Barco Security Organization: the power behind your shield
By David Martens, Head of Product Security
In the critical applications market, trust serves as the main cornerstone. This means products must not only be reliable but also fully secure. Barco has made a clear commitment to security, which translates into our comprehensive security organization that ensures we remain a trusted company delivering secure solutions to market. In this article, I'll explain the different aspects of security at Barco.
Companies are becoming increasingly aware of and concerned about cybersecurity – and rightfully so. The cost of downtime is enormous, making investment in security a true necessity. According to a BlackBerry report, in Q3 2024 (June to September) alone, no fewer than 600,000 attacks against critical infrastructure were reported, with 45% targeting the financial sector.
As a company, Barco has security embedded in its DNA. We've been active in the control room market for over 30 years, having deployed numerous critical installations across government, energy, and security markets. Additionally, we're active in the healthcare market, where security requirements are exceptionally high and heavily regulated.
Our company's security organization operates on three lines of defense: the first line consists of all our employees in their day-to-day operational roles; the second line is our Security Office (which I lead as Head of Product Security), focusing on both corporate security and product security strategy; and our third line of defense is cybersecurity auditing.
All employees: Security is in our DNA
Every employee plays a vital role as our first line of defense, embedding security into every aspect of their daily work. From development to deployment, they actively implement, uphold, and refine the safeguards that protect our infrastructure, products, and data. This collective vigilance helps prevent accidental leaks, unauthorized transfers, and cyber threats, ensuring resilience across the organization.
To embed a security-first mindset throughout the organization, we conduct regular awareness training and anti-phishing campaigns for all employees. For our R&D teams, we go further with targeted security training that ensures engineers are equipped to design and build secure products from the ground up.
Within our R&D departments, dedicated security profiles (Product Security Engineers and Security Architects) guide and support secure development practices. We also apply the Security Champion model across all R&D squads, ensuring security is considered at every stage of the product lifecycle, from concept to deployment.
This layered approach empowers every team to contribute to a resilient, secure ecosystem.
Security Office: Defining the strategy towards trust and compliance
Barco's Security Office, our second line of defense, drives the company's cybersecurity program by focusing on both corporate security and product security. Barco diligently ensures compliance with cybersecurity regulations and standards while implementing an ISO 27001:2022 certified ISMS to continuously improve our security posture.
At the heart of Barco's innovation philosophy lies an unwavering commitment to security, one that I've championed throughout my tenure as Head of Product Security. Every day, we witness our customers' growing recognition that robust security is fundamental to modern digital solutions.
The digital landscape presents fascinating challenges that energize our team: protecting Barco's valuable intellectual property embedded within our technologies, preventing our products from becoming gateways into customer networks, and safeguarding sensitive personal and patient data processed by our systems.
Product security roadmap
Our product security roadmap serves as our north star, charting an ambitious course through four critical domains: embedding security at the earliest stages of development through our shift-left approach; navigating the complex and ever-evolving regulatory landscape that shapes our industry; pursuing rigorous certifications that validate our security commitments; and fostering a culture of transparency that drives continuous improvement across our product portfolio.
Certification and standardization
Certification and standardization are key ways to both maximize our security levels and respond to legislation. Legislation is mostly region- and industry-specific, which makes compliance a daunting task. Fortunately, there's considerable overlap and common sense between different pieces of legislation, making it manageable. Nevertheless, beyond security best practices, extra focus is required to obtain certifications and comply with standards.
Our job is to build trust through excellence. Each security enhancement represents our dedication to protecting the customers who rely on Barco's innovations and quality every day.
Cybersecurity Audit: evaluation through independent control
Our third line of defense is external auditing. Annual ISO 9001 and ISO 27001 external audits provide Barco with the highest level of independence and objectivity while pushing our people to focus on continuous improvement.
We act with intention, guided by well-defined processes, and always strive for meaningful improvement. By staying true to our operational frameworks, we create clarity and consistency. But we don't stop there—we challenge ourselves to evolve, refine, and embrace change that leads us to better ways of working.
Beyond focusing on improving our internal processes and operational frameworks, we also integrate external security validation into our product development lifecycle itself. We engage ethical hackers to test our products, requesting them to find vulnerabilities. These penetration tests are extremely valuable for both our developers and our customers. They keep our development teams continuously alert, ensuring that all recent developments in cybersecurity are meticulously monitored and implemented. For our customers, this provides the peace of mind they need regarding cybersecurity. Read all about penetration testing in this blog.
Furthermore, we encourage everyone to report vulnerabilities in our systems, which is why we implement and publish a responsible disclosure policy. Our Product Security Incident Response Team (PSIRT) is a dedicated global team that manages all reported security vulnerabilities. They coordinate the swift resolution of issues and deployment of applicable patches. In this way, we remain transparent about our product security, ensuring our solutions are optimally safe for deployment.
Next week, we'll dive deeper into product security and how we implement it in our control room solutions. So make sure not to miss that article!
About the author
David Martens has been leading the product security strategy as Head of Product Security within Barco's Security Office since January 2023, and has been active in cybersecurity for the past 15 years. He has a passion for advocating for cyber security, both internally at Barco (creating awareness throughout the organization, from R&D to production) and externally (towards customers and the general public).