[Cigref Report] Cybersecurity: Visualize, Understand, Decide

23 January 2019 | Cigref in English

Today, the pressure of digital transformation and the dematerialisation of physical processes mean that companies hardly possess any essential function that still operates independently of their information systems. It is therefore vital to the company that these systems are protected. Cybersecurity is the response to this issue of protection and trust, an issue that also concerns customers and prospects.

Management demands – and needs to have – trust in the level of security in force for the business activity for which it is responsible. To ensure the appropriate level of investment to cover cyber risks, managers need a presentation or report enabling them to identify risks, qualify them and value them using relevant indicators.


IT security risks must be analysed throughout every function of the company. This is why cyber governance is the responsibility of a manager whose remit includes all of the company’s activities. Depending on the organisation, it may be the Chief Information Officer (CIO), cyber manager or even the risk manager. The mission of this manager is to educate the leaders of companies or public bodies, in a way that applies to their own situation, showing them how a cyberattack can have a significant impact on a company’s business activity, its value, assets and reputation, potentially even putting its survival at risk, and to propose appropriate measures for covering such risk.

The Cigref working group has identified and structured the essential strategic information and indicators in a cybersecurity dashboard to be presented to the Executive Committee and the Board of Directors. By adapting it to the specific context of his/her own company or public organisation, the CIO or cyber-governance manager has the information required to create a report which offers a very brief summary which is accessible to non-specialists and provides decision-makers with the right amount of information. This is based on a balance between current data, qualitative information, consolidated risk analyses, cost information and aggregated quantitative indicators. Its content must always include the following key information:

  • A brief description of the most vulnerable activities and key data pertaining to the information system (IS);
  • The IS’s accessibility from outside, and an overview of its exposure;
  • Level of threat and current information;
  • The company’s key areas of vulnerability;
  • Summarised overview of IT security risks and risk analysis information by company sector;
  • Operational key points;
  • Current and future action plans.

In addition to the question of securing information systems, it is also necessary to consider the issue of resilience. The situation that arose in a number of companies in 2017 through attacks such as “NotPetya” has made it clear that even though some cyber risks currently carry a low probability, their occurrence remains possible, and companies should start preparing for them right away: we are entering a “cyber-warfare” era in which all companies are potential targets or liable to suffer collateral damage. IT Directors, with the backing of their superiors and the assistance of their operations teams, must prepare now for a crisis resulting from a major successful IT attack, and consider the emergency measures to be implemented in the first minutes and hours. After all, in extreme situations, the direct involvement of the IT Director is the determining factor in the company’s ability to handle the fallout from such cyber-incidents.

This Cigref report was initially published in French under the title “Cybersécurité : Visualiser, comprendre, décider”.
