Cybersecurity: top management finally getting their act together

In November 2019, a cyberattack paralysed the Lise Charmel company for a month. The entire value chain—from creation to production, and from logistics to stores—was blocked. The ransomware that caused this paralysis brought the Lyon-based company—which specialises in high-end women’s lingerie—to its knees. Indeed, a few months later (February 2020), Lise Charmel went into receivership to rebuild its information system and relaunch its activity in the best conditions. This procedure is due to last 18 months.

Ransomware attacks are on the rise. According to a report by IT security vendor SonicWall, there were more ransomware attacks in the first half of 2021 than in the entire 2020—an increase of 151%. Furthermore, a study carried out by NordLocker—publisher of a cloud-based file encryption tool— shows that France was the fourth most affected country in the world by this type of attack in 2020 and 2021.

And another report—conducted by the anti-hacking startup Anozr Way— explains that these attacks are becoming increasingly sophisticated. Hackers are no longer content to simply encrypt the servers of targeted companies, they are extracting data and exploiting it via rebound attacks. According to the report, one company’s data can be used to attack 150 other businesses.

The awareness of top managements is growing

In this context, few are the leaders who have not yet realised the extent of the threat. The last two years have been decisive in this respect. According to a study carried out by IDC France in partnership with CESIN and the firm Eneid-Transition, « IS security confined to a technical management role with no clear link to the executive committee will soon become a thing of the past. » This will be a logical development given the economic stakes associated with cybersecurity risks.

The most striking aspect of this evolution is the positioning of IS security within organisations. When surveyed by IDC, cybersecurity managers and CIOs confirm the rapid change in their organisations on this subject. 57% of respondents consider that two years ago cybersecurity was seen as either a cost centre or a technical department. Today, this share has dropped to 31%. And only 22% of respondents believe that their organisation will still be in this configuration in 24 months’ time.

« In December 2020, a ransomware attack spread from a peripheral system to the mainframe. We had to shut down every device connected to the latter and were locked out for six weeks. It was a very traumatic event for the company. Following this attack, we reorganised ourselves. Previously, cybersecurity was the sole responsibility of the IT manager. Even though he did an exceptional job during the crisis, this episode showed us that cybersecurity is everyone’s business, » said Pierre-Louis François, chairman of the board of directors of the Atlantic group, a specialist in heating production equipment, as quoted by IDC.

This kind of testimonial accelerates the awareness of managers regarding « cyber » risks. This is reflected in the increasing participation of the CISO in the company’s executive committee. According to IDC, in 68% of cases, the CISO reports hierarchically to the IT department (far ahead of the Risk Department or Top Management, which each represent 10% of responses). Via the department to which they report, the CISO is present at the executive committee in more than 70% of cases. This enables them to pass on their prevention messages to the right level of management.

The other development—which can be associated with the increase in cybersecurity crises—is the desire to anticipate. In more than eight out of ten organisations, respondents fully or somewhat agree that cybersecurity risk is systematically taken into account in risk assessments by the management board and the top management.

What governance should be put in place?

There are various ways in which the top management, the CISO, and the CIO can communicate optimally. In the second edition of its guide entitled « « L’essentiel de la sécurité numérique pour les dirigeants et les dirigeantes » (The Essentials of Digital Security for Managers), the association known as CEIDIG (Conseil de l’Economie et de l’Information du Digital) gives recommendations to management teams.

According to CEIDIG, organisations dealing effectively with cybersecurity issues have three things in common:

• Cybersecurity is managed as a cross-cutting theme within the company. It concerns everyone, at all levels, from the design of a project to its execution and sale.
• Three key principles—a clear mandate, proximity to the ExCo, and freedom of action—are applied to guarantee the effectiveness of the security manager’s mission. Their word will thus have greater impact, and management will retain control over the security policy best suited to its strategy.
• A separation of roles: the employees in charge of controlling security and devices are not the ones who have to implement them.

This last point is crucial and raises the issue of the CISO’s direct report. By reporting hierarchically to the CIO, the CISO loses room for manoeuvre and freedom of speech. If we take an image borrowed from the automotive sector, they cannot be both the vehicle safety inspection body and the garage mechanic…

This is what Stéphane Czernik, Director of Information Security and deputy CISO of the French pharmaceutical company IPSEN, underlines in a mini-guide on the new challenges of the CIO-CISO relationship published by Alliancy.fr: « Having experienced several configurations in my professional career, my feeling is that it works better when the CISO is outside the IT department, essentially for reasons of freedom. […] The CISO’s independence allows them to raise more freely with the IT department the issues that need to be put on the table and discussed in complete transparency between the two. »

Cyber ExCos to play the collective card

Regardless of the department to which the CISO belongs, many companies agree on one point: cybersecurity cannot be left to one person only. This is why more and more « Cyber ExCos » are being created.

« Putting in place dedicated security governance greatly increases the ability to consider everything. What is the acceptable level of risk? What process change is relevant? What investments should be prioritised? Thanks to the support of business representatives and a member of the top management, the person in charge of security will make the most appropriate decisions jointly. This Cyber ExCo should meets on a regular basis, but also on its own initiative when a subject requires it, » reads the CEIDIG white paper.

The final word goes to Denis Mercier, deputy managing director of the Fives group, which specialises in industrial engineering, as quoted by IDC: « We have chosen to deal with the subject of securing innovative projects through a collective approach, via a cybersecurity sub-committee that reports to the Digital Committee. This body involves the IT department and managers from the various divisions—including CortX (a subsidiary that serves as a hub of expertise for digital developments for all the group’s divisions). In my opinion, nothing is worse than a cybersecurity approach where everything rests on one person only, » he concludes.