CISO Focus, Pascal Bendimerad (Celeste): Certify for better security
Celeste is a fiber operator, but it is also a provider of hosting solutions and a whole range of security solutions, a turning point that began in 2021 with the acquisition of Oceanet. It was as part of this merger that Pascal Bendimerad, initially CISO of Oceanet, was appointed CISO of Celeste group, responsible for defining the group’s governance and security policy.

“At the CISO level, I work with my deputy. But we also rely on a network of correspondents in each site of the group, around ten in total, who monitor deployments and provide us with information,” explains Pascal Bendimerad.

At the same time, the company can count on operational teams, such as the internal SOC team, as well as more occasionally on the help of the cybersecurity team, primarily responsible for selling intrusion tests to the company’s clients. “These are teams with whom I collaborate regularly, but my role is at the governance level. My scope is across the entire group, but I have a focus on the hosting and outsourcing part,” he explains.

Define security policy

Pascal Bendimerad’s job is above all to define the company’s security policy and to ensure that it is properly implemented by the various operational teams. This therefore involves considering the main threats that may target the company’s systems and proposing appropriate responses to overcome the problem.

“Our objective is to guarantee continuity, integrity, confidentiality and traceability,” he summarizes. “To respond to DDoS attacks, for example, we use traffic analysis and sorting solutions that are triggered in the event of an abnormal event.”

He is also consulted on the prioritization of vulnerabilities and the application of patches: “We have weekly meetings, during which I can press on subjects which seem urgent to us. I do not necessarily have the last word on these questions, but in general I am listened to.” The last facet of his activity is raising employee awareness of security issues.

At Celeste, the CISO position is not attached to the IT services department, but directly to the group’s presidency: “It’s a position that suits me completely, it allows me to interact with the IT department as with the group’s other departments. And this is good practice defined by the ISO 27001 standard.”

Certify and prevent

ISO 27001 is precisely what Pascal Bendimerad was busy with when we were able to chat with him. This well-known certification defines the requirements for implementing an information security management system. Oceanet obtained this certification for its hosting activities in 2016. It is now a matter of maintaining it by proving at regular intervals that the company continues to respect its commitments. And this is not the only certification to look out for: the activity has also been HDS certified since 2019.

Celeste has also held ISO 27001 certification for one of its data centers since 2019, and the two companies are now striving to harmonize the two certifications so as not to face a series of audits throughout the year.

“It’s something that requires a certain investment, I estimate that it represents 20% of our working time. But it’s important for the company, it’s a guarantee for customers and it assures them that we have managed to put in place good practices. Not having this certification would be a handicap today,” summarizes Pascal Bendimerad. However, it is not necessarily a question of chasing after all the certifications: “Some are more interesting than others, some are more complex than others to implement. It is in any case a subject on which we communicate frequently with management.”

To this are added the regulatory constraints that also weigh on the sector: the NIS 2 directive recently adopted by the European Union is likely to create further work for the CISO. “For NIS1, we were not completely sure if we were concerned, but on NIS2 there is no debate,” explains Pascal Bendimerad. While waiting for the transposition of this directive into French law, it is better to get ahead and prepare to comply. “Fortunately, the good practices put in place for ISO27001 will help us. It is not exhaustive but we have put in place procedures and indicators that will help us do the work.”
