Jean-Baptiste Bres

StatePlus - Sydney (Australia)

Chief Information Security Officer (CISO) at StatePlus (formerly State Super Financial Services) since March 2015
Business Technology Services

About StatePlus

StatePlus (formerly State Super Financial Services) is an integrated financial planning company providing advice, service and implementation solutions.
Today, StatePlus is one of Australia’s leading financial planning companies with over 57,000 clients and $16 billion in funds under advice.


  • Managing team of 6

  • Information Security: responsible for all aspect of information security, including governance, implementation, awareness, and testing
  • Business Continuity: Business Continuity Manager, responsible for the Business Continuity Framework, Disaster Recovery solutions and crisis management.

  • Governance: definition and implementation of new policies, standards, guideline and procedure for Information Security, Business Continuity and Disaster Recovery.
  • Reporting: in charge of reporting (monthly KPIs) to Executive Committee and to the board of regular progress and status of all Information Security topics.
  • Risk: responsible for risk definition within all IT areas, risk rating and controls to ensure respect of the company risk appetite.
  • Regulatory: analysis, review and action plan implementation in order to align our Information Security and Business Continuity Framework to regulatory requirements and Industry Standard (ISO 27001, PCI DSS, APRA PPG 234, PPG 232, Australian Privacy Act).

  • Information Security: responsible for identity and access management, data protection network protection and platforms protection.
  • Information Security Committee: Secretary of the Information Security Committee: agenda definition, meeting leading and minutes.
  • Information Security Incident Management Response Team: Leader of the Information Security Incident Management Response Team

  • Business Continuity: overview of Business Impact Analysis and Business Continuity Plans reviews and maintenance.
  • Business Continuity: test manager, in charge of planning, test plans, coordination and reporting.
  • Business Continuity: management of the business and IT disaster recovery site.
  • Business Continuity Committee: Secretary of the Business Continuity and Disaster Recovery Committee: agenda definition, meeting leading and minutes.
  • Crisis Management Team: Lead member of the Crisis Management Team

  • Incidents and breaches: Information Security incidents quality manager and repository manager.
  • Permanent Controls: in charge of the controls repository and framework for IT.
  • Permanent Controls: 2nd line of defense for IT: performing a set of controls to ensure that 1st level of controls are adequately executed.


  • Information Security: design and implementation of a AUD 1.2 million program to increase information security. Program was achieved on time (1 year), with a 5% cost saving on budget, and resulted in shifting the risk profile of information security from high to low, as per company risk appetite.

  • Future Operating Model (FOM): definition of security requirements and full review of implementation, including white box penetration testing, of the StatePlus AUD 65 millions FOM program. The project (and its security) covers all aspect of the company activities, from a secure website for customer transactions to advisory services, registry and secure payments.

  • Awareness: definition and implementation of a new information security awareness program “user centric” that resulted in a notable reduction of security incidents.
  • Controls and KPIs: definition and implementation of a set of regular controls to monitor and measure security capabilities
  • Projects: Definition of a project security framework to ensure high level security is integrated within all projects.

  • Security Operation Center: instigation of a Security Operation Center (SOC) to monitor security 24/7
  • Identity and Access Management: definition and implementation of an identity and access management framework, with definition of business profiles and associated system accesses, onboarding and off boarding process, 3rd parties access management, exception management process, and implementation in Microsoft Forefront Identity Management (FIM).
  • Data Loss Protection: definition and implementation of a data classification policy, and analysis for implementation of DLP solutions.
  • Network: redesign of all networks to comply with advance security network design. Implementation, management and monitoring of next-gen firewalls, IPS and WAF.
  • Cloud: definition and implementation of advance security solutions for Cloud (Azure, AWS, Office 365) and on premise environments
  • Business Continuity and Disaster Recovery Plan: definition of a business continuity and disaster recovery program. Business Impact Analysis, capabilities analysis, definition of scenarios, remediation and tests, improved awareness, better KPI

BNP Paribas Sydney - Head of Governance & Process Improvement