CISO of the Week, Michaël Frippiat, CISO AXA Luxembourg
– Start of my career in 1998 as a web developer (PHP, Java and C#) for a public body (BE).
– 2008, at KBL (LU) as Head of IT projects for the international subsidiaries department.
– 2012, at Axa Luxembourg (LU): manager of an IT development team
– 2013: Information Security Officer and Head of Infrastructure at AXA Luxembourg
– 2016: Chief Information Security Officer at AXA Luxembourg
– Master in Management Sciences, Bachelor in Marketing and Bachelor in Management Computer Science
– CISSP, CISM, CEH, CHFI, ISO 27001 LI
Why did the role of CISO appeal to you?
When I was at KBL, I was struck by the attention to detail in all the projects we were doing. Even if it was painful some days, I was bathed for more than 5 years in this over-secure climate. This obviously leaves some traces…
When I arrived at Axa, I quickly realized that the level of maturity was not at all the same! Suddenly, when the opportunity arose to take over this department to develop the program of the Group, I did not hesitate a single second to take up the challenge!
When speaking the language of business to the boards, are there certain phrases CISOs should be using?
When I heard some of my former colleagues in charge of computer security in my previous experiences, they seemed to complain regularly that they lacked resources and were not well regarded.
Today, we have a tremendous opportunity, thanks to security news and regulatory pressure, to have our business recognized as an added value for the company.
For example, I would recommend that the young CISOs put forward the image gain that we will demonstrate to our customers through the application of ISO27001 standards rather than talking about recurring expenses to fund the procedure reviews.
How can CISOs better understand a business’ needs?
By working hand in hand with the business!
The developing trend is the practice of “DevOps” which means a close collaboration between the operational professions and the developers.
It seems that it works pretty well!
Why not also apply these concepts with computer security? It is by getting closer to people that we are most likely to understand each other.
Technological jobs that work in an ivory tower have been outdated concepts for a long time!
The biggest threat to your institution…
The first question to ask is: are my employees happy in their work? If so, the risk of seeing diverted or abused resources is really slim. The main risk will come, in most cases, from employees who are disappointed or dissatisfied with their management.
It is therefore important to monitor these people who could leave the company by doing maximum damage.
The second question is: do my collaborators know what they are exposed to in case of action harmful to the company? This problem can be easily addressed by conducting regular information campaigns to raise awareness of the company’s rights and responsibilities regarding the use of IT resources.
How do you predict the future of authentication in online banking?
Easier than ever!
Personally, I use the services of Belgian and Luxembourg banks and I must admit that progress is especially marked on the ease of connection and the fluidity of the user experience.
For example, my Belgian bank is closely monitoring the technological developments of mobile devices such as FaceID which allows users to log in by scanning the owner’s face.
Payments between customers of this bank have become as easy to use as sending a simple mail!
In the future, the real challenge will be to maintain, if not improve, the overall level of security protection while simplifying more and more access. I would therefore see biometric authentications coupled with OTPs that would be required for sensitive operations.
In any case, I strongly doubt that the passwords will remain very long as a means of authentication.
Why are financial institutions more open to share information…
A few years ago, I had the opportunity to work for a private bank whose security culture was really very advanced compared to the competitors of the Place of Luxembourg.
Unfortunately, this company practiced security through opacity and therefore communicated very little externally about its practices. As a result, every company of this type did the same, to the delight of hackers.
Today, these mentalities have really evolved, thanks to (or because of) news more and more loaded in terms of computer security, but also following the growing involvement of financial organizations in certain types of attacks, including phishing.
These companies are major players in the economy and have realized quite quickly that if they do not form a common front against these growing threats, they will not be able to resist them effectively.
Another reason for this change of mentality was undoubtedly the pressure of their customers to prove to them that their assets were really safe and that they could demonstrate their resilience, notably by the adoption of global standards like ISO 27001/27002.
In Luxembourg, there are now many opportunities to share one’s experiences with one’s colleagues (CISO clubs, sponsored meetings, …). I think that the small size of the country gives it great reactivity, and it is really a plus for our ecosystem!
I really hope that the world of IT Security will copy-paste this model as much as possible in order to grow our community!