How companies can take control of their cybersecurity
In this Help Net Security interview, Baya Lonqueux, CEO at Reciproc-IT, discusses the evolving cybersecurity landscape and the essential skillsets needed for teams working in this field. The interview highlights the shift from technical expertise to a focus on organizational and governance skills for managing business cybersecurity risks.
Lonqueux also addresses the proactive measures required to mitigate cybersecurity risks, emphasizing the importance of identifying security needs, ensuring compliance, and simulating risks for prioritized actions.
Even the most skilled teams can find it overwhelming to manage cybersecurity. What skillsets are most crucial for teams to have in this ever-changing landscape?
More generally, teams dealing with cybersecurity risks are mainly operational, more technical. This field has long been seen as a purely IT subject, and education has provided and continues to provide technical resources. What remains to be filled today is the organization, governance and management of cybersecurity risks. These are the skills that need to be mainstreamed in business.
How have the methods and objectives of cyber attackers evolved, and what does this mean for enterprise protection strategies?
Cyber attackers evolve rapidly, anticipating the measures taken and to be taken by companies. Cyber attackers constantly recognize and monitor their victims, enabling them to stay one step ahead. Companies, for their part, need to target their protection strategy, securing what is sensitive, isolating critical assets to avoid massive surveillance protections that encourage error.
Proactive action is key for mitigating cybersecurity risks. What proactive measures should companies be implementing?
- Ensure that the company is aware of its security needs, and clearly define them by involving business managers: the main objective of this action is to target the asset to be protected.
- Based on the expression of this need, verify the level of compliance: are the security measures required to meet this need correctly applied?
  - This simply involves carrying out a gap analysis on your information system to determine the level of maturity of the measures already applied.
  - Do these measures comply with the state of the art, with a corporate standard (regulatory or internal)?
- Based on these results, simulate the risks to check whether the company could potentially be attacked.
  - Risk scenarios and their level of probability are defined. The most probable scenarios are prioritized for corrective action.
How does compliance fit into the broader strategy of cybersecurity risk management? Is it a driver or a byproduct of a solid cybersecurity strategy?
Compliance is undoubtedly one of the driving forces behind a solid cybersecurity strategy.
Companies must constantly question their level of compliance with security standards. This compliance-based approach will facilitate the implementation of a continuous improvement process. A winning solution for successful resilience.
Can you talk about some global regulations impacting how companies manage cybersecurity risks and how they should be accounted for in an end-to-end protection strategy?
To date, the only regulation that has really had an impact and raised awareness among businesses of all fields and sizes is GDPR, the protection of European citizens’ personal data. This regulation, which dates from 2018, has shaken things up. Companies are forced to know what data they need to protect, where it is stored and how to protect it. As a result, companies have started to take security seriously and understand what’s at stake.
Regulation is a good way of raising companies’ level of maturity when it comes to security. The forthcoming European regulations, NIS2 and DORA, will have a significant impact. They will affect a large proportion of businesses and will address end-to-end information security at organizational, functional, and operational levels. And that’s where it gets interesting!
What advice do you have for organizations looking to improve their end-to-end management of cybersecurity risks?
My answer is almost implicit in all the previous answers.
To provide security that meets the challenges it faces, a company needs to be pragmatic, to secure what is necessary and critical, and to prioritize its actions. You can’t secure everything and anything. Risk analysis must be an essential tool, and it is this approach that must guide good security practices. Buying cybersecurity tools without knowing where to plug them in makes no sense.
- Identify your critical assets
- Check your level of compliance
- Simulate and analyze your risks
- Apply the necessary measures corresponding to the risks identified
- Monitor the action plan linked to these measures