Cybersecurity is everybody’s business.
- Is it enough to have found a rare gem: an excellent Chief Information Security Officer (CISO)? How does this person interact with the business’s core and support functions? How is he or she “connected” to the executive committee and the board of directors?
- How do companies interact with suppliers, clients, partners, IT providers and operators?
When it comes to cybersecurity, all parties must assume their own responsibilities. These parties are not limited to the board of directors, managers, CIO and CISO. They include core and support functions, employees, the extended company (suppliers, subcontractors and IT providers), and, of course, the state (infrastructure, education, investigations, standards, certifications and regulations).
The Director of Cybersecurity is an essential part of the system, but his or her efficiency and performance depend on the organisation as a whole and its interaction with the company’s main internal and external players.
This individual is in dialogue with the executive committee and the board of directors, sometimes via the audit and risk committee, providing information on the company’s exposure to risks, incidents and measures to put in place.
Many organisations ensure the independence of their Director of Cybersecurity by attaching the position to the Secretary General, Director of Safety, Director of Risk or Managing Director rather than to the CIO, who is in charge of digital transformation; reporting to the CIO would make the person responsible for delivering projects also the one judging their security.
The Director of Cybersecurity must be well-informed of projects and involved in operational and functional departments (e.g. purchasing; mergers and acquisitions) in order to contribute a cross-cutting vision from all angles, determine the efficiency of the systems in place and subsequently adjust strategies and action plans.
The Director of Cybersecurity relies on a chain of CISOs within the company (branches and subsidiaries), establishes the applicable security policy in the group, spreads awareness of it and ensures that it is applied in collaboration with the internal audit department.
The human link is the strong one, but it can also be the weak one. Everybody must be trained, from top to bottom and from bottom to top!
Some companies have made their Director of Cybersecurity a member of their executive committee; others have created a digital committee on their board of directors.
The scope of the position is broad: it covers all information systems, whether industrial, managerial or commercial, as well as the protection of sites and of the extended company, meaning suppliers, subcontractors, providers and subsidiaries in every country where the group is active. This extended perimeter matters because some SMEs suffer "cyber deaths": they cannot escape digitisation, yet they do not always have the means to secure their operations, and their weakness becomes the group's exposure.
Finding trusted partners, ensuring the company's resilience with limited resources and budgets, and protecting strategic and personal data are challenges that cybersecurity professionals must tackle against a backdrop of cost reduction, automation and optimisation. Their many missions all serve one larger goal: developing and maintaining the digital trust that stakeholders (clients, suppliers, employees, shareholders, partners, etc.) place in the company and in its products and services. Those missions are:
- To protect the company’s strategic, financial and personal information, starting from the design phase (privacy and security by design);
- To advise the business on developing applications and services that enable digital activity and value creation, thereby rendering it a trusted partner of long-standing and new clients;
- To contribute to compliance, especially under the GDPR and the NIS directive; and
- To summarise cyber risks, assigning them relative levels of potential impact (a lack of security in industrial systems may have much more serious consequences for a company than a leak of non-strategic or non-sensitive data!).
Marie de Fréminville