Not a week goes by without news of a new cyberattack or a major flaw like Heartbleed, Shellshock or BadUSB. The number of incidents increases every year, and so do the costs incurred by businesses to resolve them. Not to mention the negative effects on business of marketing unsecure products and services, once their weaknesses come to light. It is time for companies to stop wondering why they must secure their information systems and digital products, and start thinking about how to ensure that all parts of the value chain are properly secured.
This awareness, arising naturally from fear of an attack or scandal, offers the first explanation for the acceleration of the business of cybersecurity. But it is still feeble when held up against the challenges in the digital world and the explosive rise of connected products. As US Federal Trade Commission Chairwoman Edith Ramirez stressed in her speech at the last CES, in Las Vegas, the security challenges related to the Internet of Things are still not adequately taken into account. Manufacturers’ involvement in securing their products upstream is lacking. The case of connected objects is a symptom of this problem, as they are almost void of elements to encrypt communications related to their use. Connected products and services that include built-in features to protect the information that they carry will stand out against less secure competitor products. Genuine acceleration of the industry will come about when companies understand that security is not a constraint, but a genuine selling point. Trust is built when the security of connected objects and digital services forms an integral part of the quality process. This positive cybersecurity is a key driver of digital transformation.
However, regardless of a company’s size or purpose, the teams developing products and services naturally focus on their uses, on business outcomes. Corporate cybersecurity remains almost systematically confined to CIOs and CISOs, and organised around a dated “detection–response” model. Security teams — where they exist — are not integrated into businesses, but limited to the role of “firefighter” when there is a digital “fire”. Businesses’ heavy involvement in making the digital revolution secure will be the next major factor in accelerating the business of cybersecurity.
Being very much upstream in nature, cybersecurity must form part of the curriculum in every engineering, business and management school. Awareness of security issues may be acquired throughout the course of a career through individualised further education, like that offered by EPITA’s SecureSphere training programme, presented at the last FIC. On a more strategic level, it may also be acquired by means of IT crisis exercises such as those proposed by CEIS, placing a company’s professionals, security experts, communication teams and top management in realistic scenarios to achieve maximum impact. By raising awareness of the subject’s importance among professionals and decision-makers, they will become the first sponsors of this “positive” vision of security.
However, the benefits of this acceleration of the business of cybersecurity will not be fully enjoyed in the French industry without substantial consolidation of our national providers. Indeed, if international companies are present in our services and systems integration, we have no security solution publishers able to compete with the major international players. This means that the major French integrators are integrating solutions that come from abroad. No industry-leading publisher with a complete portfolio of solutions and efficient marketing has managed to emerge in France. And yet, France innovates. Our R&D is abundant. Every region boasts numerous start-up companies and SMEs developing high-value products that may be able to find their market. This fact is grounds for promoting organisations like the CEIS-launched CyberLabTM, a forum that regularly brings together all the different players in cybersecurity — start-up firms and SMEs, major integrators, potential clients, state experts and players in finance and innovation — for product-demonstration sessions.
The “size” factor is also important. Many clients are hesitant about trusting solutions that come from small organisations, owing to real or perceived risks relating to product sustainability. Our major IT companies should play an important role in key accounts by “insuring” the integration of these innovative technologies and promoting the source of this innovation. By integrating code-recovery clauses in case of financial problems, and by supporting R&D and marketing in innovative companies by profit-sharing in kind or in cash, without stifling creativity, our champions of services and systems integration would find themselves in the midst of an extremely dynamic and innovative ecosystem.
The State also plays a fundamental role in accelerating the business of cybersecurity. Ministers’ public statements on the subject at such important events as the FIC help raise general awareness of the importance of the industry. Acting as regulator and legislator, the State imposes regulations obliging certain actors to take adapted cybersecurity measures. Article 22 of the French Military Planning Law, the French response to the European NIS Directive, will have direct effects on the market. It also plays a positive role in supporting industry companies (French Tech initiatives, start-up accelerator projects, the French Future Investment Programme [PIA], RAPID financing from the French Ministry of Defence, export promotion activities carried out by UBIFRANCE, etc.).
The problem is that while the ANSSI’s budget and staff grow year after year, unfortunately, the budgets for security solution and service equipment of other French ministries and agencies do not. This “national priority” is still subject to budget constraints. However, the State, as France’s top purchaser, must first of all support the industry through all its public procurement activities. It should constrain to take security into account in design, incorporate clauses that directly support innovative SMEs and approved solutions, etc. Given the degree to which obtaining a good State reference is a business accelerator for an SME, the State’s first source of aid should come from its own contracts. This “State trust” will serve as a model. And nothing serves better to accelerate a business than client trust.
Vincent Riou, CEIS