Cybersecurity Leaders – Youssef Saidi, CISO @ Société Générale Maroc
Cybersecurity Leaders – Youssef Saidi joined Société Générale in 2002 following a scientific education and advanced academic training. He obtained a PhD (Doctorate) in Physical Science at the University Mohammed V in Rabat in 1999; a computing component was already present in his PhD work. In 2001, he further strengthened his knowledge and skills and obtained an engineering degree in IT and Computer Science from ORT (an organization in France).
He joined Société Générale to work on the Internet Access Point. In that role, he observed the risks of the web and the damage cyberattacks can cause to businesses and customers. He then became interested in the security of the internal systems and in 2006 started to work on the risk analysis of the bank’s projects.
He has contributed to and supported all the bank’s transformations since 2002. In 2008, he became responsible for IT security. In 2014 he was appointed deputy CISO (RSSI). Since 2018, he has held the role of the bank’s CISO and head of the Risk and Security department.
The job of CISO is never going to be an easy one. The bad guys only have to be right once. How do you deal with that seemingly impossible challenge?
Any security breach or incident has a significant impact on the image of the company and may result in substantial damage. The mission of the CISO is to anticipate, prepare and protect the company against any potential incident. The challenge is indeed difficult, but it is also motivating and rewarding. The biggest challenge is that threats are in continuous evolution. Overcoming today’s threats is not a guarantee against future ones. The digital transformation initiated by companies in recent years has increased the potential entry points for cybercriminals. There is an increasing number of systems in the company, generating large amounts of data and information, and it has become very challenging to detect malicious activities among the large volume of information available. It is therefore crucial to have a global strategy relying on the human element as well as the processes. Technologies used or developed are meant to support this effort rather than being an end goal.
To succeed in his mission, the CISO must:
- Put people at the center of the strategy. The human element is often the weakest link in a security process. Yet, colleagues remain the greatest asset against external threats. Having them central to the IT security strategy allows them to leverage their ability and intuition that no automated security tool can offer. Well-trained collaborators remain alert and cascade relevant information up in a timely manner to allow targeted actions. When employees ignore or fail to identify suspicious activities and messages that the IT system displays for them, this represents missed opportunities to identify, properly act on and quickly adapt to security breaches in time.
- Remain up to date with the evolution of the field of cybersecurity and associated technologies. The most efficient way to fight cybercriminals is to remain well informed and to access the latest developments in a timely manner.
For security executives who don’t have a strong relationship with their board, how can they improve it?
Given the impact of cyber security on the activity of the company, the CISO-Board interaction has intensified a lot in recent years. This led to an evolution of the role of the CISO. The latter is in contact with various stakeholders and therefore has to adapt the communication and translate technical matters into messages that can be used for decision making. In doing so, the CISO has to move away from the technical comfort zone to better understand the business, the interdependencies and the risks.
Building a good relationship with the board and streamlining communication and exchange is central to the success of the cybersecurity strategy in the company. On the one hand, it is essential that the CISO knows the expectations of the board, their questions and concerns. On the other hand, the board should be guided to understand the risks, the strategy and the financial figures. It is therefore critical that a CISO speaks about cybersecurity in business terms and presents quantifiable metrics and measurable outputs.
In summary, for a fruitful collaboration with the board, it is key to:
- Have regular meetings for exchange and establish a process for the Security governance
- Fully understand the expectations
- Be transparent
- Provide an accurate assessment: what is the current status and where do we aim to be?
- Help target investments to areas where the risk is highest
- Limit the use of technical terms
- Be solution-driven
- Translate the investments in cybersecurity into tangible added value to the Business.
Each of these points could be the subject of a paragraph.
Some people call for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies. What is your take on this?
An important pillar of the cyber security strategy is a clear and efficient awareness program. To be successful, such a program must involve all employees regardless of their hierarchical position or job level.
Research indicates that the majority of security incidents were triggered by human errors, generally due to either ignorance, naivety or negligence. Employees have become a prime target for cybercriminals to enter corporate networks, and awareness campaigns are necessary. However, daily awareness campaigns, for example, can be counter-productive and are difficult to maintain over time. To achieve the desired outcome, the awareness program should be suitable in its style and content.
An awareness program is effective when it comes in a dynamic and interactive format, and when delivered using various means. Ideally, each format puts the emphasis on a specific issue. The program is most successful when spread over the entire year and when it targets all users. Dedicated sessions to target a specific audience are also recommended. For example, employees of the HRD will not face the same risks as those of the IT team. Each functional entity must be aware of the value of the data and classification of the information it handles. It is therefore essential to support all employees and help them fully understand the risks associated with the data they handle.
Threats are everywhere and are always changing. How can we address this difficult reality?
First of all, one should be fully compliant with, and inflexible about, the basics of security. For example, it is not sufficient to deploy a patch; it must be deployed on 100% of the available resources. It is not sufficient to have a good anti-virus; you need to have it on 100% of the assets. The security basics, if fully implemented, allow us to be protected from most threats.
Regarding the more sophisticated and evolving threats, these are often carried out by organized and highly motivated groups. To adequately face these threats, one must adopt the principle of “zero trust”: double check everything and trust nothing. Put controls on the whole chain of connection; make the applications “self-resistant”.
We can summarize “zero trust” by the following:
- Ensure secure access to all resources regardless of their level of connection to a network (exposure via the Internet or internal network)
- Adopt the principle of least needed privilege
- Control (filter) the entire traffic
Recently, some solutions based on artificial intelligence and behavioral analysis have been developed to help to detect and fight more sophisticated cyberattacks. Despite showing some limitations, these new solutions hold a promising future in the fight against cyberattacks.
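The "100% of the assets" point above is easy to state and easy to get wrong in practice, because a patch or anti-virus console only reports on the hosts that talk to it. The following added example (not Société Générale's tooling; host names, the patch identifier `KB-EXAMPLE-1` and all deployment records are constructed) measures each control against the authoritative asset inventory instead, and also surfaces hosts that report to a console but are absent from the inventory:

```python
"""Reconcile an asset inventory against patch and anti-virus deployment
records, so that "deployed" is measured against the whole estate.
Added example; every host name and record below is constructed."""
from dataclasses import dataclass, field

# Constructed, authoritative asset inventory (hypothetical host names).
INVENTORY = {"srv-web-01", "srv-web-02", "srv-db-01",
             "wks-0001", "wks-0002", "wks-0003"}

# Constructed deployment records as a patch console and an AV console would
# report them. Each console only knows the hosts that report to it, so its
# own "100%" can be computed over a smaller population than the real estate.
PATCH_REPORT = {
    "KB-EXAMPLE-1": {"srv-web-01", "srv-web-02", "wks-0001", "wks-0002"},
}
AV_REPORT = {"srv-web-01", "srv-web-02", "srv-db-01",
             "wks-0001", "wks-0003", "lab-old-01"}


@dataclass
class Coverage:
    control: str
    covered: int
    total: int
    missing: list = field(default_factory=list)  # inventory hosts lacking the control
    unknown: list = field(default_factory=list)  # reporting hosts not in the inventory

    @property
    def percent(self) -> float:
        return round(100.0 * self.covered / self.total, 1) if self.total else 0.0

    @property
    def complete(self) -> bool:
        """True only when every inventoried host has the control."""
        return not self.missing


def coverage(control: str, reported: set, inventory: set) -> Coverage:
    """Measure a control against the inventory, not against the console's view."""
    return Coverage(
        control=control,
        covered=len(reported & inventory),
        total=len(inventory),
        missing=sorted(inventory - reported),
        unknown=sorted(reported - inventory),
    )


def report(inventory=INVENTORY, patches=PATCH_REPORT, av=AV_REPORT) -> list:
    """One Coverage entry per patch plus one for the anti-virus agent."""
    results = [coverage(f"patch {kb}", hosts, inventory)
               for kb, hosts in patches.items()]
    results.append(coverage("anti-virus agent", av, inventory))
    return results


if __name__ == "__main__":
    for c in report():
        status = "OK " if c.complete else "GAP"
        print(f"[{status}] {c.control}: {c.covered}/{c.total} ({c.percent}%)")
        if c.missing:
            print("       missing on:", ", ".join(c.missing))
        if c.unknown:
            print("       not in inventory:", ", ".join(c.unknown))
```

The `unknown` list matters as much as `missing`: a host that runs the agent but is not in the inventory is an asset nobody is tracking, and the inventory itself is the control that every other "100%" figure depends on.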
How do you predict the future of authentication?
The authentication means are continuously evolving. This is due to the evolution of the threats as well as the growing complexity of the IT environments. In contrast to that, users request more flexibility and ask for user-friendly access and ease of use. They request secure access to their personal space but view complex authentication as a hurdle.
Today, access using a password is dominant. This means of authentication is less used for sensitive or high-privilege access. In my view, password-based access will remain the norm for some time yet, even if several experts announce that it will be abandoned.
Strong authentication (2FA), which has brought strength to classical authentication, seems popular and has a bright future in the coming years. 2FA offers a good compromise between user experience and a decent level of security. This method also shows certain limitations and was at the center of recent incidents of cyber fraud. Still, 2FA remains an acceptable means to be protected against basic attacks.
Biometric authentication, existing for several years now, offers a fast and simple means of authentication. It was originally predicted to overtake the other methods, but its wide use was held back by several issues, mainly ethical considerations. Its further development and future use are therefore questioned.
A single (one-time) authentication (like a single door one can go through) is no longer sufficient to ensure a good level of access security. Ideally, the control of identity should remain continuous. Recently, a new sort of behavioral authentication emerged as an alternative. It consists of a continuous control of many contextual elements of information which can inform on a person’s true identity. Everyone is different and unique, which makes the way an individual carries out daily tasks also unique. It is therefore possible to define the behavioral imprint of a user. It may consist of the usual connection times, the tools used, or documents/resources accessed, the keyboard typing speed, the movement of the mouse, etc. Consequently, a malicious user entering the system will deviate from the usual behavior and rapidly trigger an alert.
Further development of machine learning and artificial intelligence science will certainly help such authentication to dominate the coming years. This is likely the direction in which authentication will develop.
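To make the behavioral-imprint idea concrete, here is an added example (not code from the interviewee or Société Générale) that builds a per-user baseline from past sessions and scores a new session for deviation. The features (login hour, keystrokes per minute, tools launched), the thresholds and every session record are constructed for illustration. It also shows the caveat a practitioner would want: a single deviation, such as one unusually early login, should trigger step-up authentication rather than a block, while several simultaneous deviations justify cutting the session.

```python
"""Continuous behavioral authentication sketch: per-user baseline from past
sessions, deviation scoring of a new session, and a graded response.
Added example; features, thresholds and all session data are constructed."""
from statistics import mean, pstdev

# Constructed session history for one user.
HISTORY = [
    {"hour": 8,  "kpm": 250, "tools": {"mail", "crm", "browser"}},
    {"hour": 9,  "kpm": 262, "tools": {"mail", "crm"}},
    {"hour": 8,  "kpm": 245, "tools": {"mail", "crm", "browser", "sheets"}},
    {"hour": 10, "kpm": 270, "tools": {"mail", "browser"}},
    {"hour": 9,  "kpm": 255, "tools": {"mail", "crm", "sheets"}},
    {"hour": 8,  "kpm": 240, "tools": {"mail", "crm", "browser"}},
]
NUMERIC = ("hour", "kpm")   # features scored by z-score against the baseline
Z_LIMIT = 3.0               # constructed threshold: |z| above this is a deviation
NOVELTY_LIMIT = 0.5         # constructed: more than half the tools never seen before


def build_baseline(sessions: list) -> dict:
    """Mean and population std-dev per numeric feature, plus the set of known tools."""
    base = {}
    for f in NUMERIC:
        vals = [s[f] for s in sessions]
        base[f] = (mean(vals), pstdev(vals) or 1.0)   # avoid division by zero
    base["tools"] = set().union(*(s["tools"] for s in sessions))
    return base


def deviations(session: dict, baseline: dict) -> dict:
    """Per-feature deviation measures: z-scores and the fraction of novel tools."""
    out = {}
    for f in NUMERIC:
        mu, sd = baseline[f]
        out[f] = abs(session[f] - mu) / sd
    novel = session["tools"] - baseline["tools"]
    out["tools"] = len(novel) / max(len(session["tools"]), 1)
    return out


def evaluate(session: dict, baseline: dict) -> dict:
    """Graded decision: one deviation -> step-up, two or more -> block the session."""
    dev = deviations(session, baseline)
    flags = [f for f in NUMERIC if dev[f] > Z_LIMIT]
    if dev["tools"] > NOVELTY_LIMIT:
        flags.append("tools")
    if len(flags) >= 2:
        action = "block"
    elif flags:
        action = "step_up"      # ask for a second factor, keep working otherwise
    else:
        action = "allow"
    return {"action": action, "flags": flags,
            "deviations": {k: round(v, 2) for k, v in dev.items()}}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    samples = {
        "usual":      {"hour": 9, "kpm": 258, "tools": {"mail", "crm"}},
        "early":      {"hour": 5, "kpm": 250, "tools": {"mail", "crm"}},
        "suspicious": {"hour": 3, "kpm": 95,  "tools": {"mail", "archiver", "ftp"}},
    }
    for name, s in samples.items():
        print(name, evaluate(s, base))
```

The baseline is recomputed from history, so legitimate drift (a new tool adopted by the whole team) is absorbed once the sessions that use it are accepted into the history; the graded response keeps the false-positive cost of a single odd feature low without ignoring it.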
How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?
Timely information sharing and keeping up to date with the latest developments, security breaches and emerging threats is essential to adequately fight against cybercrime. Yet, even that information sharing can by itself create vulnerable spots and cause security risks. One of the concerns is the risk of revealing companies’ confidential information or sensitive data on their customers. This risk can be mitigated by implementing a standardized formal and secure process to allow the community to exchange while preventing malicious access.
This open exchange between companies is unfortunately not yet fully leveraged. Various professionals are still trying to find the right and safe balance between information sharing and confidential data protection. Companies have a legal obligation to report incidents to the authorities. Yet, this remains a limited bilateral process and does not benefit the whole community. It is evident that more effort would be needed to improve on this aspect.
The field of cybersecurity, as well as our profession, evolves rapidly. The cybersecurity strategy should be continuously reviewed to be able to keep up with and follow any developments. It will therefore be essential to adapt and rapidly react to emerging priorities in order to balance risk management and business performance.