[Cigref Report] Cybersecurity: Visualize, Understand, Decide

23 January 2019 | Cigref in English

Today, the pressure of digital transformation and the dematerialisation of physical processes means that companies now hardly possess any essential function that operates independently of their information systems. It is therefore vital to the company that these systems are protected. Cybersecurity is the response to this issue of protection and trust, which also concerns customers and prospects.

Management demands – and needs to have – trust in the level of security in force for the business activity for which it is responsible. To ensure the appropriate level of investment to cover cyber risks, managers need a presentation or report enabling them to identify risks, qualify them and value them using relevant indicators.

Report

IT security risks must be analysed throughout every function of the company. This is why cyber governance is the responsibility of a manager whose remit includes all of the company’s activities. Depending on the organisation, it may be the Chief Information Officer (CIO), cyber manager or even the risk manager. The mission of this manager is to educate the leaders of companies or public bodies, in a way that applies to their own situation, showing them how a cyberattack can have a significant impact on a company’s business activity, its value, assets and reputation, potentially even putting its survival at risk, and to propose appropriate measures for covering such risk.

The Cigref working group has identified and structured the essential strategic information and indicators in a cybersecurity dashboard to be presented to the Executive Committee and the Board of Directors. By adapting it to the specific context of his/her own company or public organisation, the CIO or cyber-governance manager has the information required to create a report which offers a very brief summary which is accessible to non-specialists and provides decision-makers with the right amount of information. This is based on a balance between current data, qualitative information, consolidated risk analyses, cost information and aggregated quantitative indicators. Its content must always include the following key information:

  • A brief description of the most vulnerable activities and key data pertaining to the information system (IS);
  • The IS's accessibility from outside, and an overview of its exposure;
  • Level of threat and current information;
  • The company’s key areas of vulnerability;
  • Summarised overview of IT security risks and risk analysis information by company sector;
  • Operational key points;
  • Current and future action plans.

In addition to the question of securing information systems, it is also necessary to consider the issue of resilience. The situation arising in a number of companies in 2017 through attacks such as "NotPetya" has made it clear that even though some cyber risks currently carry a low probability, their occurrence is still a possibility, and companies should start preparing for them right away: we are entering a "cyber-warfare" era in which all companies are potential targets or liable to suffer collateral damage. IT Directors, with the backing of their superiors and the assistance of their operations teams, must prepare now for a crisis resulting from a major successful IT attack, and consider the emergency measures to be implemented in the first minutes/hours. After all, in extreme situations, the direct involvement of the IT Director is the determining factor in the company's ability to handle the fallout from such cyber-incidents.

This Cigref report was initially published in French under the title "Cybersécurité : Visualiser, comprendre, décider".
