CISO of the Week, Stéphane Nappo, Société Générale
He has been a senior consultant specializing in IT security since 1995. His extensive training in telecom, business administration, and law allows him to take a unique approach to solving technological and business-related issues. He has worked for over 80 organizations in numerous sectors.
He implements conventional risk management methods with a systemic and pragmatic approach to complex problems. Based in Paris, he operates regularly in Russia, Central Europe, and Africa. His current mission targets digital services security, anti-fraud prevention, incident response and the digital transformation of information security.
How do you articulate the three-pronged approach of people, processes and technology?
Today, cyber-security is much more than a matter of technology. Beyond tools, the emerging sophisticated threat implies merging business management and security. Many sophisticated attacks start from social engineering or just an email. If the offense targets humans and processes, the defense must be aligned accordingly. In this context, the CISO’s scope must associate people, processes, and technology in a consistent security framework.
Building and articulating such a triptych framework might be challenging if the CISO’s mission statement and reporting line with senior management are not efficient. Nowadays, security missions imply embracing and pooling transversal topics that span departments like IT, organization, HR and even compliance.
This cross-disciplinary playground is underestimated in the skills requested of cyber-security. The CISO must remain a good technical expert, but this role must be supplemented with deep business understanding, strategic communication, psychology, legal, and many other abilities. Beyond the challenges, I really think this evolution represents a positive rebirth for the CISO profession.
For security executives who don’t have a strong relationship with their board, how can they improve it?
Communication, communication, communication! Probably due to a secrecy culture, security executives are often too reserved. This holds true even if user awareness is more and more developed.
First of all, a relationship with the board presupposes having direct access to the board on a regular basis. In that case, the security executive must use the language of the board members. This may sound obvious, but many security professionals are misunderstood because they use security semantics. Lastly, it is important to align with board members’ centers of interest. All security topics must be aligned with strategic stakes (e.g. user experience, customer trust, time to market, profit, enterprise image, etc.).
Furthermore, too many security executives limit their intervention to reporting on action plans and figures during board presentations. Complementary to achievements, it is crucial to show the empty part of the glass with security gaps and propose solutions with the associated budget and means.
Finally, the threat must be a factor to consider, but never a way to scare the board. Fear is not a good tool for cooperation. Thus, correctly inform the risk owners and bring a positive but pragmatic vision of security (we must cope with this phenomenon…; if we do nothing, we will pay twice: once for the hacker, once for security mitigation afterwards…).
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
Indeed, I deeply believe that a security culture can achieve more than a prohibition posture. People are and technology can’t secure everything. Between seat and screen, there is not only the user and a fading memory of the last security awareness campaign. There, we must add a societal security culture and a broad range of convenient security procedures.
As of 2017, humanity has been majority-connected to the Internet. Technology alone won’t stop the user from being one click away from the next security breach. Beyond technologies, security is a matter of culture and procedure. “If you want to build security, avoid straining people, but rather teach them to be vigilant and to long for customer trust and satisfaction”.
Furthermore, today’s need for a security culture is not only “within” the organization. Considering security is no longer only about the systems you manage, but also about all the third-party systems you depend on, security culture must broaden to a societal dimension between enterprises and at the national level. As a data protection pioneer since 1978, France is taking this cybersecurity challenge very seriously at government and enterprise level.
What security challenges does the financial industry face?
Security challenges are numerous. During recent years and particularly during the last few months, the Financial Services Industry has been seriously attacked, including DDoS, ransomware, APTs, IP hijacking, achieving a new record data breach every quarter. The list of security challenges is long and we will have to live with this phenomenon.
A holistic vision can help to build the comprehensive approach we need nowadays. Currently, the security challenge landscape is wider than cyber-crime. The real scope includes five main factors: cyber-threat, technology issues, business evolution, behavior gaps and legal compliance. In addition, security funding is asymmetric: it saves money for the enterprise and is a strong source of profit for the offence side.
Threat must be demystified. This latter issue is mainly the reflection of enterprise weaknesses and gaps. And security basics (vulnerability management, access rights review, password policy, system hardening, vendor management, awareness, etc.) are often 20% of costs and 80% of risk coverage…
How can CISOs balance security and innovation?
Innovation fuels three fields: progress, threat, and security. Considering this, CISOs must adopt a nuanced approach to balancing security and innovation:
1. Support innovation projects with an agile security methodology.
2. Take into account new sophisticated threats and monitor them.
3. Use innovation as a security solution. This last point is important: the threat is agile and well funded, and the weaponization of innovation is a reality (automated hackbots, crime as a service, Darkweb, etc.).
Considering the hacker is a step ahead of the regular IT security market, the CISO must implement innovative counter-measures, and this approach has to leverage the startups’ offer. We are progressively attacked by robots and we must answer with Artificial Intelligence. “Human beings with a mouse can’t answer hundreds of events per second”. As an example, the Security Operations Center (SOC) must implement AI to analyze the substantial cyber-noise and let human experts treat the real offences.
What is the best way to foster an image of information security being there to help support the business rather than talking about raw technology?
To foster the right image, the CISO must shape a customer-centric security approach and look beyond their own production means to see the true picture of cyber-risks. Digital services increasingly rely on external factors. Beyond raw technology, security must broaden its scope and imagine how to ensure a ‘known and consistent’ risk level with in-house and outsourced means. Referring to the value chain is one of the keys: security must shift from the supply chain to the value chain.
Consider that “it takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it”. In this context, one of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks.
One of the best approaches is to keep positive and pragmatic. Fix the basics, protect first what matters for the business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation. Sound and balanced cyber-risk appetite is vital for business. The CISO must be seen as a risk dietician more than a policeman.
At Société Générale, we believe that nothing is as strong as team spirit; I warmly thank the teams I work with.
CISO is a fantastic role.