Organization: one of the cornerstones of cybersecurity

As cybersecurity is a cross-functional issue, it requires both monitoring what's going on in all areas of a company's activity, and an overview of the big picture. Well-chosen tools and processes are the CISO's best allies.

Set up a solutions catalog

What tools can CISOs rely on day to day? The ANSSI's guide to IT hygiene undoubtedly provides an excellent starting point for identifying the tools needed to achieve a "standard" or even "reinforced" level of security.

On this basis, the CISO can select the most appropriate tools to implement in each of the areas under his protection:

  • scoring tools (such as SecurityScorecard or BitSight) for subsidiaries;
  • a tool to assess the maturity of service providers in terms of cybersecurity management (such as Cybervadis);
  • e-learning and employee testing...

Whatever the tools chosen, the implementation of a genuine solutions catalog has the advantage of harmonizing solutions within the company. By presenting itself as a "recipe" to be followed, it also encourages buy-in from all stakeholders, especially those whose interests might be antagonistic.

Imagining processes and leveraging collaboration

Knowing everything about everything: this is one of the primary needs of CISOs, requiring them to keep constantly abreast of what their teams are doing. This means setting up processes, such as updating the supplier directory and keeping the CISO informed in real time.

But is simple information enough? The answer is no! To quote the first piece of advice given in the 2021 edition of CEIDIG's guide "Digital security essentials for managers", security is "much simpler and more effective when it's put in place at the very start of projects".

It is therefore up to the CISO to make proposals and intervene as far upstream as possible, seeking to establish fruitful collaboration with all departments (legal and HR, of course, but also the business lines). By way of example, the CISO has a key role to play in the supplier selection procedure: this is the best way of eliminating service providers who do not meet requirements, and ensuring that a uniform level of security is achieved across the entire area to be protected.

Support, an essential lever for protecting your business

Tools and processes are good, but getting them adopted is even better! As cybersecurity is everyone's business within organizations, its effectiveness depends more than ever on the human support available to the CISO. However, the support and goodwill of employees must be earned...

Employees: both a threat and a source of potential

Unsurprisingly, every single employee represents a gateway to the information system, with serious consequences for the company in the event of negligence or human error (business stoppage, damage to reputation, etc.).

According to an IFOP survey published in November 2019 at the request of IDESCI ("Employees and data security at work"), 47% of employees have already been victims of phishing. What's more, 34% of them have access to, store or share sensitive or confidential documents (accounting data, personal documents...).

At the same time, teams are expressing their concern about cybersecurity and their need for support. The survey reveals that 25% of employees do not use certain IT tools for fear of security or confidentiality problems. In addition, 86% of employees believe that managing the security of professional data on an individual basis would limit the risk of the company being hacked.

Solutions for instilling a culture of cybersecurity

While CISOs can't be everywhere, they can create points of contact with employees, encouraging them to play their part in protecting the organization. As a first step, why not set up a security desk, where employees can report suspicious information or get answers to their questions?

In addition to raising awareness, employees need resources and tools that are intuitive, easy to learn and use. In the case of phishing attempts, for example, a simple and effective solution is to integrate a plug-in into mailboxes so that everyone can immediately report any suspicious e-mails.

Tenacy, the first solution for 360° vision

Designed by CISOs for CISOs, Tenacy is an adaptable, collaborative SaaS solution for managing cybersecurity. Creating dashboards, collecting data, monitoring compliance and action plans, tracking security programs and carrying out assessments... Tenacy gives CISOs a 360° view of their cybersecurity.
