[Cigref Report] Cybersecurity: Visualize, Understand, Decide

23 January 2019 | Cigref in English

Today, the pressure of digital transformation and the dematerialisation of physical processes mean that companies hardly ever possess any essential function that operates independently of their information systems. Protecting those systems is therefore vital to the company. Cybersecurity is the response to this issue of protection and trust, which concerns customers and prospects alike.

Management demands, and needs to have, confidence in the level of security in force for the business activity for which it is responsible. To ensure an appropriate level of investment to cover cyber risks, managers need a presentation or report that enables them to identify risks, qualify them and value them using relevant indicators.

Report

IT security risks must be analysed across every function of the company. This is why cyber governance is the responsibility of a manager whose remit covers all of the company's activities. Depending on the organisation, this may be the Chief Information Officer (CIO), the cyber manager or even the risk manager. The mission of this manager is to educate the leaders of companies or public bodies, in terms that apply to their own situation, by showing them how a cyberattack can have a significant impact on a company's business activity, its value, its assets and its reputation, potentially even putting its survival at risk, and to propose appropriate measures for covering such risk.

The Cigref working group has identified and structured the essential strategic information and indicators in a cybersecurity dashboard to be presented to the Executive Committee and the Board of Directors. By adapting it to the specific context of his or her own company or public organisation, the CIO or cyber-governance manager has the material needed to produce a report that offers a very brief summary, accessible to non-specialists, and gives decision-makers the right amount of information. The dashboard balances current data, qualitative information, consolidated risk analyses, cost information and aggregated quantitative indicators. Its content must always include the following key information:

  • A brief description of the most vulnerable activities and of the key data held in the information system (IS);
  • The IS's accessibility from outside, and an overview of its exposure;
  • The current threat level and recent threat developments;
  • The company's key areas of vulnerability;
  • A summarised overview of IT security risks, with risk analysis information broken down by company sector;
  • Key operational points;
  • Current and future action plans.

In addition to securing information systems, it is also necessary to consider resilience. The situation that a number of companies faced in 2017 through attacks such as "NotPetya" made it clear that even though some cyber risks currently carry a low probability, their occurrence remains possible, and companies should start preparing for them right away: we are entering a "cyber-warfare" era in which every company is a potential target or liable to suffer collateral damage. IT Directors, with the backing of their superiors and the assistance of their operations teams, must prepare now for a crisis resulting from a major successful IT attack, and define the emergency measures to be implemented in the first minutes and hours. In extreme situations, the direct involvement of the IT Director is the determining factor in the company's ability to handle the fall-out from such cyber-incidents.

This Cigref report was initially published in French under the title "Cybersécurité : Visualiser, comprendre, décider".
