In conversation with Fabrice Wynants –
A few times a year I meet with the topical experts at Cegeka. Today I am joined once again by Fabrice Wynants, Global Director of Cybersecurity. We’re talking about:
- what (too) many companies are still not doing to protect themselves from cybercrime
- what exactly C-SOR2C stands for;
- the question that most CEOs ask when it comes to cybercrime;
- what CISOs can do to get their budgets approved;
- the most remarkable trend of the past year;
- where that army of unused security specialists may be!
Fabrice, the number of cybercrime incidents has increased sharply recently. What has caused this?
Fabrice Wynants: “There are several reasons for this. In many companies, basic cyber-hygiene is still not in order. This is nothing new: the last time we spoke, I said exactly the same thing (laughs). People are still buying based on gut instinct. They invest in fancy point solutions that only address one aspect of their cybersecurity. But if they haven’t got the foundation right yet, this is not a good strategy. It is better to spread your security budget as widely as possible rather than buying one state-of-the-art point solution.”
People are still buying based on gut instinct. They invest in fancy point solutions that only address one aspect of their cybersecurity.
“In addition, we are seeing that many organisations still lack a clear understanding of precisely what the weak points in their business are: what you might call their crown jewels, assets that need to be protected at all costs. These are the things that could cause a company to go down and suffer major financial, operational or reputational damage, but what exactly are they? Administration? Supply chain? Stock management? After you have properly set up the basics, you should focus on establishing that. That’s point two.”
“And three: we see that a lot is spent on prevention and detection – I would even say too much – but far less is spent on response and recovery. The analogy is, why invest in an expensive fire alarm system if you don’t link it to the fire brigade? The few seconds that you might gain with that finely tuned, expensive system are lost in minutes because the fire brigade have not been alerted automatically. It’s overkill and a waste of money.”
Is this why Cegeka launched C-SOR2C this year?
Fabrice Wynants: “That’s right. The name C-SOR2C stands for how we at Cegeka look at modern cybersecurity operations: with a lot of emphasis on the 2 Rs – response and recovery. Today, detection can be automated to a large extent, including with using machine learning, which is what a traditional SOC does. For response and recovery, you need experts. But a SOC that can quickly detect a problem only to throw it over the fence – catch and dispatch – is of no use whatsoever to the customer. ”
A SOC that can quickly detect a problem only to throw it over the fence is of no use whatsoever to the customer.
“With our C-SOR2C, every threat detected is followed by a fast and appropriate response, and if necessary, recovery activities. We don’t just call our customers to tell them that we have identified a problem; we call to tell them that we have identified a problem, that we have contained it, whatever it may be, and we then advise them on the preventative steps that they may need to take themselves, including what other suppliers within their ecosystem may still need to do or be able to do. Our strength is that we can link a broad set of IT expertise to security operations. ”
What question are you most often asked by non-technical C-level executives?
Fabrice Wynants: “There is still a lot of reasoning based on the famous FUD: fear, uncertainty and doubt. People allow themselves to be frightened. I am often asked by CEOs what they should do to protect themselves against nation-state cybercrime… cyber activity sponsored by a state to cause political instability, for example. My answer to that is that there is not much you can do about it. It is an unequal battle and there is no point in letting yourself be led by it.”
CEOs often ask me what they should do to protect themselves against nation-state cybercrime.
“It is far better to invest defensively as a company: have your basic cyber-hygiene in order, gain insight into critical processes and your “crown jewels” and make sure that you protect them properly, work on awareness among all employees, gain a high-level understanding of how an attack pattern works, and so on. The chance of something going wrong because one of these factors has not been attended to is much greater than the chance of being hacked by a random rogue nation.”
More and more budget is being allocated to cybersecurity. Have you noticed this?
Fabrice Wynants: “Yes, but as I mentioned earlier, it is not always used in the most sensible way. Plus, I often meet CISOs who are still having a hard time getting those budgets approved by the management board. ‘What do we get in return?’ seems to be the most common question they get asked by the board. Security is still often seen as a kind of insurance, while in actuality it is an investment. We often talk about ‘ROSI’, Return on Security Investment. That’s why we are in the process of creating a work package for all CISOs that will make it easier for them to convince their boards to make the right decisions when it comes to cybersecurity and resilience. ”
What is the most important development that you see happening now?
Fabrice Wynants: “The convergence of IT and security operations. The two have lived side by side for a long time: infrastructure was set up, applications were developed, and on top of that came a layer of security as a kind of add-on. Nowadays, we are seeing more and more that security is integral – everything is secure by design, or at least 70% of it is. Security is becoming more and more implicit and invisible, which is exactly how it should be.”
Security is becoming more and more implicit and invisible, which is how it should be.
“This convergence is taking place partly due to the impetus from legislation. I like to make a comparison with cars: not so long ago, cars had no seatbelts, and when seatbelts were fitted as standard, it was by no means compulsory to wear them. That was until legislation got involved. It’s the same with security: it’s the law that requires that certain critical IT services must be secure by design. If that is not the case, you as a company will most likely not purchase those services. Just like you wouldn’t get into a car if you saw that it didn’t have seatbelts.”
What is the biggest challenge in your field?
Fabrice Wynants: “People. As I said, you can automate some security services very well and very cost-effectively with, amongst other tools, machine learning and workflow automation. But you still need good people. You can recruit them – if you can find them – or you can choose to work with an external SOC. At Cegeka, we provide the whole package, both the tools and the people, with our modern C-SOR2C.”
“By the way, one of my personal hobbyhorses is that security is looked from far too much of an academic and intellectual point of view. Most cybersecurity people have a master’s degree, me included (laughs), yet my experience tells me that there are many people who have had a technical secondary education who have got everything it takes to be great, driven IT and security engineers. We are underusing an army of potential security specialists! If we want to win the War for Talent, we will have to take a broader view of the pool of creativity.”