[Cigref Report] Cybersecurity: Visualize, Understand, Decide

23 janvier 2019 | Cigref in english

Today, the pressure of digital transformation and the dematerialization of physical processes means that companies now hardly ever possess any essential functions operating independently of their information systems. It is therefore of vital importance to the company that these systems are protected. Cybersecurity is a response to this protection and trust issue, affecting customers and prospects.

Management demands – and needs to have – trust in the level of security in force for the business activity for which it is responsible. To ensure the appropriate level of investment to cover cyber risks, managers need a presentation or report enabling them to identify risks, qualify them and value them using relevant indicators.

Report

IT security risks must be analysed throughout every function of the company. This is why cyber governance is the responsibility of a manager whose remit includes all of the company’s activities. Depending on the organisation, it may be the Chief Information Officer (CIO), cyber manager or even the risk manager. The mission of this manager is to educate the leaders of companies or public bodies, in a way that applies to their own situation, showing them how a cyberattack can have a significant impact on a company’s business activity, its value, assets and reputation, potentially even putting its survival at risk, and to propose appropriate measures for covering such risk.

The Cigref working group has identified and structured the essential strategic information and indicators in a cybersecurity dashboard to be presented to the Executive Committee and the Board of Directors. By adapting it to the specific context of his/her own company or public organisation, the CIO or cyber-governance manager has the information required to create a report which offers a very brief summary which is accessible to non-specialists and provides decision-makers with the right amount of information. This is based on a balance between current data, qualitative information, consolidated risk analyses, cost information and aggregated quantitative indicators. Its content must always include the following key information:

  • A brief description of the most vulnerable activities and key data pertaining to the information system (IS);
  • The SI’s accessibility from outside, and an overview of its exposure;
  • Level of threat and current information;
  • The company’s key areas of vulnerability;
  • Summarised overview of IT security risks and risk analysis information by company sector;
  • Operational key points;
  • Current and future action plans.

In addition to the question of securing information systems, it is also necessary to consider the issue of resilience. The situation arising in a number of companies in 2017 through attacks such as « NotPetya » has made it clear that even though some cyber risks currently carry a low probability, their occurrence is still a possibility, and companies should start preparing for them right away: we are entering a « cyber-warfare » era in which all companies are potential targets or liable to suffer collateral damage. IT Directors, with the backing of their superiors and the assistance of their operations teams, must prepare now for a crisis resulting from a major successful IT attack, and consider the emergency measures to be implemented in the first minutes/hours. After all, in extreme situations, the direct involvement of the IT Director is the determining factor in the company’s ability to handle the fall-out from such cyber-incidents.

This Cigref report was initially published in French under the title « Cybersécurité : Visualiser, comprendre, décider« 


Anticiper les cyberattaques : de la surveillance à la gestion de crise

Dans un monde de plus en plus connecté, les entreprises, grandes ou petites, se retrouvent désormais exposées à des cyberattaques de toutes sortes. La numérisation rapide des organisations a considérablement étendu leur surface d'attaque, créant ainsi un défi majeur...

Le Cigref et ses partenaires européens publient un Manifeste pour les élections européennes.

Nos quatre associations, Beltug en Belgique, Cigref en France, CIO Platform Nederland aux Pays-Bas et Voice en Allemagne, qui représentent collectivement plus de mille grandes entreprises européennes utilisatrices de technologies numériques, ont identifié quatre...

L’IA en entreprise : retours d’expérience et bonnes pratiques

Le Cigref a publié, au mois de juillet 2023, une première note d'information et d'actualité intitulée « Recommandations au sujet des IA génératives ». Un peu plus de six mois après, les évolutions particulièrement rapides des solutions intégrant ce type de...

L’IA en entreprise : retours d’expérience et bonnes pratiques

Le Cigref a publié, au mois de juillet 2023, une première note d'information et d'actualité intitulée « Recommandations au sujet des IA génératives ». Un peu plus de six mois après, les évolutions particulièrement rapides des solutions intégrant ce type de...

Les métavers : démystification et chemins à parcourir

Ce rapport sur les métavers, produit par le groupe de travail Cigref piloté par Malika Mir, Directrice des Systèmes d’Information du GROUPE BEL, et Olivier Le Garlantezec, Digital Tech Partnerships Director chez LVMH Group, explore les différents enjeux auxquels sont...