the Information Security function at Syngenta for the challenges of the future. Inform went to meet him and find out how.

Syngenta employs 26,000 people in 90 countries and develops products that are essential to meet the challenge of feeding a rapidly growing world population. Its products help increase yields in the world’s increasingly precious arable areas. As such, Syngenta is a highly valuable and significant business.

Sitting at the heart of the security function that protects Syngenta is the affable Dilyan Batchev, Global Head of Information Security. He started working for Syngenta three years ago while still a consultant with PricewaterhouseCoopers.

“I was called in to help with the Information Security function, and after a couple of years it looked like a great opportunity to do it permanently. It just looked right. I saw a rare opportunity to carry on building something different, something I was able to help transform. It was almost like a ‘green field’,” he explains.

The fact that senior management at Syngenta is quite involved in information security matters immediately appealed to Batchev, who had the opportunity to meet the CEO and other senior management on a fairly regular basis. This provided a great opportunity to introduce fundamental changes. Another appealing factor was the strong Corporate Security team that he was part of. It made all the difference.

“There is very strong support, a very good understanding of the key risks we face. Of course, it doesn’t mean it was all very easy, but that certainly helped,” he says.

“And life science is a fascinating industry, something different for me. It’s growing very rapidly. Many changes took place at Syngenta over the past three years, but as a result, the company is doing great.”

So he had the support, he had the buy-in, what was the next challenge as he went about changing Syngenta’s Information Security function?

“We had to take security best practice and convert it to a simple, executable strategy that could be implemented and sustained in our organization. While very interested, our busy leaders rarely have time for in-depth conversations on theoretical concepts, so putting together smart, innovative and pragmatic solutions while achieving buy-in from our stakeholders – those were our key challenges,” he says.

“We had to quickly crystallize the key risks that we’re going after. Part of the problem in security is that people try to cover everything. The reality is you just can’t do it all. It makes no sense to do everything, so being able to show exactly which risks we needed to address was a great exercise. Developing the strategy around risk was an important milestone, especially with a risk-aware management.”

Batchev explains that information security in Syngenta is now part of Corporate Security, and no longer part of the IT function, as it was three years ago.

“There was Information Security and IT Security. Upon joining Syngenta, we decided to combine the two to align strategies so people work towards the same goals. IT is very much concerned about the availability and quality of service, while Information Security is mostly concerned about risks. So they need to be joined up to be truly effective,” he says.

Batchev has thought about what kind of information the CEO and other executive officers need from their security leader and how to present it.

“One of the first things we did was set up governance bodies for security. When I initially joined, a top-level security committee was missing, so we set up the Information Security Council to provide steer in our strategic efforts. It is comprised of two executive members plus heads of various functions like HR, IT, Online Communications, R&D, Legal, Commercial and of course, Corporate Security. The Information Security Council reports to the Compliance and Risk Management Committee (CRMC), which is the highest governance body in Syngenta when it comes to risk and compliance.”

“Every quarter, we present new initiatives, progress on running programs and statistics on incidents to the CRMC. If there is an important decision to be made, we can go all the way up to the CEO if necessary. This provides better traction when implementing our programs globally,” he says.

Batchev outlines the main risk to his business, which comes as no surprise but is nonetheless serious: information and IP theft. “We are a research and innovation company. We spend more than 10% of our revenue on R&D – that’s quite substantial. So our intellectual property is very, very important. Information theft is therefore a key topic for us. The accidental leak of information is a second issue that people now understand much better,” he says.

However, Batchev shows that he is a business and people person too when he says he has no desire to stifle communication and innovation – particularly in a business like Syngenta, which depends heavily on the innovation and intellectual capabilities of its employees.

“For us, security cannot be like in a financial institution or a government, where things can be departmentalized and classified – it just wouldn’t work at Syngenta. We work with many third parties and therefore need to exchange information. There’s no choice – we need to balance the need to know and the need to share,” he says.

And of course the threat of espionage looms heavily for a business like Syngenta, which is involved in issues of global and political importance.

“Nations want to build their own know-how. They are interested in seeing what others are doing. We’re not alone there, that’s for sure, and our R&D and intellectual property is of interest to certain parties. So economic and industrial espionage is a topic for us,” he says.

Another threat that initially was not on the radar is politically motivated hackers. Today, nobody questions that threat, as it is “an obvious risk” and one that is “hugely unpredictable”.

Batchev and his colleagues have further established a highly sensible, business-facing and integrated security function – what were the driving principles that led to that achievement? Where does he find inspiration?

“Maybe it’s something I adopted from our Chairman, Mr. Martin Taylor. When we interviewed him about security he said it needs to be ‘smart, invisible and non-boring’ – and I quite like these principles and try to apply them in everything that we do in security,” he says. “You don’t want security that’s in your face all the time and preventing you from doing your job. You want security that works for you, not against you. It has to be effective against threats, without keeping people from creating value for the organization.”

“One thing that’s changed today is all the complexity – not only in technology, but also in the way we work both internally and externally, all these new opportunities and challenges that we must adapt to. We must assume we’re going to have a ‘weak link’ in our security – actually, we will always have more than one. What we strive for today is a strategy that doesn’t win every battle, but wins the war. We want resilience, not perfection,” he says.

“How do we make a difference? By protecting the right information, which is what matters at the end of the day; by how we deal with risks; by how we are able to demonstrate results. Our stakeholders support us because we help them to understand what we are doing, why we are doing it and how we are doing it. By supporting the company in preserving the value it creates with its products and knowledge, we are in the business of creating value and money; not just being secure.”

I think the role of the CISO has changed quite a bit. It’s become a lot more management- / organization- / strategy-driven, information management-driven rather than IT security-driven.

Batchev hits the nail on the head when he says Syngenta is financially successful, but how does he demonstrate his financial awareness in day-to-day dealings with his senior management?

“Just because our management is risk-aware, that doesn’t mean they will write us a blank check. We therefore approach security in a way that allows us to keep costs down. Here’s an example: information. We have more than one petabyte of data on our central servers, growing at 30% a year. And that’s the data we want to protect. That’s the real asset, not the servers themselves.”

“However, information storage and protection comes at a cost. For us to be an effective and efficient security function, we need to reduce the amount of information we protect. We are in the process of implementing a project to reduce the volume and growth of data. We will identify what has value or has risk if it’s released or destroyed, and we will strive to protect only that information,” he says.

“Reducing the growth and volume of information reduces the storage and security costs for the business. It also allows people to find information more easily. It allows us to protect information that has value – which I would refer to as ‘lean security’. That is a very, very important piece of work for us.”

At the same time, Batchev, like any CISO, must keep ahead of threats and social pressures that impact on the level of those threats. How tough is this?

“One of the big changes that we wanted to make when we started was to transform security from reactive to proactive. But a lot of people say that. What we did was to hire people in our security function who are solely responsible for that. They follow what is happening on the internet and social media, as well as working with police or intelligence agencies. It really helps us to target our efforts while reducing costs. These days, nobody can afford 24/7 full-blown security. You need to be smarter than that,” he says.

Smarter is the word. At Syngenta, Dilyan Batchev and his colleagues seem to be edging closer than most to the goal of efficient, cost-effective and risk-aware corporate security.


HP Inform security magazine provides information security thought leadership enabling business intelligence to secure operations and optimize investment.