CISO of the Week – Aline Barthelemy, CISO, Louis Dreyfus Company
Aline Barthelemy is a highly experienced Information Security and Risk Management professional with a proven track record of excellence in the design, implementation, management and oversight of complex Information Security programs, projects and initiatives. Over the last 14 years she has managed and implemented IT Security for large groups in diverse environments, from industry to commodities trading, with different security requirements. She has supplemented her technical background (MSc in Sciences) with an execMBA.
Why did the job of CISO appeal to you?
To be honest, I became CISO a bit by accident. The previous CISO left the position after a promotion and I was offered the job which, at first, I declined. The job seemed too techie to me, I was afraid that it would become a dead end and that I would remain stuck in this domain and would not be able to change anymore. At that time, I was used to changing jobs every 3-4 years (Supply chain, financial controlling, and IT). I finally accepted the job and I have now been happily working in this domain for 14 years.
As a CISO, you never know what you will do with your day. You may have to face an attack, present to the board, negotiate with a vendor, launch an awareness program at company level, or perform investigation. You must cover all domains of IT to secure them: network, servers and cloud, the code of an application, the user management, prevent data leakage. You talk with the whole IT team, the board, and the users. Every year, you must learn about new attacks, new threats, but also new technology. This domain is fascinating and always evolving. In fact, I have never been bored in 14 years, and that’s the main reason why I’m still working in this domain today.
When speaking the language of business to the boards, are there certain phrases CISOs should be using?
My main advice would be: before talking, listen! Be humble. Most of us are CISO in non-IT companies. You must first understand the business of the company, how it works, what the competitive advantage of your company is, their main strengths and weaknesses. I recommend spending time talking with the board and using active listening. If you do not have access to the board, find a business sponsor or a mentor. Once you have taken this time to listen, you will then be able to talk to the board using their terminology, which will show you heard and understood them.
I also recommend mapping your cyber strategy to the company strategy. This will help you to prioritize your activities, but first and foremost, the board will immediately relate to your cyber strategy. They built the company strategy, so your presentation will be powerful and meaningful.
What soft skills can help security executives collaborate better?
Soft skills are what will make the difference between a good technician and a business enabler. Nowadays, they are an instrumental part of our role, as a CISO. Soft skills that help in my view include:
- being open-minded and curious: you are an expert in your field, but it is likely this is not the field of expertise of your company. Do not blindly apply solutions you have learnt in other companies
- having the ability to liaise with people easily: you will have to interact with various actors, you have to be comfortable with this
- being able to listen and use the information you have gathered: spend the time to gather the information by listening, then activate them and incorporate them into your strategy, your presentation, use them to prioritize your action plan
A good sense of balance is also key: I have heard many companies claiming to be afraid of the “binary” CISO, for whom there is only black or white, and who is not able to understand the necessary shades of grey that are part of any company. Our mission is to protect the companies while they do business, not to hinder the business. So there is always a trade-off to find between all the constraints.
At some point in time in my career, I noticed that I was lacking knowledge in those fields and decided to enrol for an execMBA. I selected an MBA that dedicated an important part of the learning path to soft skills, and it was an eye opener for me. As an example, I reuse what I have learnt based on the MBTI on a daily basis: profiling someone, understanding what the best way would be to present the information to him/her, allowing some space to reflect. It really helped me to achieve a more effective way of communicating and interacting with people.
The biggest threat to your institution is already inside the building. Studies show that 60 percent of cyber attacks come from inside the company. What are the key strategies for addressing this challenge?
I honestly do not like this terminology of Insider threat; I prefer to refer to employees as our first line of defence. How can you expect people to get on board with any awareness program if you start by blaming or shaming them in some way? I believe in giving background and information to people to allow them to be an actor of the company security. In the case of data leakage, they would probably notice odd behaviour before you would. If you decided to implement a SOC or if you build Key Risk Indicators, you would need the business to set up risk scenarios or identify key risks.
Also, many employees are not tech-savvy. We must help them and educate them so that they will not fall into risky behaviour. You cannot blame an employee for what he has not been made aware of. Employees are usually grateful to get that training, as most of the awareness they get is immediately reusable at home.
This simple change of mindset from “Insider threat” to “First line of defence” will be infused into the whole awareness program you would set up. Creating a direct mailbox to IT security for the business will allow the business to contact you simply and openly. Publish the top 3 contributors or share stories of early warning that allowed you to stop an attack. This will reinforce your message and create a feeling of co-responsibility in protecting the company. People would then really feel like they can make a difference.
Why do some CISOs use technology for its cool factor instead of securing and enabling the business?
Well, let’s be honest, some CISOs do it because it is an easy way to get positive feedback, and please a steerco member or a manager who read something in the news, attended a Gartner event, or had a friend who did this before in another company. It allows a CISO to shine and show that he/she is still up to trend. I have seen several cases where solutions were implemented to “tick a box” and never used. Strong authentication never activated, vulnerability scans never used. I would recommend a new CISO check solutions or former projects that were launched and never made it up to the operations stream. You would be amazed.
At first, I had a strong stance against this way of working. Coming from industries where IT security budget was a scarce resource, and ROI a must, I was tough against the CISO working that way. But we must admit that our job is not really that “sexy”. And more times than we would like, we have to say no. Or we must cope with old fashioned solutions that are not exactly user-friendly. So, if you can run a project on new, trendy and fancy technology, or a solution visible to all employees and easy to use, I would say think twice. If you can find a win-win, go for it. We need a bit of shine and to be a bit trendy to improve our image. And what pleasure to receive positive feedback from happy users once you have implemented SSO or password self-service!
So I would not recommend building a strategy based only on this, but make sure to have at least one “sexy” project and push it to the max.
We tend to forget to do our own marketing, and it is a mistake in the long run.
You have been in the industry for 14 years. What are some of the biggest changes you’ve seen, not only in terms of threats, but also how cybersecurity is viewed in the organization?
It has been an amazing journey and I do not foresee any slowdown. Threats have evolved, but not that much in terms of technology. In the end, many attacks still rely at some point on escalation of privilege or unpatched vulnerabilities. But motives have evolved with more impact from activists. The hackers’ playground has dramatically extended with OT and IoT. All of them are now connected to the internet, and can be both a target, like with Stuxnet, or a vector, like in the attack against Dyn. Unfortunately, we have not learnt from our own lessons, and many aspects that were addressed by IT were not secured when OT and IoT were initiated.
One risk I see developing is what I call a big “Oups”, an inadvertent data leakage or creation of a point of failure. If you look at the Strava issue, when US soldiers shared, through the running application, the position of secret military sites, some blamed the applications, some the soldiers. The truth is somewhere in between. It becomes more and more difficult to understand the impact of some actions, and the potential implications. The soldiers never wanted to share their position, the application never wanted to put soldiers at risk. The same applies to a recent attack performed on a casino through the fish tank, or more precisely through the Internet-connected thermometer in an aquarium in the lobby of the casino.
An incident like this explains in my view the biggest change in our status and how we are seen. We are no longer the nerds no one understands. We are becoming (hopefully!) the expert business wants feedback from. Business considers we are able to navigate into all the entanglements of IT, OT and IoT, new technology, new threats. This is a great change and a great power, which comes with great responsibilities. We can be a business enabler, but this is only possible with the right mix of technicity, collaboration with business and open-mindedness.
Cybersecurity is a fascinating domain, always evolving and mutating, with polymorphic attacks. My aim now is to promote more diversity, on age, gender, origins or background, to build a resilient team that would be able to cope with this ever-changing landscape. The low diversity of current Cybersecurity manpower is a weakness we must address. Opening our world to different profiles is an interesting way to solve the current manpower shortage.
I strongly believe that building a team and assembling talents is one of the key missions of today’s CISO in order to achieve cyber resilience.