CISO of the Week – Yohann BAUZIL, CISO and DPO, Airbus OneWeb Satellites
Yohann BAUZIL joined Airbus OneWeb Satellites (AOS) in early 2017 and holds the role of Chief Information Security Officer and Data Protection Officer for the French entity. AOS is a small structure (between 300 and 400 people) and was created as a joint venture between an Airbus entity and OneWeb. Located in Toulouse (France) and Cocoa (USA), AOS is in charge of building the OneWeb spacecraft constellation.
Regarding his technical background, Yohann BAUZIL is an IT Engineer with more than 10 years' experience in Network, Security and Project management. Since 2008, he has worked for Airbus Defence & Space (ADS) as IT Project Leader and Expert in Network and Security for all the ADS spacecraft launch campaigns.
Working directly within the business all these years, he has always maintained the same approach: “IT and Security have to work for the business.”
What is your overall approach to information security?
I consider that the way each one of us practices security is directly linked to his or her personal experience. Let’s give some context to my story: as I said, my experience was deeply integrated into the ADS business, within all the operational teams which were working directly on the spacecraft.
Today, it is the same story: I’m working on a daily basis to be sure that our team is 100% dedicated to our business. Understanding their needs, being able to provide a pragmatic but secure solution and implementing it in agreement with our production activity is our main mission. There is no secret: if you are not fully available for your business, we all have to be aware that they are smart and they are able to do without Security.
If Security is a ghost in your organization, people are going to deal without it. In my strategy, “No” is not an acceptable answer when the business has a need. Sometimes the business comes to you with a solution rather than a need, and our job is also to explain to them how to express their need. If the answer should be “No”, don’t say it – “Yes, but…” is always preferable.
If you always say “no” when the business has a need, people are going to find a solution without you: be smart, be part of the solution and adapt your conviction every day. I always prefer to have 4 or 5 security measures which are accepted by the business and will be 100% applied, instead of writing a 20-page security plan which will never be read…
How important is it to have the management thinking that security matters?
From my point of view, this is not just important; it is an absolute priority. Security is not made by the CISO and the Security team; Security is made by the people who act, with the blessing of the Management, and in every company that is our business, which acts daily for the firm.
The CISO, whether good or bad, is just an orchestra conductor trying day after day to give people direction. The most important thing in this mission is to be followed by others. Furthermore, if we can give the “right” direction, it is always easier to be legitimate.
Without a Management strongly convinced by the security strategy, it remains very hard to involve the business and get it to adhere. Security always has to be a solution, never a part of the problem: if our Management does not see it, the business will not follow Security.
How can CISOs better understand a business’s needs?
For sure, my experience is related to a small structure and might not be applicable to a large firm. In a human-scale entity, the CISO has to understand what people from the business are doing; he has to have a daily exchange with them.
Let’s take a standard way regarding a new need or project:
1) Expression of need.
2) Technical solution proposal.
Most of the time (and even if it should not be the case) the CISO comes in only at phase 3. Even if it is not his role within the organization, if a CISO wants to understand a business’s needs better, he should be able to answer, technically speaking, during phase 2.
Having to validate a technical solution that you are not able to design or to propose, even at a high level, is certainly a hurdle to a global understanding of our business strategy and day-to-day activities.
Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should institutions address these risks and what has really worked for you to mitigate these risks that you would recommend others might also do?
In our risk analysis, email attacks (spear phishing) and ransomware are at the top of the common attacks. Often simple, this kind of attack can be devastating, and no matter the size of your firm, with just one person attacked and trapped, your whole organization can be down for a long time.
It is obviously easy to say, but awareness and regular training are more than 50% of the solution and a real effort has to be made. It represents a cost and it takes time, but it is mandatory as a first fence against these attacks. However, regardless of the quality of your awareness, you cannot leave your users alone against these kinds of threats.
From my point of view, a technical solution helping users is also something mandatory against phishing and ransomware. Some tools are very impressive on this topic – I’m thinking of Phishbots (a young French startup), whose solution would help a targeted organization a lot for a reasonable price per user. On a more technical matter, because as a CISO you have to understand how things are working technically, do not hesitate to block communication between computers on your network. This could appear to be a basic recommendation, but computers do not normally talk to each other on a network, and when they do, it is during an attack and it’s too late…
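The recommendation above (workstations should not talk to each other, and when they do it is a signal worth acting on) can be turned into both a policy and a detection. The following is an added example, not code from the interview or from Airbus OneWeb Satellites: it applies a default-deny workstation-to-workstation policy to a few constructed flow-log lines and reports which sources are fanning out to their peers. The subnets, the log format and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed network plan (not from the interview): one workstation subnet, one server subnet.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.20.0/24")]
SERVER_NETS = [ipaddress.ip_network("10.10.1.0/24")]

# Constructed sample flow log, one flow per line: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
# 10.10.20.15 reaches a file server, then starts contacting three peer workstations on SMB/RDP.
SAMPLE_FLOWS = """\
2024-01-01T08:00:01 10.10.20.15 10.10.1.10 445 tcp
2024-01-01T08:00:03 10.10.20.15 10.10.1.11 443 tcp
2024-01-01T08:00:07 10.10.20.15 10.10.20.16 445 tcp
2024-01-01T08:00:08 10.10.20.15 10.10.20.17 445 tcp
2024-01-01T08:00:09 10.10.20.15 10.10.20.18 3389 tcp
2024-01-01T08:01:00 10.10.20.22 10.10.1.10 445 tcp
2024-01-01T08:01:05 10.10.20.22 8.8.8.8 53 udp
this line is malformed and must be skipped
"""


def in_nets(ip, nets):
    """True if the address belongs to any of the given networks."""
    return any(ip in net for net in nets)


def parse_flow(line):
    """Parse one log line into (timestamp, src, dst, port, proto); return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        port = int(parts[3])
    except ValueError:
        return None
    return parts[0], src, dst, port, parts[4]


def policy_verdict(src, dst):
    """Default-deny between workstations; everything else is left to the normal perimeter rules.

    This mirrors a host-firewall rule set where the workstation subnet is blocked from
    initiating connections to itself, while workstation-to-server traffic stays allowed.
    """
    if in_nets(src, WORKSTATION_NETS) and in_nets(dst, WORKSTATION_NETS) and src != dst:
        return "deny"
    return "allow"


def peer_to_peer_flows(log_text):
    """Return the flows that the workstation-to-workstation policy would deny."""
    denied = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, port, proto = flow
        if policy_verdict(src, dst) == "deny":
            denied.append((ts, str(src), str(dst), port, proto))
    return denied


def fan_out_by_source(denied_flows):
    """Count distinct peer workstations each source tried to reach: a lateral-movement indicator."""
    peers = {}
    for _, src, dst, _, _ in denied_flows:
        peers.setdefault(src, set()).add(dst)
    return Counter({src: len(dsts) for src, dsts in peers.items()})


if __name__ == "__main__":
    denied = peer_to_peer_flows(SAMPLE_FLOWS)
    for flow in denied:
        print("DENY", *flow)
    for src, count in fan_out_by_source(denied).most_common():
        print(f"{src} contacted {count} peer workstations")
```

Run against a real export, the same two functions give you the rule to enforce (every "deny" is a connection a host firewall or switch ACL should have dropped) and the alert to raise (a single source fanning out to several peers in a short time). Malformed lines are skipped rather than crashing the pass, and the server subnet stays reachable so that legitimate file-share and intranet traffic is unaffected.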
How do you see the future of online authentication?
Today, a computer is a weapon. To use a weapon, it’s better to be trained. Whenever I hear about some mass phishing attack hitting hundreds or thousands of people, I think we cannot leave people by themselves.
There is nothing more to be convinced of now: only having a username/password is no longer an acceptable form of protection today. Using a website (bank account, email provider, social network) where two-factor authentication is not available should not exist anymore!
We can say many things about Google, but their drive to secure web surfing on the internet with the Titan Security Key is, from my point of view, a very good message. This kind of solution can be your blast shield; do not hesitate to have a look for your personal life or for your firm. For me, this is the “future” of online authentication. From now on, people have to understand and adapt how they are using and consuming the Internet.
A step further, another very interesting point: in the crypto world, for example, you simply protect your account with a private key (which is the result of a strong hash). All the fundamental and common principles about authentication – “two-factor authentication” or even the principle of “identification of the user” (your login) – do not exist anymore! From my experience, this way of authenticating is too avant-garde and there seems to be evidence that people are not yet trained for that…
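To make the "password alone is not enough" point concrete, here is an added example, not code from the interview or from any product it names, of the most common second factor: a time-based one-time password (TOTP, RFC 6238) checked next to the password. It uses only the Python standard library, a constructed user record and the shared secret from the RFC test vectors, and it shows two details a practitioner should get right: a small clock-drift window, and refusal to accept the same code twice. A hardware security key such as the one mentioned above replaces the shared secret with a signature from a private key the server never holds, which is the stronger design; the TOTP flow below is the simpler one to demonstrate offline.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (a constant for the example only;
# a real deployment generates a random per-user secret and shows it once as a QR code).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Checks a submitted code against the expected one, tolerating one step of clock drift
    and rejecting any time step that has already been used (replay protection)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed (or older than something already consumed)
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


# Constructed user store: the password is stored as a salted PBKDF2 hash, never in clear.
def make_user(password, totp_secret):
    salt = b"constructed-salt-not-random"  # example only; use os.urandom(16) per user in practice
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "verifier": TotpVerifier(totp_secret)}


def login(user, password, code, now):
    """Both factors must pass; the password is checked first so a wrong password never
    consumes a valid one-time code."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    return user["verifier"].verify(code, now)


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SECRET)
    now = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("password + code:", login(user, "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print("same code again:", login(user, "correct horse battery staple", totp(DEMO_SECRET, now), now))
```

The replay check is what turns a one-time password into something actually one-time: an attacker who phishes a code still has to use it before the legitimate user does and within the drift window, and the second attempt in the demo is refused. The 8-digit value for the same secret and time is the "94287082" listed in RFC 6238, which is an easy way to confirm an implementation against the standard.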
How important is being able to communicate with your colleagues?
The CISO and the Security Team are just a very small part of the overall gearing. “Security by design” and “Security by default” are very important principles, which are not always applied in a small entity. If the CISO wants to be able to help others and wants to apply major security principles, Security has to be part of the overall project, and communication with colleagues is definitely the key.
In our structure, the CISO is in the CIO’s team. This proximity permits closer working with all the actors of IT: Backoffice, Frontoffice and Network, but also with the business on a day-to-day basis.
This way, most of the time, Security is involved early in every new project and this allows us to orientate our business as soon as possible in the direction matching our security requirements.
Do you feel a sense of awareness with regards to cybersecurity in your industry?
An important point in our context is that people are aware that they are working on a major project for the space industry. This point does not guarantee that everybody has a good level of awareness regarding Cybersecurity, but everybody knows and understands he or she could be a potential target. From my experience, over the last 10 years, people realize more and more every day the potential danger of cyberattacks.
I strongly believe that the media coverage of some famous crypto-attacks, like WannaCry, is a very good message to allow into the collective unconscious. All the threats that people are seeing in their personal lives are always a step ahead regarding awareness for their professional lives.
When you meet some people talking about a WannaCry attack against a British hospital early in the morning at the coffee machine, this means that things are changing, and mainly changing in the right direction.
Airbus OneWeb Satellites is involved in a revolutionary project for the satellite industry. Three years ago, this project seemed crazy; in three years, it will have been proven.
I am strongly convinced that one day it will be the same regarding Cybersecurity… Everything we were preaching in the past will become obvious for future generations…