Vulnerability Management at Coca-Cola: Nimesh Mohan

Coca-Cola Europacific Partners’ Group Cyber Security Threat and Vulnerability Lead for Australia Pacific and Indonesia, Nimesh Mohan, talks about his role and foundational approach to vulnerability management

When Coca-Cola Amatil merged with Coca-Cola European Partners this year, it formed Coca-Cola Europacific Partners. The company says it is now the world’s largest Coca-Cola bottler, with 33,000 employees and a footprint covering more than 25 countries.

With large organizations come vast amounts of computer systems and networks to monitor. Change is constant. Systems are brought online frequently to support new projects and staff, and technology advances demand regular upgrades.

This requires continuous attention from the company’s information security team to ensure the correct processes and policies are followed throughout the whole lifecycle of IT architecture.

Nimesh Mohan is part of that team, and as CCEP’s Group Cyber Security Threat and Vulnerability Lead for Australia Pacific and Indonesia, his core responsibilities are two-fold.

“Though it’s quite broad in terms of what needs to be done to actually cater to these areas, I get to see both sides of security,” he says.

“Threat landscape monitoring gives me a clear indication of what’s happening out there on the internet, what the latest threats are, and how they possibly can intrude, while vulnerability management on the other side gives me an idea of what we could possibly be exposed to.

“That gives me a clear idea in terms of what my priorities should be, and which critical infrastructure needs the most attention.”

Ahead of speaking at CISO Online A/NZ in August, Mohan shared a tip or two that he thinks makes a big difference when it comes to vulnerability management.

Patching and Ownership

Mohan is passionate about vulnerability management, and his two-tiered role gives him great visibility over which areas need more attention than others. That passion also feeds into his thinking on best practices and on how other industries and organizations can improve this area of their security strategies.

“A key problem I see is that many organizations are acting a little bit late in terms of vulnerability management,” he says.

“An organization might assume there are vulnerabilities in their environment, so they start a vulnerability management program and along the way they think if they procure a vulnerability management solution, like some bespoke scanning software, it will solve their problems.

“In fact, buying a vulnerability management solution is just the start. In most cases, when you do a scan midway through a production rollout or project, you are going to get hundreds and thousands of vulnerabilities listed. What to do with all of those is the big question mark.”

For Mohan, the work of patching is essentially never done, and an organization simply cannot address every one of the vast number of findings a vulnerability scan returns, particularly if the scan is run halfway through bringing new systems online.

“While I think most organizations would have a strong hold on keeping all of their Microsoft-related applications patched, that’s pretty easy, but when it comes to third-party applications and middleware components you can get stuck. Critical vulnerabilities will arise in those systems that may be missed,” he says.

“The next problem is if there are no owners mapped to those elements of the architecture, who will do that patching?

“Traditionally the infrastructure team is responsible for patching operating systems and maybe one small area of software. But when it comes to application patches, it’s a hard thing to manage unless you have clearly mapped the application owners.

“So, much before you actually go into this patching part of the vulnerability management program, one of the fundamentals that need to be addressed upfront is inventory management and having a clear asset management process in place that identifies all the application owners and who will be responsible for each.”
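As an added illustration (not code from the article or from CCEP), the owner-mapping step Mohan describes, in Python: scan findings are joined to an asset inventory so that each owner receives a severity-ordered work queue, and any finding on a host with no mapped owner, or on a host missing from the inventory entirely, is surfaced instead of silently dropped. Hostnames, owners, applications and findings are constructed sample values.

```python
"""Route vulnerability-scan findings to asset owners via an inventory.

All hosts, owners and findings below are constructed sample data.
"""
from collections import defaultdict

# Constructed asset inventory: hostname -> owner, application, vendor class.
# Vendor class separates first-party (Microsoft) patching from the
# third-party and middleware components that the article says get missed.
INVENTORY = {
    "erp-app-01":   {"owner": "sap-team",   "app": "ERP middleware", "vendor": "third-party"},
    "dc-01":        {"owner": "infra-team", "app": "Windows Server", "vendor": "microsoft"},
    "web-proxy-02": {"owner": None,         "app": "Reverse proxy",  "vendor": "third-party"},
}

# Constructed scanner export reduced to the fields this step needs.
FINDINGS = [
    {"host": "erp-app-01",   "plugin": "Outdated Java runtime",         "severity": "critical"},
    {"host": "dc-01",        "plugin": "Missing cumulative update",      "severity": "high"},
    {"host": "web-proxy-02", "plugin": "TLS library out of date",        "severity": "critical"},
    {"host": "lab-box-07",   "plugin": "End-of-life operating system",   "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def route_findings(findings, inventory):
    """Return (queues, unowned).

    queues  : owner -> findings for that owner, most severe first
    unowned : findings nobody is mapped to patch, each tagged with why
    """
    queues = defaultdict(list)
    unowned = []
    for finding in findings:
        asset = inventory.get(finding["host"])
        if asset is None:
            unowned.append({**finding, "reason": "host not in inventory"})
        elif not asset["owner"]:
            unowned.append({**finding, "reason": "no owner mapped"})
        else:
            queues[asset["owner"]].append({**finding, "vendor": asset["vendor"]})
    for owner in queues:
        queues[owner].sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return dict(queues), unowned


if __name__ == "__main__":
    queues, unowned = route_findings(FINDINGS, INVENTORY)
    for owner, items in queues.items():
        print(owner, [(i["plugin"], i["severity"]) for i in items])
    print("UNOWNED:", [(u["host"], u["reason"]) for u in unowned])
```

The unowned list is the backlog to resolve in the asset register before patching is assigned; a critical finding sitting there has no one accountable for it.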

CISO Online A/NZ will be held from Tuesday 17th – Wednesday 18th of August. To download the full agenda and register your free place, visit this link.