
Cybersecurity is only one of the pillars of digital responsibility!

Cybersecurity requires a risk governance approach and the involvement of all company players: administrators, managers, IT teams and users, including suppliers, subcontractors and partners.

Marie De Freminville

Marie de Fréminville is an expert in governance, finance, cyber security and data protection. She is a non-executive director and founding partner of Starboard Advisory. She is also the Vice-President of CSDA (Swiss Association of Women Directors) and IFA (French Institute of non-executive Directors).

She worked for Airbus Group as Financial Controller and Corporate Head of Subsidiary Governance Department, and previously for Lagardère Group and for a family-owned Company (Construction and Real Estate) as Financial manager.

She is the author of “Cybersecurity and Decision Makers”, which was awarded the Cyber Book Prize of the FIC 2020 (International Forum of Cybersecurity) and the European Cyber Week.

Among other things, the board of directors has a legal obligation to monitor the effectiveness of the company’s risk management system. Directors must therefore be aware of the risks, understand them, and develop a digital strategy. This entails setting up a system to monitor the evolution of risks and take appropriate measures, under the supervision of the CISO and the CIO, in coordination with the other heads of departments. It is imperative that the latter be involved in risk management, as well as in the implementation of measures, in order to comply with, and enforce, the future rules. The training of all users is essential, as unfortunately tools alone are not enough to prevent all attacks.

Flaws are 95% human in origin and come mainly from negligence. The CISO cannot watch over each user to prevent such negligence: each user must act responsibly, just as each motor vehicle driver must be familiar with and respect traffic laws, and drive responsibly.

Cybersecurity should not only be considered a cost. It should be thought of as a lever for the growth of business, a tool enabling competitiveness and performance, and as a barometer of the organization’s health. It is a pillar of digital strategy.

However, digital responsibility is not limited to cybersecurity. It also includes social and environmental considerations, legal issues and finally questions of sovereignty!

On a social level, it is a matter of:

– training: due to digital transformation, some jobs are disappearing while others are appearing. It is the business’ responsibility to anticipate evolutions, train employees to guide them towards new jobs, and also recruit skillsets that are suited to the company’s future challenges;

– remote working: there are positive aspects (no commute, flexible working hours, enhanced employee accountability…) and negative ones: the lines are blurred between personal and work time, settings and tools, which in my view has consequences for productivity, security and quality, in short for performance;

– gender representation is unfortunately skewed in digital jobs. There are few women in this area, which is worrying because the world is increasingly digital! In fact, the percentage of women working in IT has gone down over the last 35 years. Today, only 20% of heads of cybersecurity are women, particularly because there are few women in computer engineering schools.

On an environmental level, the digital and technological revolution has transformed businesses and our way of life, impacting energy consumption, work organization, employment and personal data collection to better target consumers. Indeed, although digitalization can be a terrific tool in the energy transition, it remains energy-intensive (a datacenter consumes as much as a town of 30,000 people) and represents 4% of greenhouse gas emissions. Simultaneously, it leads to the depletion of natural resources, as 50% of the world’s yearly indium yield is used for smart TVs.

This share of digitally-produced greenhouse gas emissions will double in the coming years, possibly amounting to 8% by 2025. This context gave rise to various concepts such as green IT, sustainable IT and digital sufficiency.

Extending equipment lifetime, using refurbished equipment, favoring Wi-Fi over 4G, etc.: these are all examples showing that digital innovation also allows us to develop avenues for a sustainable digital strategy, as is evident from data centers immersed in liquid solutions that act as real heat conductors, allowing a drastic decrease in the energy costs of cooling. In matters of Artificial Intelligence, thanks to their optimized architecture, robots are becoming frugal in regard to energy consumption.

On a legal level, “The Cloud is someone else’s computer!”[1]: there are legal consequences depending on the choice of the Cloud provider, for example concerning access to data. The American justice system, thanks to FISA and the Cloud Act, can for example compel major US companies to hand over data located on their servers (whether they are on American soil or on Swiss soil).

A sovereign Cloud makes it possible to host data and applications on national territory, and is compliant with the laws of the country. It makes it possible to legally protect access to data, and to reduce dependence on digital giants, and grants the ability to operate without interruption, under competitive economic conditions.

On a digital sovereignty level, it is up to companies to define their digital strategy (tools, organization, process and training), in order to limit the risks involved in their business and reduce their legal and economic dependence. To do so, they need to have a choice! Digital sovereignty also involves the State’s ability to regulate and maintain order in cyberspace (courts and police), and to influence the digital economy: security of critical infrastructure, protection of State, corporate and citizen IT, growth of national players (operating systems, equipment, networks, messaging services, office automation, detection and protection tools, software, Cloud), etc. All these aspects contribute to guaranteeing the country’s and its businesses’ independence.

Moreover, although Cloud migration is easy, going back is much more difficult, even impossible, or very costly. The skills allowing one to develop one’s own solutions are lost. The prices, which are attractive at first, are then hiked, once the solution turns out to be the only one.

This should be kept in mind when establishing a digital strategy!

As complementary reading to my remarks, I recommend the Ethos[2] report, which mentions seven principles:

  • setting up a digital responsibility code;
  • communicating on digital practices and the (social and environmental) digital footprint;
  • respecting standards in regard to the collection, processing and protection of data;
  • ethics in regard to Artificial Intelligence;
  • ethics in regard to sensitive digital activities (surveillance, autonomous weapons systems, fake news, human rights, addictions…);
  • understanding the social consequences of digital transformation, particularly on employment and societal models;
  • reducing the digital transition’s carbon footprint.

[1] Tariq Krim, “Letter to those who want France to run on someone else’s computer”

[2] https://www.ethosfund.ch/fr/news/ethos-publie-sa-premiere-etude-sur-la-responsabilite-numerique-des-entreprises-suisses
