Faced with ever more numerous and sophisticated cyber threats, CISOs need to multiply the layers of security to protect information systems against the risks of compromise.

A proliferation of technological tools adds operational complexity to the day-to-day difficulties of managing cyber risk.

Add to this an increasingly dense regulatory framework, with ever more stringent compliance requirements such as DORA, the Cyber Resilience Act, the GDPR (RGPD) and soon NIS 2. All these texts now impose obligations that are no longer limited to the implementation of security measures, but also cover documentation and traceability.

In this context, managing cybersecurity can be a complicated task for the CISO, and poor management can lead to additional costs for the company. What are these costs? How can they be anticipated and avoided?

INCREASINGLY COMPLEX AND COSTLY CYBER MANAGEMENT

New requirements

Whereas in the past, system protection often came down to simple preventive measures, the diversity and sophistication of today's threats call for more elaborate strategies.

As Baptiste David, Head of Market Strategy at Tenacy, explains: "Not only are cybercriminals demonstrating a strong capacity for innovation, they also seem to have fewer and fewer ethical limits. This is obvious when you see institutions such as the Red Cross or hospitals being attacked in the midst of the COVID-19 crisis."

This paradigm shift requires companies to adapt. Whereas 10 to 15 years ago, companies adopted a minimalist approach, installing antivirus software without any follow-up action, this is no longer sufficient today. Antivirus, among many other tools, now requires documentation and monitoring, and must be part of a broader cybersecurity strategy. Baptiste David insists on this point: "Compliance is about doing, but it's also about letting people know, and it's also about tracking and documenting."

In a context of manpower shortages and under the weight of these regulatory constraints, managing cybersecurity seems a perilous mission. At best, the result is a fragmented view of the information system, and at worst, an increase in risk for the company.

Unnecessary stacking of solutions

The first effect of poor management is to lead to heavy investment in security solutions which, instead of offering adequate protection, are simply stacked on top of each other.

A commonly observed case is that of investing in several anti-malware protection solutions in the hope of benefiting from a double barrier, when in reality these tools could conflict and reduce detection efficiency.

Non-compliance risks

Compliance means documenting and maintaining the cybersecurity solutions used within the company. Without good cyber steering, it's difficult to assess where an organization stands in terms of regulatory compliance.

This is particularly the case for operators of vital importance (OIV), who are required to comply with the French Military Planning Law (LPM) or face sanctions. To this end, the ANSSI and other government departments can carry out security checks to ensure that the rules are being properly applied. In the event of non-compliance, the operator concerned will receive an injunction to comply. If non-compliance persists, this can result in financial penalties ranging from 150,000 to 750,000 euros.

The prospect of lost business

In a more extreme case, non-compliance can lead to loss of certification and, by extension, loss of business partners. The ISO 27001 standard, for example, is required for calls for tender. The loss of such approvals can make it more difficult to acquire new customers, while at the same time jeopardizing existing business relationships.

Damage to reputation

Public fines or sanctions also damage a company's reputation. Indeed, bad press concerning cybersecurity issues can lead to a loss of confidence among customers, partners and investors. This is particularly the case after a major data breach.

Excessive dependence on a single person

Companies tend to rely heavily on their CISO to manage the cybersecurity of their information systems. However, this dependence can be problematic if no monitoring mechanism is established, leaving the company vulnerable in the absence or unavailability of the CISO.

Good management therefore rests on a centralized monitoring tool such as Tenacy: because it does not depend on a single individual, it allows information to be shared within teams. This can result in action plans, indicators and a roadmap offering clear direction. If a CISO leaves the company, or if new members join the team, structured management facilitates the transfer of skills and the integration of these new resources.

HOW TO ANTICIPATE AND LIMIT CYBER STEERING COSTS?

Define your goals and priorities

Each company, depending on its structure, mission and priorities, has specific cybersecurity needs. For some, the focus may be on protecting workstations, while for others it may be more on identity and access management.

Precise identification of the organization's needs enables priority areas to be identified and resources directed. This means that CISOs need to ask themselves a number of questions.

  • What are the risks associated with today's information systems?
  • How do you measure the effectiveness of security measures?
  • What are the tools and indicators for monitoring, detecting and responding to security incidents?
  • Are employees sufficiently trained and aware of potential threats?
  • How do security objectives align with the company's overall objectives?

Once the objectives have been set, they need to be validated by management, and the roles and responsibilities of each party need to be set out in a PGSI (Politique Générale de Sécurité de l'Information - General Information Security Policy).

Basing cyber steering on facts

An information system is a constantly evolving environment, requiring CISOs to adapt constantly.

As Baptiste David points out, "CISOs should not rely exclusively on their instincts or convictions. Even if lessons learned from previous experiences are important, we must bear in mind that what has worked in the past in a given context is not always transposable to another company."

It's all about a fact-based, data-driven approach.

If we take the example of an antivirus solution, simply buying one is not enough. You need to:

  • ensure it is actually deployed;
  • monitor its effectiveness in real time;
  • establish clear indicators to assess functional coverage and the level of protection within the company, such as the number of attacks recorded or the number of malware samples stopped.

Now more than ever, CISOs need to use tools to manage their company's cybersecurity actions. To this end, the Tenacy solution offers a range of functions for monitoring security objectives and actions in real time, via dedicated dashboards.