The European Forum for Risk and Insurance professionals
Guillaume Poupard, General Manager of ANSSI (National Agency for Security Information Systems), shares insight with us ahead of his panel at FERMA Forum 2019.
I see the digital transformation as a continuous revolution. Our societies and economies are rapidly evolving, often for the best, but with technological progress come dramatic cybersecurity issues. Take AI and machine learning, for instance. The people working on self-driving cars have made some groundbreaking progress in the past few years. Yet those cars remain easily tricked; subtle changes to a “stop” sign, imperceptible to the human eye, can cause them to confuse it with a speed limit sign. One can therefore understand why digital security is so deeply integrated with digital transformation.
Like the digital transformation itself, the cyber issue doesn’t belong to any sector in particular. It concerns both the private and the public sectors alike. We therefore need to address these issues as a whole if we want to build resilient societies and economies. Back in 2017, the WannaCry attack indiscriminately paralyzed hospitals, factories and companies across several countries. Besides, considering the growing interconnection of the different actors, the impacts of a cyberattack rarely stay limited to a targeted victim. The worst-case scenario, which is more and more likely, is when the whole supply chain is affected. The effects can impact an entire ecosystem composed of public and private entities.
Cyber risk management has become a strategic issue for a growing number of companies and administrative entities. However, its technical complexity and the necessity to engage all the actors of an organization – from top management to business units – make it quite difficult to handle. Where to start? Which governance is the most relevant? Which resources should I invest, and how much? The guide provides a rational approach to follow in order to progressively build and maintain an efficient cyber risk management organization.
I have in mind the example of a small company in the South of France that provides an essential digital service for a French major port. When they realized the importance of the risk for their activity and their major client, they were clueless on how to address it. This is why we came up with the idea of a serious game, designed to help them understand the basics of a cyberattack and the way it could impact them. They were then able to set up a strategy, develop strong security baselines and valorize their investments through a commercial offer. After three years, their cyber risk management organization is now mature, agile and performant.
It has become a common saying that whoever controls cyberspace controls the world. The Internet has become an essential instrument of war, and it is more and more used as such in the balance of power between countries. Given the rise of tensions in cyberspace, public and private organizations are all the more likely to be collateral damage in the fights to come, if not targeted directly. This is why there is a need for an “ecosystem” approach to cybersecurity, strengthening the organisations, their supply chains and their direct environment.
Cyber risk can be managed and mitigated like other risks. A good cybersecurity strategy should aim to place security at the heart of digital transformation. The guide proposed by ANSSI and AMRAE provides powerful guidelines to achieve this goal.
In this approach, the key point is to put in place and regularly update a strong risk analysis. For that, I recommend the risk analysis method proposed by ANSSI, named “EBIOS Risk Manager”.
Guillaume Poupard will be on the panel of our Cyber Security and Regulation session at this year’s FERMA Forum.