Brewing a Safer Future: Carlsberg's CISO Talks SASE and Network Security

Written by

Carlsberg has been producing beer since 1847 but in 2023 it is facing the same modern technology challenges every large enterprise in the world deals with – network connectivity and cybersecurity.

With over 200 locations and 25,000 remote workers, Carlsberg is embarking on the implementation of a single-vendor SASE platform with Cato Networks. Carlsberg and Cato are working on an aggressive implementation timeline with the aim to have the SASE solution rolled out across all sites and fully operational by summer of 2024.

Infosecurity spoke to Tal Arad, Carlsberg CISO & Head of Technology, about his role as a cybersecurity leader, the cybersecurity challenges the company has faced, and how the network and security team helps to keep the beer flowing.  

Infosecurity Magazine: What is the biggest challenge for you working in an enterprise which has so many worldwide locations?

Tal Arad: I basically wear two hats, one being the cybersecurity hat and the other the operational hat, which manages the infrastructure. If I look at our enterprise from the operational view first, we are essentially running three regional networks, one in Asia, one in Western Europe and one which is a kind of mix of Eastern and Central Europe. We never had end-to-end visibility or end-to-end maintenance and it makes it difficult to run global projects in this kind of setup.

We are still wrapping up on the global active directory consolidation project and found that when we started connecting regions, we had an IP conflict between two countries which is a hell of a headache.

Image credit: Vlad Ispas/Shutterstock com
Image credit: Vlad Ispas/Shutterstock com

The other thing was that preventative maintenance was difficult. In many cases we only figured that we had an issue after the problem had already occurred because of the multiple solutions and technologies we’re using to deliver the network.

Finally, the fact that our manufacturing locations and offices can be in remote areas means the connectivity can be poor. Implementing something that is reasonable for the amount of people working on those sites can be quite difficult.

From the security standpoint, every site is another entry point into my organization so its another point that I need to secure somehow.

IM: With sites in China, you have previously noted that VPN performance can be a challenge – can you expand on that?

TA: In China, because of the regulation, there are only certain ways to take traffic outside of China and towards other parts of Asia and worldwide. Our regional headquarters in Asia are in Hong Kong so sometimes we need to find a solution to go out from China to Hong Kong and other parts of Carlsberg. The limitations we have mean that we are relying on various solutions at the moment that can be quite expensive and do not give us the bandwidth we need.

We have quite a big presence in China, but we didn’t have a good solution over there so hopefully our work with Cato can help with this.

IM: Visibility is a key part of your work with Cato Networks. What is it most important for you to have visibility of?

TA: Preventative maintenance and any kind of operational monitoring is a starting point. To give an example, we have hypercare periods during different times of the year, for example, Chinese New Year is huge and manufacturing in Europe is very big during the summer holidays and Christmas periods.

At the moment, we don't have a single point that can tell you how resilient the networks are when we need to be at the top of our game. With everyone doing their own thing, the global operations doesn’t necessarily know if we are ready as a group to what is coming up in terms of end-to-end visibility.

The Cato solution should give us that kind of operational monitoring out of the box, almost.

Source: What is SASE? Secure Access Service Edge (Cato Networks)
Source: What is SASE? Secure Access Service Edge (Cato Networks)

IM: Working with Cato Networks, Carlsberg has chosen to embark on a project to implement a single, global SASE solution. What is your advice to other security leaders who may be considering a similar approach?

TA: I think the fact I also have an operational hat makes my point of view unique compared to other CISOs because the deciding factor [to work with Cato Networks] was the networking side over the security side.

The fact that I can use a single console to manage everything, and my team can know, almost with a within a blink of an eye, what's going wrong and where, is a huge advantage for us. The other thing that is a big advantage for us is that Cato own their own hardware, rather than subcontracting it. That means when we need to deliver to new sites…the delivery times are much shorter.

From the security standpoint, because you have the network and the security sitting on the same technology stack means its much easier. You blur the line between the network and the security people, which I think is the right way to do it.

Think of it as the DevSecOps of infrastructure management. If you look at the ultimate place where security and infrastructure can really hold hands together its the network. This is where single kits can really help make it easier for both sides because security is asking for something then the network can see immediately whether that's going to cause an issue somewhere. If network is going to make a change security can say, ‘that's going to open a back door somewhere’ and over time I expect that those questions will not happen, because both of us will be exactly on the same page.

IM: Thinking about the cybersecurity landscape at large, what are your biggest concerns within cybersecurity today?

TA: For me, because I'm in a manufacturing company, availability is the is the top thing. As a smart person once said, the beer must flow. I have a little ceremony every morning where I check my phone and hope that nothing has happened during the night and we’re still up and running. It can be a scary job sometimes, especially when at a critical juncture like going into hypercare or when there is a big event happening.

“It can be a scary job sometimes.”

I think it's also the fact that it's a never-ending arms race. You can see already the next thing coming with AI around the corner. I don't think we're in a place yet where we need to start preparing for the war between us and the machines, but it is going to make our lives interesting over the next few years when all the various players within the attack groups are starting to use more AI and large language model-based tools.

IM: On the flip side, what are the biggest successes that you think the cybersecurity industry is experiencing today?

TA: Two things come to mind with this question. First, the change with which we get support from management had been significant. I've been doing this for a long time, and I still remember basically begging for literally scraps of money to get traditional antivirus or very basic tools.

I think now we have gotten so much more positive attention. Management understands that there is a threat and I think since 2017 probably that’s been a big paradigm shift. Its not just a tick-box exercise.

It’s been fantastic from my perspective because I’ve gotten everything I’ve asked for, as long as I’m being reasonable. One thing that happened for the first time in my career was when I first presented my budget to the CFO at Carlsberg, and the CFO told me “you need to ask for more money.” That was quite a new, interesting experience.

On the technology side I think one thing that has been very good is that we have a much better ecosystem in terms of tools. The various technologies that we are using can talk with each other. Almost all the solutions I’m using today have some sort of interface between one another.

IM: Finally, if you could give one piece of advice to fellow CISOs, what would it be?

TA: Understand the business you’re working in and make sure you’re supporting the business goals rather than stopping the business from what in needs to do.

Feature image credit: TY Lim / Shutterstock.com

What’s hot on Infosecurity Magazine?