[Cigref Report] Cybersecurity: Visualize, Understand, Decide

23 January 2019 | Cigref in English

Today, under the pressure of digital transformation and the dematerialisation of physical processes, companies hardly possess any essential function that still operates independently of their information systems. Protecting these systems is therefore vital to the company. Cybersecurity is the response to this issue of protection and trust, an issue that also concerns customers and prospects.

Management demands – and needs to have – trust in the level of security in force for the business activity for which it is responsible. To ensure the appropriate level of investment to cover cyber risks, managers need a presentation or report enabling them to identify risks, qualify them and value them using relevant indicators.

Report

IT security risks must be analysed throughout every function of the company. This is why cyber governance is the responsibility of a manager whose remit includes all of the company’s activities. Depending on the organisation, it may be the Chief Information Officer (CIO), cyber manager or even the risk manager. The mission of this manager is to educate the leaders of companies or public bodies, in a way that applies to their own situation, showing them how a cyberattack can have a significant impact on a company’s business activity, its value, assets and reputation, potentially even putting its survival at risk, and to propose appropriate measures for covering such risk.

The Cigref working group has identified and structured the essential strategic information and indicators in a cybersecurity dashboard to be presented to the Executive Committee and the Board of Directors. By adapting it to the specific context of his/her own company or public organisation, the CIO or cyber-governance manager has the information required to produce a report that is very brief, accessible to non-specialists and gives decision-makers the right amount of information. It rests on a balance between current data, qualitative information, consolidated risk analyses, cost information and aggregated quantitative indicators. Its content must always include the following key information:

  • A brief description of the most vulnerable activities and key data pertaining to the information system (IS);
  • The IS’s accessibility from outside, and an overview of its exposure;
  • The current threat level and recent threat news;
  • The company’s key areas of vulnerability;
  • Summarised overview of IT security risks and risk analysis information by company sector;
  • Operational key points;
  • Current and future action plans.

In addition to securing information systems, it is also necessary to consider resilience. The situation faced by a number of companies in 2017 through attacks such as "NotPetya" has made it clear that even though some cyber risks currently carry a low probability, their occurrence remains possible, and companies should start preparing for them right away: we are entering a "cyber-warfare" era in which every company is a potential target or liable to suffer collateral damage. IT Directors, with the backing of their superiors and the assistance of their operations teams, must prepare now for a crisis resulting from a major successful IT attack, and decide on the emergency measures to be implemented in the first minutes and hours. In extreme situations, the direct involvement of the IT Director is the determining factor in the company’s ability to handle the fall-out from such cyber-incidents.

This Cigref report was initially published in French under the title « Cybersécurité : Visualiser, comprendre, décider ».
