BMS - More Projects

During my time at BMS, I took part in a few more projects that are worth mentioning because they were important to my professional development.

One of them was the project to replace the antivirus across the whole Belgo-Mineira group. I don’t remember exactly which solution was being used before, but there was a clear consensus that we needed to migrate to something more modern. We talked to representatives of several AV companies and ended up choosing Symantec. Among the major vendors, it was the solution that seemed most suited to the company’s environment, especially because of its management tools, which were far superior to the ones we’d been using.

I took part in the presentations and technical discussion, and the decision ended up being relatively consensual. I left that process with the impression that the operations team, which already handled the antivirus, would naturally lead the project. To my surprise, shortly afterward the director called me into his office and informed me that he wanted me to lead the rollout. When I questioned whether it wouldn’t make more sense to leave the project with the operations team, he replied that he saw no reason for that if there was someone “highly qualified,” with a PhD, available to take on the responsibility. It was the first time I clearly saw how, in corporate environments, titles and credentials sometimes override discussion about roles and responsibilities. In this case, it ended up playing in my favor. And it also wasn’t an optional invitation…

We scoped out the project, which was large but not particularly complex, and I got in touch with one of the main software resellers in Belo Horizonte, which also acted as a Symantec representative. I presented our needs and we received a quote based on the number of licenses. Support for the installation would come directly from Symantec, and we were already in contact with their technical team.

Shortly after, there came another surprise: the executives decided the purchase would be made through IBM. As I mentioned in another chapter, there was a very strong partnership between BMS and IBM, and IBM’s salespeople used that relationship to position themselves as the best commercial option. In practice, the decision was already made and I would have no influence over it. The problem is that this information reached the reseller who had prepared the initial quote, and their reaction was, understandably, negative. The saleswoman called me several times to complain about the change mid-process. All I could do was explain that it was a decision made at the executive level, beyond my reach. They asked for the director’s contact, which obviously I couldn’t provide. I ended up absorbing a good part of the fallout from a situation I had no control over.

It was a very concrete lesson about the weight of commercial relationships and about how decisions are actually made inside companies. At the same time I was praised for my qualifications when put in as the project lead, my opinion stopped being relevant the moment a larger strategic relationship came into play.

Around the same time, the concept of Single Sign-On was starting to get more traction. The idea is simple: instead of requiring the user to type a different password for each system, you create a central mechanism that authenticates the user once and propagates that information to the other systems. From the user’s point of view, you’d just authenticate when you start your workday to have access to all the corporate applications.

What already worked reasonably well was integrated authentication with Windows, via Active Directory. Any system that integrated with that ecosystem could benefit from that mechanism “under the hood.” The big problem was Belgo’s main system: SAP, which didn’t offer the option of integrated authentication.

Alternative solutions started to appear. One of them, presented by CA, consisted of a Windows application capable of identifying login screens and automatically filling in the user and password fields. At the time, we classified that as a hack: something that might work, but was architecturally wrong. I still think it was a fragile solution, but today I see that product as a pretty primitive form of RPA. Modern automation tools essentially do this: they read the screen’s content and simulate human interactions with the mouse and keyboard. They became extremely popular precisely because they solve real problems, regardless of the elegance of the architecture. It was a reality I could only see more clearly many years later. The solution is also quite similar to the way current password managers work: they watch web pages for login forms and use under-the-hood access to fill the login fields for you.

The third project (perhaps the most important information security projects during my time at BMS) was the creation of an information security policy for the whole Belgo-Mineira group. I managed to convince not only my manager but also BMS’s executives and the group’s CIO that a formal policy was needed to guide decisions and practices in this area. It was decided to hire an external consultancy, and the chosen firm was KPMG.

The consultants were hired to assess the group’s security situation and, based on that, define a suitable maturity level. Based on that assessment, a security policy would be drafted and adapted to the company’s reality. KPMG requested that there be a dedicated technical person on Belgo’s side, and BMS named me for that role. I began collaborating directly with the consultants throughout the whole process.

That gave me much more direct access to BMS’s executives and to the company’s various areas, as well as frequent interaction with internal audit, which became responsible for facilitating access to the group’s units and plants. The executives decided to allocate a specific room in the BMS building for the project, where I was to work during the duration of the project. The consultants would be there almost every day with me. It was even stipulated that a snack be served every day at four in the afternoon for the project participants. Since the lead consultant wasn’t always around, it became a habit to invite my teammates to come enjoy the snacks. Certainly no one went hungry during that period.

After visits to various units of the group, the consultants presented a gap analysis report, showing where the company was well positioned and where it needed to evolve. It was the first time I had contact with spider web charts and with systematic comparisons against industry benchmarks. By following that work closely, I learned a lot about risk analysis and about the more organizational, less technical, dimension of information security.

The writing phase of the policy was also instructive. Instead of text created from scratch, the consultants started from a fairly extensive generic policy, adapted it based on the assessment, and then ran sessions with executives to adjust the content to the company’s reality. It was my first close contact with this kind of strategic consulting. There I learned, in practice, that Lavoisier was right: “Nothing is lost, nothing is created, everything is transformed”.

Shortly after delivering the security policy for the Belgo-Mineira group, the time came to take a different direction — but that’s a story for another chapter.