SDBR: CESIN * has just published its annual survey. What should we retain from it?
President of CESIN
Alain Bouillé**: Although less reported by the media, cyber-attacks continue to hit businesses, and eight out of ten continue to be affected each year, identity theft being the most common mode of attack. Cloud and IoT present higher risks with digital transformation. The massive use of the cloud creates a loss of control, especially over access control and the subcontracting chain. CISOs are less confident about their company's ability to cope with cyber risks (51% are confident, -12 points compared to last year), and fewer than one out of two consider that their company is prepared to manage a massive cyber-attack. Paradoxically, only one out of ten companies has set up a cyber-resilience program...
What’s your assessment, in terms of threats, for 2018?
2018 was less intense than 2017 for CISOs, although one can imagine that it was a little different for the CISOs of Facebook or Exactis, who had to manage massive data thefts. We are watching these successful attacks carefully, as they are a consequence of the move towards the concentration of data. For now, these thefts do not worry companies too much, because it is Facebook or personal data on commercial sites. That may be a little reductive: since digitization results in the concentration of companies' data in the cloud with a handful of suppliers, there is a great risk of seeing these cloud solutions attacked, because there are no invincible fortresses. Without predicting the apocalypse, one can wonder, in light of recent events, about the merits of concentrating all the data of all the big worldwide companies with a tiny number of actors. In 2018, we also learned from the spread of the NotPetya virus: for a few years we experienced the phenomenon of targeted attacks (with APTs), while with NotPetya we are in the presence of collateral damage suffered by chance. St Gobain was not particularly targeted by the attack and was infected by ricochet, because of one of its subsidiaries in Ukraine, which had just suffered a massive ransomware attack.
Even indirectly, the damage was considerable...
Yes, we are in the presence of massive destruction attacks, and we must note that, at St Gobain, nothing worked as planned in terms of continuity and resilience. All the continuity plans, the computer backup plans, the PRAs (disaster recovery plans), etc., elaborated over many years, proved ineffective for this type of attack: when thousands of machines are destroyed and, to restart, they must be manually reformatted one by one, it takes time! And no current rescue plan can solve that. Aramco or Areva have, in the past, experienced this misfortune and took months to clean up their IS infrastructure, but those were targeted attacks. With St Gobain, the new phenomenon is that these are no longer targeted attacks.
Don't you think that cyber-resilience, which is much talked about, is still in its infancy?
This was the topic of the CESIN congress held in December 2018, a theme that had been suggested since the end of 2017, before this topic was really considered by companies. This is indeed a topic that CISOs must really take into account, regardless of any fashion effect. Today, sophisticated IT back-up plans, which consist of copying all of the company's operations to a back-up site located 50 km away, are an excellent vector for the propagation of NotPetya-type viruses, which will spread on the main site but also on the back-up site. The more sophisticated the plans are, the more sensitive the company will be to viruses of mass destruction. CISOs and CIOs need to think about how to tackle such a complex and destabilizing subject.
You are throwing a stone into the small world of consultants who offer cyber-resilience in every advertisement, right?
It is true that there are many service providers, but also solutions, that have rushed into the breach to offer their help on this topic. I think it is necessary to approach the subject in a pragmatic way without necessarily building a maze. Look at the phenomenon of the SOC, which is the first bulwark of cyber-resilience because it makes it possible to see what is going on in the company and to be more efficient in reaction mode once the threat has got in despite the many layers of protection; all big companies now have a SOC. Questions: is the SOC cyber-resilient when the worst happens to you? Have you organized your SOC so that it is not the first brick hit in case of a global infection? We are not saying that we need to build an umpteenth data center (for the richest) as a back-up device, but we are saying that we have to look in detail at what the jewels of the company really are. The Active Directory (AD) is the first target of a Petya attack: a destroyed AD, not restorable from classic backups, means the extended shutdown of the company's IT! How, in the event of an attack, can one rebuild a healthy AD from a healthy strain and not from already infected backups? It is necessary to ask which IS building blocks are absolutely necessary in the event of a restart following a generalized attack, and to set up a process that absolutely guarantees the integrity of the corresponding backup.
Yet, don't the major software companies sell solutions that protect everything?
The major providers present serious solutions, of course, but sometimes it is also necessary to be interested in the smallest players, the start-ups, which offer solutions that are often more agile and more targeted at subjects where the big ones do not go. The example of the Active Directory is quite revealing of the gaps left by the major vendors: the start-up Alsid has taken an interest in it, successfully... Technological progress often comes from start-ups! We saw this with shadow IT, the CISOs' knowledge of which has made a lot of progress thanks to start-ups and SMEs which have all since been bought by major companies... The challenge for the CISO members of CESIN is not to wait until the big providers propose, 5 years later, the solutions they have bought, but rather to go "hunting" in order to do the technology watch. The CISO should not wait but be agile. Moreover, in 2019 CESIN intends to lead some visible initiatives towards innovative start-ups.
Is the digital revolution in France over or just starting?
I think it is only at its beginning. There was a first wave, which consisted, for all the actors, in applying more or less the same recipes: "I'm digital so I'm in the cloud; if I'm in the cloud I'm at Microsoft, Amazon or Google; I am modern because I have my mail in Office 365, etc." The French market has benefited very little from this wave, which has greatly benefited GAFAM. Those who signed these very promising contracts in terms of ROI are beginning to be disillusioned. Serious studies show that the cloud is no cheaper, that the risk of lock-in is well established and that the reversibility of some SaaS solutions will indeed be complicated. In addition, digitalization will come up against the problems mentioned regarding resilience: when everything is computerized, from floor to ceiling, and everything is outsourced, it is better not to have an Internet access incident, otherwise you cannot even send an email to your office neighbor... So, after the craze and the easy recipes, we will surely see a period of reflection on the real topics of digitalization.
Is there a shortage of CISOs today?
Through the 480 members of CESIN, we observe that many companies have created the position of CISO in the last 4 years. In order to fill these new positions, employers often search within the IS security teams of large companies, which have many security engineers who can move to CISO positions in smaller companies. For managers, the sector is self-supplying. The problem is for large companies to keep providing replacements for the CISOs who leave. There is competition between big companies, consulting firms and the state, even if the latter is not always at the level of market prices. Coming out of engineering schools that have provided security training, students have the choice. In addition, we see career changes by production, network or systems engineers who take conversion courses to become CISOs and offset the shortage of profiles. But at the current rate of digitization, there will be a shortage of human resources. It is of course necessary to increase the number of initial training courses for CISOs, but also, in non-specialized initial courses such as business schools, for future business leaders to receive training on cybersecurity problems: this is not currently the case. It is up to us, at CESIN, to perhaps help convince these schools and future leaders.
* www.cesin.fr - The full Opinion Way / CESIN barometer
** Alain Bouillé is Cybersecurity Director of the Caisse des Dépôts Group
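The interview argues that, after a NotPetya-style wipe, the Active Directory must be rebuilt from a backup whose integrity is guaranteed rather than from a copy that may already carry the infection. The script below is an added illustration of one such process; it is not from the interview, CESIN or any vendor named above. It assumes (hypothetically) that each AD snapshot's SHA-256 digest is recorded in a manifest signed with an HMAC key that is kept off the production network, and that the incident timeline yields an estimated first-compromise time. All sample snapshots, timestamps and the key are constructed.

```python
"""Pick a clean Active Directory restore point after a destructive attack.

Assumptions (constructed for this example, not from the interview):
- snapshots are opaque blobs taken at a known time;
- an offline manifest of their SHA-256 digests was HMAC-signed with a key
  stored off the production network when each snapshot was taken;
- incident response has estimated when the environment was first compromised.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(snapshots: dict, key: bytes) -> dict:
    """Record every snapshot's digest and sign the record. In practice this
    runs at snapshot time and the result is stored on write-once media or an
    isolated system, so a later compromise of the backup server cannot edit it."""
    entries = {
        name: {"taken": ts.isoformat(), "sha256": digest(blob)}
        for name, (ts, blob) in snapshots.items()
    }
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def choose_restore_point(snapshots: dict, manifest: dict, key: bytes,
                         first_compromise: datetime,
                         margin: timedelta = timedelta(hours=24)):
    """Return the newest snapshot name that (a) is listed in the authentic
    offline manifest, (b) still matches its recorded digest and (c) was taken
    before the estimated compromise minus a safety margin for dormant payloads.
    Returns None when no snapshot qualifies."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC mismatch: do not trust any listed digest")
    cutoff = first_compromise - margin
    candidates = []
    for name, (ts, blob) in snapshots.items():
        entry = manifest["entries"].get(name)
        if entry is None:          # unknown to the offline record: never recorded
            continue
        if ts > cutoff:            # too close to the compromise to be trusted
            continue
        if not hmac.compare_digest(entry["sha256"], digest(blob)):
            continue               # altered since it was recorded
        candidates.append((ts, name))
    return max(candidates)[1] if candidates else None


# --- constructed sample data --------------------------------------------------
KEY = b"constructed-offline-key-do-not-reuse"


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


ORIGINAL = {
    "ad-2018-06-20": (_t("2018-06-20T02:00"), b"ntds.dit snapshot A"),
    "ad-2018-06-24": (_t("2018-06-24T02:00"), b"ntds.dit snapshot B"),
    "ad-2018-06-26": (_t("2018-06-26T18:00"), b"ntds.dit snapshot C"),
}
MANIFEST = build_manifest(ORIGINAL, KEY)

# What the restore team actually finds on the backup server after the
# incident: snapshot B was modified after the manifest was written.
ON_DISK = dict(ORIGINAL)
ON_DISK["ad-2018-06-24"] = (ORIGINAL["ad-2018-06-24"][0],
                            b"ntds.dit snapshot B (modified)")
FIRST_COMPROMISE = _t("2018-06-27T10:00")


def demo():
    """Newest snapshot is inside the 24 h margin and B fails its digest,
    so the only acceptable restore point is snapshot A."""
    return choose_restore_point(ON_DISK, MANIFEST, KEY, FIRST_COMPROMISE)


if __name__ == "__main__":
    print("restore from:", demo())
```

The value of the scheme lies in where the manifest lives: if it sits on the same backup server that the malware reaches, the digest check proves nothing, which is the interviewee's point about back-up sites that faithfully replicate the infection. The margin is deliberately conservative; a snapshot taken shortly before the first observed symptom may already hold the payload.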