The case for a unified vision of cybersecurity

Author: Gael Prado, Senior Consultant

In the wake of the numerous cyber-attacks targeting local authorities, hospitals, and businesses of all sizes since 2020, the facts are clear: the level of cybersecurity is inadequate when compared to the threat landscape.

On the eve of cybersecurity becoming a legal obligation with the transposition of the NIS2 Directive, we look at why a paradigm shift in how cybersecurity is perceived is urgently needed and what form it could take: integration within business processes, development of a cybersecurity culture and education, alignment with compliance, privacy and quality activities, representation at executive level, etc.

Let's be clear: cybersecurity has changed over the past few years. Cyberattacks are on the rise, more and more businesses are targeted (of all sizes and across all sectors), and it is now common to read about resilience, continuity, crisis management and their consequences in the news (see ANSSI État de la menace 2022 and ENISA Threat Landscape 2023).

A quick analysis of these cyberattacks (for example, through the France Relance cybersecurity programme sponsored by the French government following the COVID-19 crisis) revealed that the cybersecurity maturity level of many victims was simply not adequate for the threat landscape. A weakness we observe regularly is the lack of cybersecurity governance in many medium-sized entities, public as well as private: while the technical aspects are usually covered by IT teams, the organisational aspects are quite often ignored, or at least judged less important, in entities with a low to medium cybersecurity maturity level.

As cybersecurity becomes a legal obligation for many entities across Europe, this situation must change. Which actions can, or should, be taken to rethink the way cybersecurity is approached within organisations? With the coming paradigm shift, cybersecurity is a business-wide issue and must be understood as such.

Cybersecurity must branch out of the IT department

In many organisations, cybersecurity is dealt with by the IT department, and the CISO often reports directly to the CIO. This can lead to conflicts between departments, with cybersecurity perceived simply as an offshoot of IT activities. That understanding is easily challenged when conducting cyber crisis simulations: it is on these occasions that business process owners begin to see the interactions between their processes and cybersecurity, and the need to bridge the gap between the IT department and the other departments.

The CISO must be able to reach out to all the departments in an organisation and must be able to address the business issues across all of them, whether by conducting awareness training, by taking part in the selection of business applications or by making sure that cybersecurity is included in the business processes.

It is legitimate to question where the cybersecurity function should sit in the organisation chart. While the role of the Data Protection Officer has been defined in Regulation 2016/679 (GDPR) and their hierarchical independence clearly spelled out, it is regrettable that the same is not true of the CISO's role. A similar role could be implemented in certain organisations, but it requires a high level of maturity and should not be done too eagerly, as many organisations would benefit more from a more technical approach to cybersecurity first.

Cybersecurity must reach the top management

A complementary aspect to the role of the Chief Information Security Officer (CISO) is a recommendation frequently emphasized during our maturity audits: executives should be equipped with strategic indicators regarding the risks and challenges in cybersecurity.

With the forthcoming transposition of the NIS2 Directive, this recommendation becomes a regulatory requirement, accompanied by a training obligation for these same executives, as they will be held accountable for the cybersecurity risk measures implemented across their organisations.

While a risk-based approach is the norm in the cybersecurity domain, it has not been fully adopted at top-management level, and even less so for cyber-specific risks.

In this new model of cybersecurity, it seems necessary to redefine the framework within which cybersecurity is dealt with, so that it is no longer approached simply by means of periodic indicators, but as a strategic tool with a dedicated sponsor.

Access to the top management of the organisation, together with access to (and some form of authority across) all its departments, appear to be the two aspects to address first in the new cybersecurity paradigm: cybersecurity is a transverse topic with a clear strategic value for organisations of all sizes.

Cybersecurity must use a top-down approach

When the question of business continuity is raised, the usual answer is a list of applications deemed necessary or critical. In the same way, the question of whether the entity has a map of its information system is rarely answered holistically: when a map of the Information System exists, it rarely shows the links between the IS assets and the business processes they support.

With the advent of the NIS2 Directive and the paradigm shift it demands of essential and important entities, a top-down approach is needed to identify an organisation's priority areas: starting from the strategic mission, priorities must be assigned on the basis of the existing processes within each department or service. It is by studying these processes that the business continuity roadmap can be built and the security needs identified, notably by bringing to light the hidden interconnections and dependencies between the processes on one hand and the IS assets on the other. For example, it is not enough to declare a single application a critical component; it is necessary to identify all the processes that call on it, so as to find the upstream and downstream points of failure, as well as the applications that supply its inputs or consume its outputs.
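The dependency analysis described above can be made concrete with a small graph model. The following is an added example, not code from the original article or from its author: it assumes a constructed inventory of a hypothetical hospital (process names such as "patient-admission" and application names such as "ehr" and "lims" are invented) in which processes call on applications and applications feed data to one another. From that inventory it derives, for any application, the applications upstream and downstream of it and the business processes that would stop if it became unavailable, then ranks applications by that blast radius rather than by a flat "critical" label.

```python
from collections import deque

# Constructed sample inventory (hypothetical; not taken from any real entity).
# Business process -> applications it calls on directly.
PROCESS_USES = {
    "patient-admission": {"ehr"},
    "billing": {"erp", "ehr"},
    "payroll": {"hr-system"},
    "lab-results": {"lims"},
}

# Application -> applications that consume its outputs (data flows downstream).
FEEDS = {
    "identity-directory": {"ehr", "erp", "hr-system", "lims"},
    "lims": {"ehr"},
    "ehr": {"erp"},
}


def _reachable(start, edges):
    """Breadth-first closure over a directed adjacency map, excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # a cycle could lead back to start; it is not its own dependency
    return seen


def downstream(app, feeds=FEEDS):
    """Applications that, directly or transitively, use the outputs of `app`."""
    return _reachable(app, feeds)


def upstream(app, feeds=FEEDS):
    """Applications that, directly or transitively, supply inputs to `app`."""
    reverse = {}
    for src, dsts in feeds.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    return _reachable(app, reverse)


def impacted_processes(app, process_uses=PROCESS_USES, feeds=FEEDS):
    """Business processes that would stop if `app` became unavailable: those
    calling on the application itself or on anything it feeds downstream."""
    affected_apps = {app} | downstream(app, feeds)
    return {proc for proc, apps in process_uses.items() if apps & affected_apps}


def rank_by_blast_radius(process_uses=PROCESS_USES, feeds=FEEDS):
    """Order applications by how many business processes depend on them,
    which is the top-down view of criticality the article argues for."""
    apps = set(feeds) | {a for dsts in feeds.values() for a in dsts}
    apps |= {a for used in process_uses.values() for a in used}
    return sorted(
        ((app, len(impacted_processes(app, process_uses, feeds))) for app in apps),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for app, count in rank_by_blast_radius():
        print(f"{app:20s} processes impacted: {count:d}  "
              f"upstream: {sorted(upstream(app))}")
```

Note how the identity directory, which no business process names directly, comes out on top: every process depends on it through the applications it feeds. That is exactly the kind of hidden dependency an application-only "critical list" misses, and the reason the analysis has to start from the processes.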

Once again, cybersecurity is not simply an activity that belongs to the IT department; it must be thought of as part of the business processes, and it requires a deep insight into how these processes fit together.

Cybersecurity must be integrated within existing processes

Having said all this, one key point needs clarifying: while it is necessary to rethink cybersecurity, there is no need to invent new ways of integrating it. As a relatively recent concept, it is understandable that it is still treated separately from other business activities that have not experienced the same acceleration towards digital technology. However, where a quality approach in the ISO 9001 sense is in place, or where a compliance department exists, it is worth building on those existing activities so as not to create unnecessary redundancy that would work against the adoption of a cybersecurity culture.

GDPR compliance is one example. Organisations that have reached a satisfactory maturity level have put in place means of identifying the processing of personal data: a business process inventory, questionnaires to assess the compliance of subcontractors, a methodology for integrating privacy into projects, and so on. When taking cybersecurity into account becomes a regulatory requirement in the same way as personal data protection, these foundations can be reused: the data handled in each process can be qualified in terms of both privacy and cybersecurity, third-party assessment can cover all the regulatory requirements (provided it is accompanied by the required audits), and a single project methodology avoids redundancy and makes it possible to deal with privacy and cybersecurity issues at the same time.

A higher common level of cybersecurity

This is what the Directive is about. Cybersecurity is not a matter of compliance with a checklist of measures to be implemented, but a wake-up call for many organisations across the wider community. Cybersecurity is necessary, mandatory even, and it needs to be addressed as a holistic process.

Once the Directive has been transposed, many entities will have to work out how to integrate cybersecurity within their activities. This is a real paradigm shift, and it is essential to understand that cybersecurity is not only a technical activity but a genuine part of the business activity.

Now is the time to reflect on how it can be done, to anticipate, and to prepare.

The goal is a higher common level of cybersecurity and a safer digital society.
