CISO of the Week – Sofiane FEDAOUI, Head of Information Security, Vialink
Sofiane FEDAOUI has been Head of Information Security for Vialink (a BRED Banque Populaire Company) since 2016. Prior to this, he was a senior Information Security Auditor specializing in TSP (Trusted Services Provider). His extensive experience in Trusted Services, Compliance and Business Continuity allows him to maintain privileged relationships, both technically oriented with CIOs and business oriented with Board members.
Brief Background:
- 2009 : Security & Compliance Project Manager
- 2012 : Technical Product Manager (PKI, HSM, SmartCard, Electronic Signature, …)
- 2014 : Senior Security & Compliance Auditor
- 2016 : Head of Information Security, Compliance and Control
- Computer Systems Engineer
- Master in Security of Contents, Networks, Telecommunications and Systems
- ISO 27001 LI, ISO 27005 RM
How can a CISO work with a CIO?
If the CISO does not report to the CIO, the main objective for a CISO in his relationship with the CIO or the technology team is to define a process that takes security into account at several levels, especially:
Before and during the change management process (Security by Design)
- Functional Managers must specify the security requirements validated with the CISO.
- The Project Managers / Product Managers must translate these requirements by integrating them into the functional documentation. Collaboration with the CISO is also very important at this level.
- The Developers must implement the requirements and security controls required by the Product Managers.
- QA (Quality Assurance) must verify the implementation of the requirements specified by the Product Managers, and this verification must be materialized by a “GO SECURITY” and a “GO PRIVACY” in addition to the famous “GO QUALITY”.
After the change management process
Trust does not exclude control: penetration tests and regular compliance audits must be performed by independent entities to validate the successful execution of the process defined between the CISO and the CIO / technology teams.
The process can include a quick communication plan between IT and Security collaborators.
How does one obtain the commitment of the Board/CEO?
Information security is a complex subject for Board members/CEOs, and their questions are precise and complicated. However, the CISO's answers must be short, complete and easy to understand.
Here are three ways to get Board/CEO commitment:
- Business Loss:
A CISO can work with the Business to identify opportunities lost because the organization's security level did not meet customer expectations/requirements.
- Security incidents and their consequences:
Major players have suffered security incidents. Due to these events, data protection has become a major topic for strategic and operational committees of organizations.
The subject becomes important and worrying for the leaders, who ask more and more questions and expect understandable answers that are both short and precise.
- A Strategic Committee:
A CISO must have a strategic committee chaired by a Board member/CEO, in the presence of the concerned actors (Chief Information Officer, Business Management, Communication, Legal Department, Financial Department, etc.). The three main objectives of this committee may be:
- Risk management
- Ensuring the concerned actors apply the security action plans
- Reporting to the board/CEO
Why must security be a process?
Security may be, for some people, a target to reach, in which case the answers may be more complex, especially as the target identified today may not be the same tomorrow.
This is why security must be the process to reach the target and not the target itself.
Security must be a series of actions which are carried out in order to achieve a particular result, and the actions must be executed by identified individuals.
What do you identify as the Business and innovation teams’ constraints?
Imposing security rules just because they are identified as best practice is the wrong way to get teams to work together in order to reach the identified security objectives.
So by working hand in hand with the business / innovation teams, the CISO must manage the risks between the Business / innovation constraints and the security rules.
What do you think about the importance of communication in the daily life of a CISO?
Communication is probably one of the most important tools a CISO should use to explain his vision and to take into consideration the point of view of others. In addition to his relationship with the Board/CEO, Business management and CIO, a CISO must have a special relationship with the compliance officers and the legal department.
Climate of security or security culture within the organization.
Since the main vulnerability in your company, as in many other organizations, probably comes from your own collaborators, you may say that you have a Climate of Security (some people talk about a Security Culture) in your organization if all collaborators ask this question before each action they take:
What is the security risk if I take this action?
The risk can be a result of the exploitation of any vulnerability by a threat with potential impacts.
The increase in security requirements in customer contracts is an issue. 10 years ago, contracts included one or two clauses on data protection and security. Today, complete appendices on Information Security, Business Continuity and Regulatory Compliance are automatically integrated, so CISOs have become key across all levels of the organization to meet contractual requirements, reassure customers and mitigate the associated risks.