Cyber Security Leaders - Jeremy Voisin, CISO and Head of Information Security division @ DFi Service
Jeremy Voisin is the Chief Information Security Officer and Head of Information Security division for DFi Service. He is CISSP, CISM, C|CISO and Security+ certified and also holds several certifications in offensive security.
With more than 10 years of experience in information security, he has had the chance to work with and provide services to many clients in several fields of activity. The breadth of business areas in which Jeremy has worked gives him a global view of cyber activities and ensures that the services delivered are aligned with industry-leading solutions.
As a permanent member of the management committee, Jeremy ensures the reporting of activities and risks, as well as the definition of the cyber strategy. His strong technical background ensures that the governance strategy is aligned with a best-in-class solution and will always deliver state-of-the-art service.
We hear about People, Process and Technology in cyber, but which do you consider the most relevant?
Organizations are secured because the three pillars, People, Process and Technology (PPT), all work together. However, in my opinion, the most important thing is People. People are generally seen as the weakest component of companies, but with proper awareness training for “normal users” and “senior management”, and with a clear training plan for system, network and security engineers, the user becomes the most powerful element of the information system.
Process is also an important element, as it will define the approved rules and best practices for People to interact with the Technology.
Technology is, of course, necessary in all information systems, but it is the least important factor to consider in developing a solid cyber security strategy. You can choose the best technology in the world (if there is one…), but if the technology is not implemented in the proper way by the engineers, following the best practices and the right standards, then the Technology alone will not be effective.
As a CISO, how do you communicate the seriousness of cyber risk to the board?
Communicating the risks to the board and ensuring they understand the impacts and the actions to be taken can be difficult.
As a CISO, ensuring the board understands the seriousness of cyber risk requires being well prepared. When presenting risks, it is important to have a business-centric approach in presenting the potential impacts and consequences, and, of course, to present the various constraints of risk treatment.
ISO 27005 and NIST RMF can help the CISO prepare the presentation of constraints in risk mitigation (financial constraints, technical constraints, operational constraints, etc.).
In your opinion, what are the key considerations that organizations should factor while defining their cyber strategy?
In my opinion, the success of an organization’s cyber strategy relies on:
- The current level of maturity of the organization
- The governance structure in place
- The involvement of the CISO in the strategy definition
Moreover, the key factors to consider when defining the cyber strategy are the industry of the organization, the current cyber security culture inside the company, and the involvement of Senior Management. Senior management involvement will help add cyber security to the company’s DNA. Security should no longer be considered as a simple budget line, but as a strong business support.
Is Zero Trust the solution to defend against ransomware?
Zero Trust is a very good proactive approach to secure the network against threats (Insider Threats, Threat Actors, …).
Zero Trust Architecture principles will:
- Make compromise difficult
- Make disruption difficult
- Make detection easier
- Reduce the impacts of compromise
However, can we really have Zero Trust? We have to trust, for example, the updates provided by Microsoft or other vendors; we also have to trust the latest encryption standard, etc. This means that in some aspects we have to trust something, but we need to check and monitor the behavior.
Never trust, always verify!
To be sufficiently effective, the Zero Trust model must be implemented throughout the Information System and not just on public networks.
When pushing forward with digital transformation, many companies will migrate to the cloud. What are the main risks to consider when doing so?
Moving to the Cloud is now inevitable for a lot of companies (reduced costs, less operational management, etc.). However, it’s important for companies to understand what the reasons are to move to the Cloud.
Migrating to the Cloud as a fad is not a good idea.
To migrate securely to the Cloud, organizations have to first define a Cloud migration strategy, then have a data governance strategy in place:
- Where is the data stored?
- What is the classification of the data?
- Who has access to the data?
- What are the objectives of the data?
- What is the value of the data for the company?
- What are the controls in place to protect the data?
In the event of a breach, how can companies regain customer trust?
Transparency is the key to trust. Companies should be transparent during the incident, with a clear line of communication and regular communication on the current status of the investigation.
Once the incident is closed, now is the time for companies to share their plan to avoid any further breaches, what actions will be taken and the estimated timeline.
Closing statement
The role of CISO can be very stressful. Indeed, the CISO must face ever-growing and increasingly advanced threats, as well as having to support the business in its growth objectives.
It is sometimes difficult to find the right balance between security and business, which contributes to the frustration of the CISO.
However, by putting in place a strong cyber security governance strategy, as well as strong processes, the CISO can have a “seat at the big table” and be listened to. In addition, the establishment of a security team on which the CISO can place all his trust helps to reduce stress.
