When it comes to computer security, a technology solution alone will no longer suffice. If companies wish to avoid the pitfalls that come with systematic protection, they need to go back to the human element.
If you want to protect your company effectively you need to go beyond mere technology. Some 35% of all security incidents are due to in-house failings by staff. In a book entitled ‘Cybersécurité, au delà de la technologie’ (Cybersecurity: Beyond Technology), Philippe Trouchaud, who is a partner at multinational professional services network PwC, explains why cybersecurity is first and foremost a question of organisation, human resources and information. The right approach, he argues, is a) careful identification of the risks and b) training people to be aware of the potential risks.
Interview with Philippe Trouchaud, a partner at PwC, cybersecurity expert and author of ‘Cybersécurité au delà de la technologie’(Cybersecurity: Beyond Technology), published by Odile Jacob.
Some 35% of security incidents are due to in-house failings by staff. In your book you urge readers to take back responsibility for cybersecurity, to restore the role played by human beings.
Philippe Trouchaud: Well, I started out from a basic observation. At PwC we’ve had the opportunity to look into quite a number of security incidents at our client companies. And in the end our conclusion was never that the technology was at fault. It’s always an organisational problem, or a problem of behaviour. For instance…maybe the passwords people are using to access their smartphones aren’t very secure.
“Often the main problem is staff behaviour. People just don’t understand potential threats or risks”
It’s regrettable that the market is led by the technology giants, who are talented at marketing, but fail to explain the full extent of the issues to client companies.
There’s a lot of literature on cybersecurity. Paradoxically, there’s a plethora of technologically-oriented books on the subject, but very little on the management science aspect.
You write that ‘Refusing to re-think your cybersecurity is a form of disconnect’. Are companies now starting to wake up to the issues?
At [the World Economic Forum annual meeting in] Davos, we poll CEOs to find out what’s on their minds. And they all have the same priority: investing in digital technology. They believe that their company data is their prime asset and yet cybersecurity is only seen as their second or third biggest risk! CEOs feel a bit helpless, they just don’t know how to deal with the issue. And for years, companies have been taking a top-down approach to disseminating security policy, in the hope that their employees would apply the rules correctly. This just isn’t happening.
There’s no such thing as zero risk! And actually the most successful companies are usually the ones where employees buy into the idea of risk protection. It’s not just up to the boss to impose his/her views. Having management directing everything centrally and imposing its approach to cybersecurity everywhere, isn’t, in my view, the right way to go.
At a time of exponential advances in technology, how can cybersecurity keep pace with these advances?
Well, we need to stay with the basics and not get overwhelmed by the technology. Often, when an incident occurs, it turns out that people weren’t aware of what needed protecting. The mantra ‘I protect everything’ is part of French culture. We love to have perimeter walls, like [17th century French military engineer] Vauban’s security principles.
But given what companies are trying to do on the digital front, they also need to regain possession of their information resources. What will enable me to differentiate my offerings on the markets? Where should I be innovating? And as a consequence, which information is the highly confidential data that I ought to be protecting? That’s the starting point, and on that basis you can then look for technological solutions to deal with the situation. And it’s important not to run away with the idea that all digital initiatives are going to be potential security breaches! On the contrary, they provide the impetus to step up security.
Often problems occur when new digital initiatives are connected up to the ‘legacy systems’, as they are known – i.e. the old systems that companies have been using up to now. When new connects with old that creates some very complicated interfaces, leading to extra exposure to security breaches. The first thing a company needs to do is to understand what needs protecting.
So are we going to see a new job description appearing in the near future – Company Data Investigator, a sort of data scientist-cum-data inspector?
Surveillance procedures at a [benchmark French stock market index] CAC 40 company generate around two billion security events per month. This cannot be handled by human beings. And no system will ever announce that there’s been a security incident. They’ll say that “there is a certain amount of statistical evidence which potentially indicates an anomaly.”
So, yes, the challenge for security surveillance is to be able to process huge volumes of data. And we need people who both possess very advanced statistical skills and are also able to use these skills to build up a picture of the potential risks. So I think we can safely say that the future of surveillance in the cybersecurity field will be in the hands of people who know how to use these statistical tools in the context of enormous volumes of data.
Any final comments?
Well, I’m pretty sure that cybersecurity will become a factor for a company’s competitiveness. All company bosses have grasped this fact.
“In the current climate where digitisation is a necessary step in a company’s innovation strategy, internal and external data security represents a major priority for everyone from the State down – large corporations, small & medium-sized businesses and startups in all sectors. The challenge for companies of all sizes is to raise awareness among their staff of the risks associated with cybersecurity – through Cyber Literacy programmes – and to co-develop tailor-made technology solutions in partnership with expert ecosystems comprising startups and academic research centres.”
Yoni Abittan, Digital Strategy Analyst, L’Atelier BNP Paribas