Throughout Cybersecurity Month, we will introduce you to our experts. They will talk about what they are passionate about, their expertise and how they are helping to build a safer digital society.
Passionate about IT and customer support, Aïcha Mir, consultant and audit manager in the Consulting and Audit Unit, tells us about her daily life.
I am a consultant in the Consulting and Audit Unit, working on support assignments with clients. Consulting specifically means risk analysis, audits in relation to compliance benchmarks, reviews before implementing solutions.
We have a wide range of clients: small town halls, major listed companies, large industrial groups, banks... Our mission covers technical, organizational, and regulatory aspects.
The aim is to anticipate risk: "anticipation avoids datastrophes." So your work with clients starts with what is known as a diagnosis?
Absolutely! We call it a diagnosis or an audit. We start there: we get to know the client and we need to know what is done, what is not done, what are the things that are missing.
You referred to different sizes of clients in a wide range of sectors. Is that your main challenge: adapting to the type of client?
Yes, one of the main qualities required is an ability to adapt to the client’s situation, their size, their limitations, their needs, their budgets. I often say that we are a bit like our clients’ therapists. They tell us their problems, and we must understand them, translate them, and respond. We try to analyze as closely as possible, to listen. Listening is crucial. We offer a tailored service.
There are some “packaged” services, e.g., awareness activities, but securing an information system requires a thorough analysis and tailored responses.
Is there a different level of awareness and preparation depending on the client’s profile?
Yes, we call that the “level of maturity.” Some sectors are further behind than others, e.g., manufacturing: a commonly targeted sector, but far behind. Regulations have changed a lot recently, though, with the GDPR (General Data Protection Regulation) and the Military Planning Law, which has allowed us to catch up over the years. Digitalization of all services, in all sectors, has made this compliance crucial.
You talk about supporting your client. What are the steps taken following a diagnosis?
We carry out different types of assignment. It always starts with a diagnosis. What are the weaknesses? Weak passwords? Remote access management? Updates not applied? Lack of maturity among staff? From there, we propose an action plan, which can be picked up by their internal teams if they are able, but that's rare. So, we stay to offer support to implement this plan, based on a schedule that we implement, with priorities. And we can then get several Orange Cyberdefense services involved. For example, in terms of maturity, we offer several modules ranging from simple awareness to training between or within companies. We are an approved training center.
If we talk about security and digital maturity now, across all sectors, what are the main sticking points for companies today?
I would say that the major problem is identifying risks. Often, we apply standards without getting some perspective on our own data and our actual risks. The GDPR has helped a lot to finally establish a risk map. We must ask questions about data: what has value? What does not? What must we protect, and how? That is essential. Risk analysis must go one step further than just compliance, and carefully consider the threat environment compared to the business.
We spoke about maturity. In the current geopolitical context, with new regulations and media coverage of cyber risks, are we seeing people become aware more quickly?
Yes, we are called in more and more. Major groups, of course, but also an increasing number of SMEs. Any company can be at risk today.
Do you feel like it’s a race against time?
Yes, there are more and more attacks but above all, more complex and sophisticated attacks. Hackers are getting organized and professional. The more complex IS (information systems) become, the more complex attacks become.
You work in a very male-dominated environment. Jobs linked to digital and cybersecurity are just starting to open up to women. What is your view on diversity?
When I started to work twelve years ago, there were very, very few women. I started out in a team which only had guys! It was not very easy to be the only woman, even though my colleagues were very welcoming; I was lucky. In technical departments it was even worse: there were some raised eyebrows when I walked in. But that is changing now. We are giving more talks to more young girls, in schools, at universities. And there are more women they can identify with. If my experience could help encourage girls...
Adapting to constant changes: threats, attacks, information systems, technological developments... You have to constantly stay on top of things: if you fall behind, you're dead. It is very disappointing to try and fix something when you're too late. You always need to be one step ahead.