CYBERSECURITY IS NOT JUST A TECHNICAL ISSUE!
The adage is now well known: no digital growth without trust. Yet cybersecurity is too often approached from the technological angle, while the essential issues lie elsewhere.
Safe Harbor struck down, cyber-attacks against HSBC, Target or Israeli power infrastructure: given the scale and reality of the threats, cybersecurity practitioners within IT departments (DSI) have a window of opportunity to demonstrate to their clients that this is much more than a technological problem.
A systemic cybersecurity strategy
It is essential to define a shared strategy that considers all the dimensions of information security (Confidentiality, Integrity, Availability) across the entire value chain of the company (operational and support processes alike, throughout the organization). The focus should be on a quantitative and financial assessment of the risks involved, which is often decisive when it comes to unlocking the required budgets.
Critical assets ("crown jewels", whose compromise could be fatal to the company) must be identified by mobilizing all the stakeholders concerned: general management, business departments and the IT department. As CNIL and Safe Harbor require, particular attention to personal data and regulatory obligations is necessary, bearing in mind that fines can reach 4% of annual turnover in case of non-compliance (Digital Republic Bill).
A presence throughout the entire IS life cycle
Cybersecurity must not be an afterthought in IS projects. From the very first discussions, the CISO (RSSI) must be consulted on the application and technical architecture, the choice of technology and provider, project practices (development, environments), and the way data is processed and hosted.
Comprehensive tests must be planned from the outset: load, stress, penetration and data leakage tests, among others. The same goes for the recurring operational procedures: access and authorization management, incident management, disaster recovery and business continuity plans (PRA / PCA), on-call duty and crisis communication. The legal, finance and purchasing departments must be involved to ensure the coherence and adequacy of the measures taken.
An IS architecture that maximizes security
The way the IS is built, both the application and the technical architecture, must aim for maximum protection without degrading the customer experience. Authentication in particular deserves attention, through an Identity & Access Management (IAM) / Single Sign-On (SSO) module that combines security with smooth customer journeys. Payment security should use 3-D Secure sparingly, as it puts off ordinary users.
Data must be partitioned by a clear separation of Front-Office / Back-Office environments on the one hand, and of development / integration / acceptance testing / pre-production / production environments on the other. The availability of digital assets, critical to the customer experience and to revenue generation, requires a redundant architecture able to absorb heavy loads, as well as DDoS protection against malicious acts.
Running the IS in production must rely on tools suited to detecting and responding to cyber threats: monitoring probes, supervision, and so on. Some flexibility should nevertheless be kept in the design: maintaining year-round an infrastructure sized to withstand Black Friday can cost more than a few minutes of interruption.
Dissemination throughout the organization
More fundamentally, cybersecurity must permeate the whole organization. It must be integrated into the competency framework, both for project work and for day-to-day operations. Awareness-raising must be continuous: sharing lessons learned, building bridges between business units, IT (DSI), legal, finance and procurement, and appointing local champions as guardians of good practices.
The cybersecurity policy must be formalized, along with its governance. A global framework of practices, covering the entire Identification / Protection / Detection / Response cycle, should serve as the foundation for continuous improvement, with frequent audits to position the company on a maturity scale.