Stephane Lenco is passionate about aerospace and cybersecurity. He holds an engineering degree from ENAC (National School for Civil Aviation) in Toulouse (France) with majors in Air Traffic Management and Computer Science.
Cybersecurity has been his main job focus since 2007, notably as Group CISO for Airbus until 2018, where he founded the Airbus CERT. As a convinced European, he is currently a member of the ENISA “Permanent Stakeholder Group” for the 2017-2020 tenure. He has been CISO at Thales Group since early 2019.
Stephane keynoted at events such as “the Australian Cyber Security Conference” on topics like Cyber Security Strategy and Awareness and at the “Wall Street Journal Cybersecurity Executive Forum” on creating a cyber culture.
Why did the role of CISO appeal to you?
Prior to taking up a CISO role, I had occupied roles in programme management, IT infrastructure management, and IT & IS strategy. I liked the ability to see the big picture in those jobs, and to contribute to making the company’s business perform better, faster or cheaper. But the CISO role is one of the few that has a complete 360 view on a business. No two days look alike, and interactions with the core business are rich and fruitful. While it is not exempt from job stress, that is highly satisfying.
How can security executives get that “buy-in” from the top?
First of all, you need to speak the language of whoever you talk to. Quit the tech-savvy language, make your speech understandable in English (enough with acronyms already!), and highlight the stakes for the company in your board’s terms. Then speak reality, not promises that can’t be kept. Silver bullets never existed, and you will never be 100% safe. Speak about risks and ways to make them acceptable – by what time? For what budget? Ultimately, what support you need, and what’s in it for “them”.
In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of a cybersecurity awareness program?
Humans perform better with a sense of meaning. The “why” is what gets people onboard. Security is felt as “added time or effort”, sometimes perceived as “needless or excessive”. The role of the awareness program is to reconnect people with “what’s at stake” (the risk of their actions), and the “why” of what is expected from them. This is a combined effort between employees and the security team. The investment in transforming people into your active defence takes time, but it is worth it because no solution will be better than 80,000 active employees in security.
People are your best asset for defending your company once they “get it” – never forget to make it “do-able” for them. The solutions we implement for them must be adapted to their activities, and for this the security team must understand the business needs. A password-changing policy of “daily with a history of 400 previous entries” will not be successful no matter how well you communicate.
We have recently witnessed a spate of massive DDoS attacks via IoT devices configured as botnets. Do you think legislation should mandate device manufacturers to meet minimum cybersecurity requirements to avoid this kind of incident?
Indeed, security of these devices is a clear and present concern. We all have a “do your security basics before” view in some shape or form, but buying devices that have no “minimum cybersec” is building for failure. Legislation is a way to achieve the goal, but that legislation must also consider the consequences of how it is phrased. A device cannot be kept up forever; it is economically unsustainable.
Also, forcing security updates drives an obligation of connectivity with assorted risks (or concerns for disconnected-by-design environments). ENISA is about to release a paper on this very issue, which we discussed at ENISA’s PSG, and which I believe will be highly useful.
Digitalization is a double-edged sword, offering incredible benefits but also entailing serious risks. What are your thoughts on this inevitable development?
That is where CISOs kick in. The right way is to be able to bake cybersecurity into the tools and processes and to convince people. I’m typically actively working with our Chief Data Officer and Data Protection Officer to make things right from the start, and iterate to improve. At some point we need to reduce the risk from “performing digitalization”, so that the question that remains is whether or not the “act” itself is acceptable for ethical, personal or belief reasons, for instance.
What is the best way to foster an image of information security being there to help support the business rather than just being about the raw technology?
I believe in standing alongside the business every step of the way. My job is to work out the how once we have agreed the risks we’re both willing to accept. That includes making that risk understandable and understood, as well as making sure I understand the business benefits of an initiative.
You’re successful when your business explains the risks, you’re able to explain the business benefits, and both sides are tempted to say “if I were in your shoes”, as happened to me some weeks ago.
The role of CISO is an evolving role where no two days are alike. It certainly came from a technology field, but it requires human skills to be successful – accepting that risks shall exist, and that humans are your best defence if you have successfully conveyed your vision.