Cybersecurity Leaders - Valérie Utges, CISO & DPO Consulting @ GIE Comutitres
Valérie Utges is an advisor to Chief Information Security Officers, Data Privacy Officers and Chief Information Officers. Drawing on 25 years of professional experience in IT and telecoms, her expertise spans several branches of cybersecurity: EBIOS risk analysis, remediation plans, crisis management, cyber awareness, etc.
Her credo: cybersecurity is not a constraint but an extra warranty for Business!
How do you articulate the three-pronged approach of ‘people, processes and technology’?
No doubt for me: people are at the heart of cybersecurity! Simply because they are, we are, the weak point… More than half (some statistics say sometimes even more than 70%) of the data leakages are due to human errors, not to voluntary actions.
Technically speaking, there are many solutions available for cyber, probably too many in some cases when it’s difficult for a CISO to choose among all options, but at least technology is not a showstopper.
Therefore, any organisation, whatever its dimension is, needs to focus on awareness, and I would say at a more global level, education needs as well to encompass these cyber topics to popularize them and facilitate learning best practices. As soon as these practices become a habit, we have won!
Furthermore, processes (i.e. audits, patch management, monitoring) will be more easily integrated in teams as their benefits are better understood.
When speaking the languages of Business to their boards, are there certain phrases Leaders/CISOs should be using?
When CISOs are part of the Boards, that’s a first important step! It’s not always the case unfortunately. So this is a major challenge for cybersecurity leaders: build a win-win relationship with Business owners. I have heard so many times that cyber is a constraint! Among key words I would say we need to propose Security As A Service, working in close cooperation with business and projects, understanding their targets and constraints to propose the best options for them.
Security by design, privacy by design processes are major success factors as when security is involved too late in the cycle, it appears to be more expensive and leads to delays. Work together, that’s the main phrase.
What advice do you have for security leaders?
I don’t think there’s a single piece of advice for all the leaders - it depends on their company specifics, namely exposure to cyber risk, maturity vs security, constraints or limitations (i.e. cultural, historical, geographical etc).
They need to understand the cons, not ignore them, and open discussion to leverage issues. For example, when small subsidiaries manage their own budget, they can argue that investing money in cybersecurity is not a priority as it might be paying for something that will maybe never happen - but then why are we paying insurance for our cars? Simply because we do not want to cover the cost of a car crash.
Professional and private lives are more and more mixed, especially when we refer to personal data, so as security leaders we need to convince people that our professional behaviour should be based on personal best practices as well.
Another piece of advice should be to build a cyber network and empower business ambassadors who will relay cyber messages and convictions, tailored for the corresponding team.
We have recently witnessed a spate of massive DDoS attacks via IoT devices configured as botnets. Do you think legislation should mandate device manufacturers to meet minimum cybersecurity requirements to avoid this kind of incident?
Two years ago I made a prospective study around cybersecurity and smart buildings. Obviously IoTs were a major driver in the intelligence of the building. However, at that time, the IoT landscape appeared to be like the “wild west” in terms of security and I’m afraid it’s more or less still the case. IoT usage is increasing at a very high pace in our lives and in the industries (50 billion in 2020), as are the attacks they’re facing in parallel.
IoT will be driving many aspects of our lives in smart cities, connected cars, healthcare and other topics we are not even aware of today. Therefore, we need to impose regulations and laws as we did for other technologies to protect ourselves. We need to have the power to choose the manufacturers that fulfil security requirements and follow ethical rules.
California’s IoT law active from January 1, 2020, is an example of what can be done around this ecosystem.
How can CISOs balance security and innovation?

Security is innovation! As CISOs we need to help build the best secure solution and this requires being agile and inserting a tiny dose of disruption to comply with functional, budget and planning objectives. As I like to say: better done than perfect! Perfection does not exist, and neither does zero risk. Therefore, we can only find the best pragmatic secure solution thanks to transversal cooperation in the company relying on all major contributors’ goodwill. Even in the way of working together we need to be innovative!
Why are some industries more open to sharing information than others?
Unity is strength – it seems obvious, doesn’t it? However, some companies or industries still believe they can win the war against hackers on their own. It’s not the case of the aeronautics industries that demonstrated a decade ago that they were stronger when putting their forces together against cyber risks. Confidence was simply more important than competition because the stake behind this was human protection. On top of that, this war requires money, a lot of money and not one shot, but every year and for years. But I’m optimistic, as I see every day that there are many initiatives to share information between CISOs, all around the world. I want to believe cooperation will be more and more effective and efficient.
Perspective
I cannot close this interview without mentioning COVID-19, because in this terrible period we have seen the best and the worst, and among the worst, I would like to highlight the hospitals’ hackers in several countries. Not to mention the fatal consequences of these attacks. It’s clear, everybody can be a target.
My conclusion: no need to panic but prepare ourselves to be ready and resilient in case.


