Cybersecurity Leaders – Philippe Netzer-Joly, Group Chief Cyber Security Officer at Arkema
Philippe Netzer-Joly is the Group Chief Cyber Security Officer at Arkema, a global company that designs materials to address the ever-growing demand for innovative and sustainable materials.
For more than 20 years, Philippe has led major projects and departments in leading companies in the distribution and industry sectors. He started his career in the Client Management and Innovation fields, and he caught the cyber security ‘bug’ about 15 years ago, going on to take over the operational security of large international companies.
Philippe graduated from the University of Montpellier with a master’s degree in Computer Science and Networks.
Why did the role of CISO appeal to you?
I started to work on cyber almost 15 years ago now, through a Digital Identity Program. At that time, cyber may not have been as visible as it is today, and we’ll come back to that, but I very quickly found the drivers I like for communication, business transformation and innovation to be integrated into the company.
The role of CISO is a cross-functional role in companies that addresses its governance, its core business and its support functions. Beyond its mission to secure the company, its position must also make it one of the facilitators of the company’s digital transformation, and this is perhaps even more true in industrial companies with an acceleration of IT/OT convergence.
Beyond competence in cyber, a CISO must have the soft skills of communication, diplomacy and strategy, with good stress resistance. No two days are ever the same and you never know what your day is going to look like.
How can security executives get that “buy-in” from the top?
Given the level of digitalization of companies, their performance is increasingly dependent on the resilience of their digital activities and the security of their information systems. Also, nowadays the top is already aware of the cyber risks with an increasingly enlightened perception of the risk of cyber-attacks.
A CISO must communicate permanently with the top and not only at the time of a cyber incident or for the annual budget exercise (most often to request an increase in the cyber budget). In this communication exercise, the CISO must make the top adhere to their strategy by explaining the underlying issues and the context of the cyber threats. Once this strategy is validated, the CISO has to bring people and metrics to the table (budget, progress, resources…).
Whenever possible, the CISO has to benchmark cyber maturity against their peers on the basis of a recognized standard such as NIST, the ideal being to have metrics for their sector of activity. It is also necessary to bring concrete threat elements that exist in the company from the Security Operational Center – when the company has one – and from penetration test campaigns against the company’s information system (Red Team campaigns). And above all it is necessary to exclude any technical jargon and to address the top with analogies allowing them to very quickly understand the subject and what you expect from them.
How can CISOs better understand a business’ needs?
The CISO must take an interest in the business lines of his company and its operational, financial and regulatory constraints. He must participate in business meetings to simply listen and understand the imperatives and issues at stake.
The more he is in touch with the business, the more he will be able to adapt his strategy to the business, as well as his execution plan to the business stakes, and thus the business, in return, will see the added value of cyber; it is a virtuous circle.
But for this to work, the CISO team must also be close to the field: they must know the business and they must be known to the company’s business teams. And the CISO has to ensure that.
One simple way, among others, is to read the thematic posts (supply chain, manufacturing, finance…) in company social networks. They contain a mine of very interesting information and sometimes questions about cyber security. Thus, this corporate social network can become an efficient communication vector and a permanent link between the business and the cyber teams.
Threats are everywhere and always changing. How can we address this difficult reality?
It is true that threats are increasing at an intensity level never before reached, with an almost immediate propagation capacity due to the hyper-connectivity of companies. The sophistication of some attacks is also very high, even though the vast majority of attacks are opportunistic, and so no one is immune to a “stray bullet”.
In the face of this complexity, a strategy should be built around three axes:
- The application of the basics of IS protection – even if it is not “trendy”, companies must continue to invest in it and not lower their vigilance. Without being exhaustive, these rules of hygiene are based on user training (to reduce the risk of phishing and CEO fraud attempts), managed and up-to-date antivirus protection for all systems, management of technical vulnerabilities (patch management, obsolescence management, etc.), network segmentation to avoid or slow down the spread of threats, controlled management of access to the Information System and applications, including SaaS applications, applying the principle of least privilege, and so on.
- The Cyber Defense capabilities built around a Cyber Security Operational Center (SOC), whose operational model must evolve. Today’s SOC, based on a central detection and log correlation system (a SIEM), needs to evolve in order to set up capacities and skills dedicated to certain verticals (O365, AWS, Azure, Industrial, etc.) and thus enable the implementation of security solutions orchestrated as close as possible to the threat, with adapted tools that will enable an automated response. This automation of the response makes it possible to meet the challenge of the speed of propagation of the threats, but also allows the SOC teams to invest time in the search for low signals (Threat Hunting) and understanding of the threat (Threat Intelligence).
- And finally, it is necessary to prepare to be impacted by a major attack and to react quickly and adequately by activating the cyber crisis management process and, if necessary, the Business Continuity Plan, while being able to rebuild all or part of the Information System.
How can CISOs balance security and innovation?
The innovation process for a company is inherent to the evolution of its offer to market expectations. It is a question of the company’s survival in the medium/long term and more and more this innovation process is linked to digital innovation, therefore exposed to cyber risks. Thus, the question is not so much “how to balance security and innovation” but rather “how security is going to support and be integrated into this innovation”.
The challenge here for cyber teams is to ensure that the subject of cyber is not an exogenous subject to the innovation process but an embedded part of it, which is often translated in an overused way into “security by design”. It is by achieving this integration that the Cyber can be an enabler of innovation in the sense that it will allow the exploration of new uses in the most secure way possible for the business.
For this to become a reality, the CISO needs to “infuse” the subject of cyber throughout the organization so that everyone can understand the main issues at stake. The CISO will also need to successfully achieve the Human Resources transformation of the cyber security community within the company, by developing new skills and ways of approaching the subject of cyber security, focusing less on infrastructure and more on data and identities.
You’ve been in the industry for 15+ years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
We have gone from a threat that was primarily aimed at demonstrating the possibility of hacking a system where the trophy was to make a name for a feat to an increasingly organized, systematic and violent criminality with sometimes the sole objective of destroying an Information System. This last trend is even more dangerous when it targets industrial systems where human lives or the environmental balance are at stake.
Attacks have become a new weapon of deterrence for countries where each country displays its strengths in this area in an assertive manner. There is no longer an armed conflict in the world that does not use cyber-attacks in addition to conventional weapons. We are also seeing the emergence of the use of cyber-attacks by groups of hacktivists to make their cause heard, using increasingly sophisticated disinformation tools. All of this is made even easier by the fact that you can buy “off-the-shelf” cyber-attacks for a few bitcoins.
And at the same time the position of cyber in companies has evolved considerably, moving from a technical subject entrusted to an expert in networks and firewalls who could be nicknamed “Mr. No” to multidisciplinary teams that are highly specialized and coordinated by a CISO who is at the table of the company’s senior management.
The greatest challenges in the discipline of cyber security are still ahead of us. In corporate organizations, a more holistic approach to the threat will be required, whether it is in the physical or the cyber world. In the field of human resources there is a great challenge to be taken up because of the lack of resources and global expertise, which will require the creation of vocations in universities but also in companies, in order to redirect some of the employees into cyber security professions.
And finally, it will be necessary to develop the field of application of cyber security in new emerging fields such as Artificial Intelligence, machine learning, data analytics and quantum computing, to name just a few examples, all while taking into account a context of increasingly restrictive local regulations.
We’re not about to get bored and that’s just as well!