I have worked for VINCI Energies for over 10 years, giving me the opportunity to cover and improve my skills across a lot of the IT infrastructure landscape: IT Support, Infrastructure Admin, Database Admin, ERP and IT Architect.
With more and more threats coming up, my board decided 3 years ago to build a new team called « Monitoring & Security », and we are putting our IT Security Program into practice across our large company Group.
So I am a young CISO & DPO, passionate about new technologies and, along with a great team, improving day to day to reduce IT risks in a complex Group working on different Business lines.
It’s all very exciting!
The CISO’s role is a very high-pressure, high-stakes job. What is the right profile for this job?
The pressure on the CISO is already at a high level and will continue to grow with the multiple new threats. The CISO must deal with it as a reality.
The CISO needs to have a multi-faceted profile, as he needs to:
- Understand Business requirements and risks
- Involve people in a Security Program and give opportunities (positive) instead of constraints (negative)
- Deal with very large technical scopes (Infrastructure, Networks, Identities, Devs, Legal, Applications, Middleware, Hardware, Software, etc.)
- Communicate to different people (from board to end-users)
- Communicate inside (users) and outside (customers and suppliers)
Therefore the CISO needs to be either flexible or strong, depending on the topic and the risks.
This high pressure needs to be like adrenaline and not a brake.
For security executives who don’t have a strong relationship with their board, how can they improve it?
The relationship between Security and the Board depends on the organization. Some CISOs are directly linked to the Executive Committee and some CISOs form part of the Information System Department (which is my case).
If a strong link between Security and the board does not exist, strong sponsors have to be involved in the process. I am fortunate to have the support and sponsorship of my CTO and CIO, and they will always assume this indirect link.
By the way, this does not preclude having a direct link. Sharing security awareness, raising business risks, reporting security incidents and proposing innovative protections could be some good practices to improve relationships.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
Security leaders can’t change minds in a whole organization by themselves.
First of all, Security leaders can help to create a Security Awareness Program based on Security policies defined in the organization. This allows them to focus on people, channels to be used, and messages to be shared. Building e-learning, Mobile Apps, or videos can provide a « Security Awareness Program Kit » to be reused.
The next step is to identify messengers:
Security Correspondents or « Security Champions » could be designated in order to relay this Program.
Therefore HR lines could help to integrate Security training during employees’ careers.
Raising interest, realizing, adopting and measuring are the main steps of the security awareness program, which needs to be created between security leaders and the business and deployed by the business.
What are the biggest challenges you face in the year ahead?
Some challenges remain unavoidable every year and we need to stay focused on “Security by Design” in projects, legal compliance, audits, incident response, security awareness, etc.
From my point of view, the biggest challenge will be to enhance security on decentralized IT with the explosion of information managed by IoTs, APIs and inter-connected systems.
Finally, as basic security protections managed by humans are still not enough to confront new robot threats, innovation in cybersecurity is already a challenge. We are studying startup programs on AI, Blockchain or Bug Bounty topics.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
Everything is in the cloud and every employee can become an IT Project Manager. The idea of including security in 100% of projects is a utopian one.
For managed projects, providing a « Security in Project Kit » with risk analysis and out-of-the-box countermeasures can help protect projects without breaking short-term planning.
For others, monitoring tools can help security teams to detect shadow IT and help keep risk to an acceptable level.
Could you offer advice on how CISOs and CIOs can work together?
In reality, both have the same objective: delivering IT services with good SLAs (availability) that are both robust (integrity) and hermetic (confidentiality).
The CIO needs to follow his IT Program, including the security requirements of the CISO, so maybe it is something best discussed between them in a good restaurant!
The CISO role is fantastic, as it is at the center of people, projects, and business risk analysis.
It is transversal, currently buzzing on all forms of media, for personal and professional purposes, and covers a lot of capabilities – but sometimes the days & nights are very long.