Building Cyber-Resilient Organizations
Arnaud Tanguy is AXA Group Chief Security Officer. He leads information security, physical security, health&safety and operational resilience of the Group. He previously was the Chief Information Security Officer (CISO) at AXA Investment Managers in charge of the global information security program across all lines of business. Prior to joining AXA, Arnaud was a Senior Manager at PwC and EY specialized in information security and IT strategy. He began his career as an officer in the French Navy leading the department in charge of IT, telecommunications, and information security at the naval base of Brest.
With software vulnerabilities, insider threats and employees disregarding security measures, organizations face cyber risks related both to their own personnel and to outside threats.
What does cyber resilience mean for organizations?
Cyber resilience requires anticipation and a systematic and rigorous approach to be ready to face the unknown. Being resilient not only means avoiding incidents, but also being ready to recover from the worst-case scenario. Cyber resilience is definitively a challenge in a cyber space where things are moving so fast. All organizations in the future must be capable to serve their customers, employees, and investors regardless of the cyber challenges they may face.
What are the concrete implications of a cyber-attack for a company, a data theft for example?
A data breach occurs when individuals get access to data that they then can leak, sell and use for identity theft, so the first risk is really to the people that the data belongs. The second risk is for the company, as it can fail to comply with regulations that now typically include mandatory notification of individuals whose data has been compromised for example. Reputation is another issue: while the company is the victim, its name is the one that appears in the media and this can lead to issues with customers’ trust and missed opportunities. The legal risk relates to the fact that many contracts do not yet include security clauses that describe the security measures that have to be put in place by the client, creating legal loopholes. Finally, the financial impacts of an attack are numerous, as quickly remediating the vulnerabilities, communicating with the media and customers, possibly millions of them, compensating customers and sometimes even paying fines, can all generate important costs.
Security-by-design is how we now need to conceive every project in the company.
What measures do private organizations take to limit cyber risks?
Threats are increasingly complex and professionally led, so security issues need to be embraced in a holistic and strategic manner. It starts with people, whose awareness and preparedness can be raised through internal communications, mandatory training or even fake phishing campaigns. We train our employees as cyber citizens and hope they will discuss it with their friends and families, so that we participate in training society at large, through our own people.
Finding a balance between security and business priorities can remain a challenge but there is now a good awareness in executive boards. It helps taking the right decisions on security measures while supporting the business means.
Security teams must find the right security level from the inception of each project, a principle we call ‘security-by-design’. In addition, any third part of a company could be subject to an attack, and security clauses are needed in provider agreements. The tech side implements technical measures, procedures and standards to anticipate ‘traditional’ malwares and more novel attacks, leveraging innovation such as artificial intelligence, and monitors activity to ensure our security measures are adequate. Finally, we build plans to react and recover from attacks as quickly as possible.
The same principles apply everywhere. Whether or not there is a dedicated internal team in the company, there must always be someone responsible and accountable.
For a company, it is really advantageous to engage early with regulators, to be transparent and build trust, as it helps in solving issues faster.
How are regulators helping to guide corporations towards more security?
Regulators are embracing cyber issues, especially since the European General Data Protection Regulation (known as ‘GDPR’) was put in place. Almost everywhere, we went from incentives to mandatory measures, for example regarding the notification of incidents or data breaches. For a company, it is advantageous to engage early with regulators, to be transparent and build trust, as it helps in solving issues faster. Of course, this can be a challenge for multinationals: AXA for example works with 64 different countries and we engage with 64 regulators that each work differently.
Some companies specialize in providing cyber security services to their clients, for example organizing audits and providing security tools. What is their role in building a more cyber resilient world?
For a private company whose main business is not related to cyber, for example a supply chain company, collaboration with cyber security providers is key. Indeed, there is a real arms race, with the speed and scope of attacks growing rapidly but we haven’t, as a society, trained enough people in the cyber domain and the cyber security workforce market is very competitive. Companies that provide cyber security services are able to pool these talents, to bring advanced capacities in cyber defense, such as automation. In short, cyber security service providers help organize the ecosystem efficiently.
Providers bring knowledge of the attacks, data collection and threat intelligence as well as innovations in the services they provide, while internal teams know their business in depth, the sector, and the history of the company. These internal teams are also hybrid ones, as they are composed of IT experts and of business people who make the link between the assets that need to be protected and the protection measures that the company uses. Working in partnership across the board is a necessity.