How to Leverage Cybersecurity as a Business Growth Enabler
Franck BEDELL
Head of Information Security & Risk at Baloise Luxembourg, Compagnie d'Assurances - Luxembourg CISO of the Year 2023 (Cybersecurity Week)
Many thanks to ITnation and Sébastien Lambotte for this insightful interview, where I had the opportunity to delve deeper into my perception of cybersecurity and my role.
It was an exceptional experience, and I encourage you to subscribe to this nice magazine: Magazine - ITnation | L'actualité des professionnels de l'IT au Luxembourg.
Many CISOs face significant challenges, and a recent State of the CISO, 2023–2024 Benchmark Report by IANS Research and Artico Search highlights some key findings. According to the report, 75% of CISOs are considering changing their positions by the end of 2023. The primary reason for this desire to move is the lack of sufficient support from top management.
Bridging the divide between CISOs and leadership is imperative. As always, if you’d like to continue the discussion, feel free to comment or reach out to me directly via LinkedIn.
Feel free to explore the full article in the TRANS-FOR-NATION magazine in French. And for English speakers, you can find the fully translated version of this article just below.
Full article in English:
In view of the evolution of issues related to cybersecurity, Trans-For-Nation is inaugurating a new section, giving the floor to CISOs to discuss the challenges related to the threat and the evolution of the function at the heart of organizations. Franck BEDELL, CISO of The Year, Head of Cybersecurity at Baloise, agreed to answer our questions.
Last autumn, you were named CISO of The Year 2023/2024. What does this award mean to you?
Above all, it is a recognition by my peers of the work we have done with the team over the past few years. This title, above all, has highlighted the vision I have of cybersecurity issues, both internally and externally, on the scale of the Luxembourg market. It's an opportunity to show that the ideas we have are not far-fetched, but that they address critical issues and help to sustain the development of Baloise's business over time. This designation has reinforced our legitimacy while recognizing the importance the company places on these cybersecurity and information protection issues. It has helped sustain the momentum that is in place, allowing us to execute our strategy more effectively.
Because cybersecurity has indeed become a strategic issue...
In view of the budgets that must be mobilized and the transformation to be carried out, cybersecurity now goes beyond the simple framework of IT. This is a key issue, which can no longer be addressed by simply deploying antivirus or firewalls at the infrastructure level. It is necessary to set up comprehensive and transversal programs, based on an in-depth analysis of the business issues, of all the data produced, processed and stored at the level of the activity. Cybersecurity is now entering a whole new dimension. It is necessary for top management to be more aware of these facts, to agree to devote the resources and to provide the necessary support in terms of change management.
Today, would you say that business leaders have taken stock of the risks associated with cyber threats?
I believe most leaders are aware of what is at stake. In many companies, a ransomware attack is now considered one of the most significant risks to which they are exposed, much more so than certain regulatory or financial risks. However, managers are not always comfortable with the means to be implemented to limit these risks. Even today, cybersecurity and information security are still considered a cost center and not a lever for the sustainability of the activity or a factor of operational excellence. One of the missions of CISOs today is to get them to see beyond the simple means of protection and to define a clear path for improvement, for example by securing operational processes or by minimizing exposure or the amount of data stored. With the right strategy, you can both raise the level of safety and contribute to the profitability of the company.
It's been three years since you rolled out a new security strategy. Can you tell us what the main thrusts are?
It is a strategy based on the Zero Trust paradigm that takes a holistic view of security. Three main axes can be distinguished. The first, at the technical level, aims to protect information across the entire value chain, at our level and with our partners. It is a question of securing all data flows, in other words, protecting systems against external but also internal attacks without distinction. The second axis is a transformation to be carried out, a change of culture, from an approach to security based on compliance with regulations, to one that is considered "By Design" at all levels of risk. Indeed, it is not a question of putting measures in place because we have to, but because it responds to key issues for the business. The goal is to make everyone aware of the importance of protecting information, both personally and professionally. Finally, at the level of the third axis, it is no longer a question of confining cybersecurity to an IT issue, but of considering it as a digital, cross-cutting risk and it is therefore necessary to work on these risks with the various departments and partners in order to better identify, understand and therefore mitigate them.
What are the main challenges related to the implementation of this strategy?
First, there was a technical challenge, at the IT level, to define and deploy all the attack detection and response systems across all our IT systems. You can't do everything at once and you really have to implement the elements, one after the other, while maintaining a global vision. It's a bit like playing with our Legos: brick by brick, trial after trial, we move forward. Beyond this material aspect, people also have a crucial place and we therefore had to set up a real "cybersecurity culture" shared by all Baloise teams. With this in mind, perhaps one of the most striking moments was the organization of a "cybersecurity day" in June 2023. It was a day entirely dedicated to safety issues where all employees were able, through conferences, games and various information, to become globally aware of the issues and, on their own initiative, to contribute to better risk management. Even if it is sometimes complicated to obtain sufficient budgets to allow all employees of a company to devote their working time to security, it is clear that it will always cost less than a human error opening the door to a cybercriminal due to lack of attention. It goes without saying that this cannot be done without the full support of the decision-making bodies. In fact, we are going to do it again this year at the request of more than 71% of the staff. The new challenge we are currently facing concerns the management of European regulation, with compliance with the Digital Operational Resilience Act (DORA), which imposes major transformations for the management, availability and security of critical data.
How do you convince top management of the importance of making security a central issue?
Is it enough to confront them with risk? This is one of the most important elements. For nearly two years, we have been making sure to raise awareness of cybersecurity among managers and to make the risks involved intelligible, through tests or simulations for example. This work is bearing fruit because when faced with these crisis situations, we understand the impacts much more easily. Regulation is another important lever to make things happen. The arrival of DORA, for example, means that we have a much more attentive ear when we talk to decision-makers. But beyond that, we also need to work to make them aware that reducing risk should allow them to make money. To get to this point, we also had to adapt and know how to quantify risks in order to communicate information in financial terms, which are much more understandable. In other words, we're not saying how implementing encryption will reduce privacy risks, but rather how integrating this service reduces the risk of ransomware from around €150 million to €120 million, for example. Reducing the risk allows you to limit the capital tied up and, therefore, it is a very good thing from a financial point of view. Speaking the same language helps to convince.
The threat is intensifying...
Yes, there is a strong acceleration of the threat, and the number of attacks, estimated for 2023, corresponds to nearly 2200 per day, or about one every 49 seconds. What is also evolving is the ease, thanks to the tools available to cyber attackers, with which they can exploit our systems. When I started at Baloise three years ago, we had to fix a critical security breach on average once a month. Today, the rhythm is one or even several per day. Patching vulnerabilities is a lot of time-consuming work, and the workload associated with this activity is constantly increasing. The number of new vulnerabilities detected around the world on different systems means prioritizing, focusing on critical elements in the first place, because it is no longer possible to fix everything all the time. The means used by attackers are also more important because we are no longer dealing with hackers operating alone, from their cellar or an Internet café and opportunistically, but rather with highly efficient organized groups. They have the expertise, advanced technical tools, funding and don't have the barriers of the law. Some of them are even very close to the states that mandate them for larger missions. The attacks are no longer just for purely short-term financial objectives aimed at companies, but are part of geopolitical campaigns, the aim of which is to destabilise a candidate, a government, a country, etc. Our role, as a player in the Luxembourg economy, is also to contribute to the fight against these forms of piracy by ensuring the security of our systems and information, and thus helping to ensure our protection and national sovereignty.
Cybersecurity is like a race, in which cyberattacks always seem to be one step ahead. How can we calmly apprehend this state of affairs?
The idea of being able to get ahead of the attackers is a sweet dream, indeed. My opinion is that we should try to understand the way cybercriminal organizations operate, which most often carry out large-scale attacks, focusing on what makes a lot of money in a short period of time. In this context, we need to start protecting ourselves from what is known, from existing flaws. I'd say it's 99% of the work. For the remaining 1%, you have to accept that one day you will be hacked, that the system may be compromised. Aware that this can happen, it is absolutely necessary to prioritize the protection of confidential and critical data for the company. It is at this level that we must devote as many resources as possible and also avoid relying on service providers. We can outsource a lot of things, but we can never be held responsible for a leak of our customers' data.
What does this mean?
In terms of critical and sensitive data, we will therefore deploy reinforced technical resources, with encryption, systematic control, log analysis and monitoring. We implement security tests for our applications, servers and network equipment, based on attacks perpetrated by cybercriminals. Threat intelligence now allows us to analyze and understand their "modus operandi" in order to assess ourselves. Finally, as said before, it is necessary to have a fallback plan, to carry out restoration tests and crisis simulations to allow you to envisage the future a little more serenely. For the rest, which is not critical, we cannot always be allowed to deploy everything for financial reasons or because the operational impact is too heavy. We therefore accept that at this level the security measures are more flexible, and we are therefore resigned to the possibility of losing data.
Isn't distinguishing between what is critical and what is less critical already a complex task?
Yes, definitely. Whether it's regulation or business continuity principles, we are forced to do it. If you want to implement a Zero Trust approach at the technical level, you clearly have to go through it. This work, which may seem tedious, is nevertheless so important. I would also like to highlight the European dynamic in these subjects, which, through regulation, pushes actors to protect what matters most to themselves but also to the security of our Europe, because this makes a major contribution to improving global security. We often criticise the institutions and decisions taken in Brussels, but I think that the European Data Strategy, DORA, the Data Governance Act, the Data Act, the AI Act, NIS2, eIDAS and FIDA are also an asset to bring some order to an increasingly vast and increasingly risky digital world. I think it's important to welcome the positive, even if it's a real headache for some players, especially in sectors that have traditionally never had to implement information security regulations.
When we talk about cybersecurity, the issue of skills often comes up. How can we meet these challenges if we lack talent?
Indeed, we can see that certain skills are rare. Cybersecurity analysts, in particular, don't run the streets. If you want to attract talent, it is important to have a robust and coherent strategy, to which they will want to contribute. Beyond that, it is necessary to be able to meet the aspirations of the younger generation, who want to work, to grow professionally, but also to enjoy a good work-life balance. It is therefore necessary to deploy clear and precise recruitment policies that meet these expectations. In the field of risk management and compliance, there is also a significant need for skills and people capable of apprehending technical risks in the form of financial risks, and I welcome the desire to develop these sectors supported by Luxembourg House Of Cybersecurity and more generally by the Luxembourg government. In addition, for me, there is also a real challenge in feminizing the profession, in attracting more women to these professions that offer great career prospects. We can salute the work carried out by the "Women Cyberforce" association, of which I am a member, and which promotes the role of women in the field of Cyber Security. It is clear that we will need all the talents to meet the demand of Luxembourg companies. Finally, if you have children who want to find an exciting, well-paying job, you know what to advise them to do.
What do you see as the biggest security challenges in the coming months?
I see two main ones in the short term. On the one hand, there is a regulatory issue, with the review and implementation of the DORA regulation, which requires the mobilization of significant human and technical resources to have the capacity to deliver the expected results by the end of the year. The second is to continue to develop the security strategy and culture, by integrating emerging risks, in this case those related to the development of artificial intelligence and Quantum.
How do you see the CISO function evolving in the future?
Currently, cybersecurity is still too often seen from an IT perspective solely and primarily for compliance purposes. It is important to pass this milestone, so that it is first and foremost managed by and for the business and with regard to operational and financial risks. The role of the CISO is still very vague and does not have consensus. In the short term, I think that regulation will encourage CISOs to take a more strategic role in risk management and thus more or less exit IT. They should have the ability to make regular reports increasingly based on the quantification of risks and of opportunities to reduce exposure to them. Finally, as we see more frequently in the United States, I can only validate the fact that the CISO is becoming a decision-maker in his own right, since he is increasingly joining the executive committee or even the board of directors. Indeed, the function must position itself as an organ of reflection and apprehension of risk, as the cyber threat becomes more and more important and more and more critical.
Board Member - iNED | Cybersecurity | ESG | MBA | Prince2 | Compliance-ALCO |
6 months
Insightful article Franck! "…cybersecurity now goes beyond the simple framework of IT. …It is necessary to set up comprehensive and transversal programs…" I agree with you, the integration of cybersecurity into business strategies is necessary to ensure long-term business resilience. Furthermore, leaders are not "educated" enough on this topic and a cybersecurity culture is crucial. At the board level, I advocate cybersecurity education above all cyber risk management to effectively manage the risks and impacts of cybersecurity threats. This will support the #CISO's #ZeroTrust strategy, especially with #DORA on the way. Furthermore, implementing the regulations you mentioned can be translated into a strong corporate governance framework in place. Thank you for your support and for highlighting the efforts of Women Cyber Force in increasing the presence of women in the #cybersecurity landscape, promoting #diversity and #inclusivity.
Well described! I noticed as well that CISOs feel responsible for cyber attacks, which is still a wrong perception.