Antonin, when you joined Veepee as CISO, what were the main security issues you had to deal with?
Antonin Garcia: In 2019, on the strength of the external and European growth strategy it had implemented since 2016, vente-privee.com renewed its brand image to become Veepee, a global brand present in 10 countries.
When I took over, all the acquired and historic entities were in the convergence phase. This included new infrastructures, web platforms, back office, but also logistics services, warehouses and various associated support services.
Veepee also hosts, deploys and develops virtually all its services in-house. This gives us a high degree of autonomy, supported by experts capable of maintaining our own services and innovations.
One of our major challenges was to unify all these entities towards a common vision of cybersecurity in this particular context.
How did you go about thinking about your cyber strategy at the time?
A.G.: It’s crucial to recognize that complying with cyber best practices alone is not enough to guarantee a company’s security. In fact, this was made even more difficult by the fact that several cultures coexist as a result of external growth. Complying with best practice is all well and good, but hacking your own company means taking a more realistic, proactive approach. It was therefore essential to set up bug bounty programs and red team tests to ensure a relevant cyber strategy adapted to Veepee’s evolutions.
Bug bounty enables a company to mobilize a community of external security experts to actively identify potential vulnerabilities in systems. It’s a collaborative approach that exposes weaknesses that malicious actors could exploit. On the other hand, red team testing simulates realistic attacks to assess the resilience of systems and security teams. These simulations go beyond the usual best practices and aim to reveal the real weak points that need to be corrected.
In fact, this year you strengthened your cyber stack with the installation of an EDR. How did you convince your management to equip themselves with this tool?
A.G.: We highlighted the evolution of cyber threats, as evidenced by the numerous attacks that regularly receive media coverage, bringing hospitals, local authorities and even all public and private entities to a standstill. These examples called for an adaptation of our cyber posture.
We presented EDR as an essential key to dealing with these threats. Its ability to detect suspicious behavior at an early stage, and to improve our responsiveness in the event of an incident, was a key point in our sales pitch to get all our teams on board.
If you were given 30% extra budget tomorrow, where would you put it first?
A.G.: First and foremost, I would focus on our teams, seeking to continue to attract and retain people who are passionate and committed to their work, but above all humble profiles with a sense of service and a critical mind. This includes maintaining an environment conducive to autonomy where they have the time they need to work properly, without undue pressure.
Secondly, a significant proportion of this budget should be allocated to maintaining and developing our services and applications. It’s vital to ensure that services keep pace with business needs, thereby reducing the risk of workarounds. We need to encourage innovation and create an environment conducive to creativity, without hampering our agility. Rather than adopting restrictive measures that could slow down our operations, we aim to strike a balance between security and operations, fostering a dynamic and proactive cyber corporate culture.
In short, I would concentrate this additional budget on strengthening our teams, integrating needs into IT services and promoting a corporate culture focused on innovation, while maintaining continuous vigilance against cyber threats, and less on pure cybersecurity services. I’m convinced that investing in people and their IT reduces cyber costs while maintaining a robust, scalable defense strategy in line with our company’s needs.
What skills do you look for in a candidate when hiring for your team?
A.G.: I’m looking for people who are passionate and curious. I pay almost no attention to academic background, preferring experience and passion for the job.
I’m looking for hackers in the truest sense of the word: geeks in the broadest sense of the word, immersed in technology, who like to spend time understanding the inner workings and purposes of the business, and who above all have a desire to solve problems. Humility is also essential. Our field is extremely complex, and we are constantly faced with new challenges to overcome. One of the pitfalls of cyber is to position oneself as a judge, rather than as a contributor to the objectives of other departments and the company as a whole.
You and your teams are regularly certified. Is this a necessary part of today’s cyber industry?
A.G.: Cybersecurity certifications are not a prerequisite for progress, but they do provide significant value on the job market. Beyond their role in enhancing skills, they also help to solidify our professional profiles and convey an image of expertise. What’s more, they offer the opportunity to acquire new skills within the team, without necessarily having to look for talent outside the company.
When we invest in the certifications and skills of our cybersecurity team, we create a culture of learning and growth within the organization. This goes beyond simply accumulating certificates; it’s a move to offer our teams the challenges and experiences they would potentially seek elsewhere. By providing professional development opportunities, we satisfy their thirst for new issues and continuous learning. It’s a way of maintaining the enthusiasm and commitment of our team, while ensuring constantly updated and relevant expertise, but above all, it’s a way of ensuring that teams don’t have to look elsewhere for what we can already offer them in-house.
You are a member of the SecAtScale association, dedicated to the cybersecurity of tech organizations. What’s in it for you?
A.G.: You can’t manage the cyber strategy of a company with tens of thousands of employees in the same way as a company with 5,000 people, or even a company with a few hundred employees. However, we share the same target: to protect the company against cyber attacks and threats.
By talking to other CISOs, we realized that we were encountering common operational problems, and it’s precisely these issues, initiatives and, above all, the solutions we’d come up with that we’re looking to share within the SecAtScale association. It’s become a great source of reflection and sharing.