The chemical sector doesn’t have a reputation for embracing cutting-edge technology in IT. Yet the international giant Ineos tries to keep up as best it can, partly because it has to.
Ineos is a British multinational active in the chemical sector across 32 countries. In Belgium, the company is known to the general public as the builder of the large Ineos One project in the port of Antwerp, though it has several other locations in Flanders, Brussels, and Wallonia. Ineos also has factories and offices in other European countries, the US, South America, and Asia.
We met with Claudio Bolla at Fortinet’s Security Day. As CISO, Claudio Bolla is responsible for the extensive IT environment that encompasses all these sites. In this conversation, he highlights the biggest challenges, from cybersecurity to AI.
What does the IT environment you are responsible for look like?
Claudio Bolla: “It sometimes resembles a plate of spaghetti. We’re a globally active chemical company, so our IT structure is enormously intertwined. Everything is connected: sites, systems, IT and OT processes. This complexity requires strong coordination between overarching standards and local autonomy.”
What are the main priorities right now?
Bolla: “My priority is keeping the company’s name out of the newspaper when it comes to cybersecurity. This includes three specific goals: bringing IT and OT together in terms of cybersecurity, complying with NIS2, and properly managing third parties.
“We work with more than 28,000 suppliers. Should I focus on those who cost the most? Or on those who are deepest in our systems? And what about major players like Microsoft, BP, or Shell? You hope they take responsibility in the supply chain, but even with certified or well-known suppliers, you’re not automatically protected as a customer.”
Does the business sufficiently understand the IT challenges?
Bolla: “Awareness is growing, but still not enough. We’ve taken major steps to get cybersecurity on the agenda. Management increasingly understands its importance, partly due to increased regulations and media attention. Yet it remains technically challenging. Board members are sometimes older and not technically proficient. Fortunately, I do see improvement, especially compared to five, ten, or twenty years ago.”
Does your organization have access to sufficient people and resources?
Bolla: “No, the chemical industry is simply not attractive to IT professionals. We usually don’t lead in technology. It’s much nicer to work for a telecom company like Proximus, for example.” To compensate, Ineos tries to attract talent globally through a hybrid model. “We centralize and standardize where possible, but also allow local autonomy. This way, we can draw from a broader pool of people.”
Is the future of Ineos’s IT environment in the cloud, on-premises, or a combination?
Bolla: “Fully migrating to the cloud will never happen. Ineos will continue to work partly on-premises. We’re a heavily regulated sector with real-time systems that have physical impact. If these fail, things can quickly go wrong. Every millisecond counts. At the same time, the cloud is necessary for global applications. We use cloud for systems that span multiple sites and countries. So yes, it will be a hybrid future.”
What impact do regulations such as NIS2 have on policy?
Bolla: “NIS2 completely changes the rules of the game. It not only makes the board personally responsible but also the local legal entities. This decentralization of liability changes how IT communicates with the rest of the company. I see it positively: it increases the involvement of local management and forces us to better apply cybersecurity rules.”
How is Ineos dealing with the AI hype?
Bolla: “We’re cautiously curious. AI is already being tested within Ineos for predictive maintenance, chemical modeling, and even cybersecurity.
“But we’re also vigilant. How can hackers use these tools? How will regulators respond? In the US, for example, there’s now a requirement to preserve AI output. But what does that mean in practice? Will it be challenged? And what are the implications for Europe?”
What are the main plans and challenges in the near future?
Bolla: “Two themes stand out for us: AI and legislation. The speed at which regulations are evolving today is mind-boggling. In the past, legislation was slow and predictable. Now we have to try to keep up with lawmakers. This has consequences. We don’t become more successful by having ISO 27001 certification, but we might need the certificates to be allowed to continue operating. That’s a trend I take seriously.”