CISOs are no longer the purely technical experts they often used to be, even though that image persists. They must now approach cybersecurity from multiple angles: technical, of course, but also operational, legal, insurance-related, organisational, and strategic. In a way, they have become a ‘conductor’ working with the company’s business lines, the other support functions and, of course, the management committee.
At the heart of the CISO’s missions is risk analysis, which is by its very nature cross-functional and therefore collaborative. But where should the CISO be positioned within organisations? What are their supports and relays? What best practices enable them to involve the business lines in their approach and to mobilise the executive committees around the challenges of cybersecurity?
These are the questions answered by Cyril Bras, CISO at Grenoble-Alpes Métropole and Vice-President of IN.CRT (Institut National pour la Cybersécurité et la Résilience des Territoires [National Institute for Territorial Cybersecurity and Resilience]), Jérôme Poggi, CISO of the City of Marseille, and Philippe Cotelle, Head of Cyber Insurance Management at Airbus and Board Member of AMRAE (Association pour le Management des Risques et des Assurances de l’Entreprise [Association for Corporate Insurance and Risk Management]), on 2 June during a round table moderated by Luména Duluc, General Delegate of Clusif, at the Virtual FIC organised by Avisa Partners.
The question of the CISO’s position and autonomy
In the absence of a hierarchical position granting them sufficient autonomy and freedom of action, the CISO still too often struggles to carry out the tasks incumbent upon them correctly and to anticipate the ever-increasing number of attacks affecting French organisations. And when incidents do occur, managing them is a painful exercise, according to Cyril Bras (Grenoble-Alpes Métropole & IN.CRT).
“When the CISO reports to the IT department, they are both judge and jury. Let’s imagine that the IT department is a car garage. When a car arrives, the garage’s role is not simply to focus on the colour of the car and whether it has been well washed, but to point out its weaknesses, such as its deflated tyres or damaged headlights. This is what the CISO does, but their role is complicated because it is difficult for them to criticise the structure to which they report. For the CISO to have more weight, they must be given the status of a technical control unit, independent of the garage,” explains Cyril Bras.
The CISO’s job is to monitor information systems and ensure that they are well protected. To do this, they need tools, resources and, above all, the support and ear of a sponsor in the company. “If the chairperson or the executive committee does not follow their recommendations, they will not be heard. Ideally, the CISO should report to senior management and manage their own budget. They should be a mini-CEO,” agrees Luména Duluc, General Delegate of Clusif.
An increasingly broad and cross-functional role
Cyberattacks now go far beyond the technical sphere and no longer consist solely of intrusions into the information system. “They are becoming increasingly sophisticated and are now attacking people. As part of their duties, the CISO must therefore also monitor what is happening in their company’s or local authority’s environment to protect the structure’s information assets,” adds Cyril Bras.
This monitoring must be shared at all levels of the company, with the aim of raising awareness. “The CISO is a real conductor. They create links and get people to talk to each other with a view to IS security. This does not only concern the end users. Developers are just as much—if not more—concerned as the business lines or support functions,” analyses Luména Duluc (Clusif).
To carry out this task, the CISO must create a network of correspondents in the business teams. These ambassadors relay the best practices advocated by the CISO. “This avoids the CISO having to approve projects in just 24 hours, without having time to look back. It’s a long-term communication and awareness-raising job to explain that the objective is not to say ‘No’ but to provide the means to carry out all projects in a context of best practices for securing tools,” adds Luména Duluc (Clusif).
A duo to form with the risk manager
Can the CISO also rely on the risk manager—when this function exists within the organisation? “Certainly,” says Philippe Cotelle, Head of Cyber Insurance Management at Airbus and also Board Member of AMRAE. “It’s a duo that can be very beneficial in the context of crisis management. The risk manager, in collaboration with the CISO, can provide senior management with an insight into the operational impact of a cybersecurity incident,” he notes.
As for cyber insurance—when it has been taken out—it can support companies that have been attacked during the management of the incident, particularly through technical, legal, and communication support. “This support can be essential for organisations that do not have the necessary resources in-house. It can help reduce the duration of the crisis, which is beneficial for the insured party but also for the insurer, as the financial impact of the attack will then be less significant,” adds Philippe Cotelle.
The ‘positive’ effect of the pandemic
All this support is welcome, as the tasks and missions of the CISO are extremely complex. More than a year after the Mespinoza/Pysa ransomware attack that affected the City of Marseille and the Aix-Marseille-Provence metropolis on the eve of the first round of municipal elections in March 2020 and a few days before the first lockdown, Jérôme Poggi, CISO of the City of Marseille, gives a mixed assessment.
“Fourteen months after the attack, things are better, but we are discovering a perverse effect of the crisis, which is physical and moral fatigue. The moral impact on the teams is very important. Burn-out is always underestimated in such a crisis. There is of course fatigue during the crisis, which is relatively easy to manage. But after the attack there is also a psychological impact that is more pernicious,” says the CISO.
Fortunately, the pandemic and lockdown periods also had many positive impacts. In addition to raising awareness of cybersecurity issues among managers thanks to teleworking, many IT teams used the time available to update some operating systems and deploy security solutions that they had never had time to address before. Every cloud has a silver lining…