Cybersecurity: Visualizing, Understanding, Deciding, or how to address decision-markers ? (By Henri d’Agrain, CIGREF)

This year, for the first time, Jean-Claude Laroche, CIO of Enedis and President of the Cigref Cybersecurity Circle, will bring to the FIC a delegation consisting of around 15 digital decision-makers from French general government entities and major companies that are Cigref members. The organisation of this delegation is a testament to the growing concern of Cigref members for their digital security.

Under the effects of digital transformation and dematerialisation of physical processes, companies virtually no longer have essential functions independent of their information systems. This mean that companies must make sure that these information systems are protected. Managers are now demanding, and must demand, trust in the level of security of the activities for which they are responsible.

Indeed, cyber crises are no longer hypothetical situations for which it is only necessary to “consider thinking about preparing.” Stopping short of catastrophism and maintaining an unnecessarily stressful atmosphere, the news and the facts are definitive: crises are real, looming in the doorway of every organisation, company and government entity. A year and a half ago, the Wannacry and NotPetya malware attacks spurred organisations to varying depths of action. Some of them endured damage on an unparalleled scale. To give an example outside of Cigref and illustrate the order of magnitude of such damage, the Merck group announced in November 2017 that the NotPetya cyberattack had cost it more than $600 million in the 2017 financial year. This is the first time that a cyberattack in which the business in question was not a specific target, but a collateral victim, has been identified to have such a dramatic impact.

Today, this change in scope is mobilising top management. Executives are expressing great expectations regarding the means to be mobilised to limit the impact of such attacks and the stance to be adopted. Digital decision-makers must now be in a position to explain to their representatives, executive committee and board of directors, in suitable language, the current and future conditions of the strategic management of cyber crises in major organisations and global companies. Digital decision-makers, backed by their managers and supported by their operations teams, face a pressing need to prepare their organisations for a crisis resulting from a major cyberattack, identify the emergency measures to be implemented as soon as possible, and regularly train all operational and decision-making chains to react in a constrained or fail-soft situation. Under the extreme conditions of a major cyber crisis, the leadership of the CIO, the trust of the CIO’s managers, cooperation with the cybersecurity ecosystem and the operations teams’ ability to react will be determining factors of a company’s capacity to overcome the impact of a crisis, which it now recognises as potentially lethal.

With this in mind, the Cigref delegation will be present at the cybersecurity ecosystem meeting organised by the FIC in Lille on 23 January.