Are managers the weak link when it comes to cyber?
At least, that’s what a study conducted by SoSafe in 2023 reveals: “60% of executives are more likely to click on malicious links, a significantly higher rate compared to other user groups.”
Awareness-raising is one of the pillars of security, but while we often talk about raising employee awareness, decision-makers also deserve the utmost attention!
A dozen experts share essential tips and best practices for securing an Information System. So, what would be THE cyber tip they would give to a CEO or CIO?
“The best way to design a cyber defense system is to think of protection in terms of remediation. In other words, you always have to ask yourself what can be put in place to react to what is detected. In short, you need to be able to identify what can be put in place in relation to the type of threats or risks that are a priority for the organization, and then define your strategy and choose the right tools.”
Guillaume Djourabtchi, CMO of Managed Services - Advens
“My top tip for a decision-maker, whether CEO or CIO, would be to prioritize cybersecurity awareness at all levels of the organization: invest in effective solutions, raise staff awareness of the latest threats, and encourage a security culture where everyone feels responsible for protecting the company’s data. This approach involving both technical and human resources significantly increases the organization’s level of security.”
Sofiane Benou, CRO - Scalair
“We shouldn’t be thinking in terms of solutions or products, but rather in terms of support and service provision, with a stakeholder who truly understands the challenges and context of his customer. Awareness-raising also remains crucial, insofar as the human flaw is the primary vector of attack. Beyond tools and technologies, education is one of the pillars of cybersecurity.”
Jonathan Meraoubi, Cybersecurity Manager - Atheo
“Having good control over your IS helps minimize cyber risks. The EDR enables excellent visibility over the IS, and it also has the ability to block threats in real time. But it’s important to remember that it’s not magic. EDR requires a trained security team around the solution.”
Florian Ledoux, Principal Security Engineer - Advens
“We have to go way beyond raising awareness. Obviously, we must continue to do so, but we’re reaching the limits. We’re seeing this with AI, which is going to make it increasingly difficult to separate the true from the false, and that’s why we need to reprioritize surveillance. It’s essential that organizations train themselves to manage crises. But if we can train ourselves to get out of a building in the event of fire, we also need to equip ourselves with an alarm system that sounds before the building is devastated by fire, at the time of the incident and not of the crisis. In this sense, surveillance is the key to a defense system that is adapted to today’s and tomorrow’s attacks.”
Benjamin Serre, CDO - Orange Cyberdefense
“My main advice is to treat security as a priority, not a side project. Organizations have more to lose if they are attacked than they may need to protect themselves.”
Valentin Paolicelli, Micro SOC Analyst - Orange Cyberdefense
“No matter how much you invest in securing an organization, incidents and crises will occur. Defining a corporate strategy to deal with them is paramount.
Corporate resilience is not in the DNA of employees, although some sectors have a culture that offers certain predispositions.
Incidents and crises are effectively managed by well-trained teams who know the plans, but rarely consult them when such situations arise.
It is therefore unreasonable to think that team expertise alone will be sufficient to deal with all contingencies.
Nor is it reasonable to believe that drafting strategies and plans without training those who are supposed to apply them will be enough to apprehend all dreaded situations.
Resilience and crisis management are two themes that have strong similarities and share the characteristic of needing to be thought through upstream, integrated into teams as they go along, and above all tested.”
Rémy Dutartre, Head of Resilience and Crisis Management Consulting - Thales Cyber Solutions
“My advice: externalize the management of cyber tools! There are some players who deal exclusively with cyber on a daily basis, and have reached a very advanced level of expertise. To effectively protect an Information System, it’s a good idea to draw on this expertise by outsourcing the management of cybersecurity solutions.”
Damien Vignault, CEO - Scalair
“IT decision-makers need to equip themselves with the means to supervise security equipment. Cybersecurity is not just a matter of deployment, but of monitoring the tools put in place.”
Anasse Ghira, SOC Manager - Monaco Cyber Sécurité
“Protecting the IS is essential, but you also need to supervise the outside world and take a holistic approach to security to anticipate risks wherever they may come from.
This holistic prevention approach requires optimal use of the solutions chosen by the organization, as well as the recruitment and training of cyber teams, over and above the tools.”
Florent Grosso, Cybersecurity Manager - Abicom
“You have to vary your defense techniques. No protection is inviolable. No means of detection is infallible. Only an intelligent combination of appropriate security measures can effectively protect against the main cyber risks. This defense in depth combined with good computer hygiene will allow you to sleep (almost) soundly.”
Stéphane Locatelli, Director of IT Security - Hexanet
“Today, the ABCs of security are no longer antivirus, but EDR. If investment in a solution becomes unavoidable, it must be possible to operate it afterwards. If there is the slightest doubt about your ability to manage EDR in-house, you need to rely on a managed service. Today, EDR does the job by escalating alerts, but I still see too many teams that can’t deal with them in time because of a lack of resources or expertise.
It’s the same with pentests, those essential tests that are all too often overlooked for lack of time or resources. Here again, don’t hesitate to call in external professionals!
Finally, to limit risks, employee awareness remains crucial.”
Nicolas Zisswiller, Managing Director and Partner - Aktea
“My cyber advice is first and foremost to go back to basics and take time to master your perimeter, including:
– deploy cyber protection solutions;
– activate multi-factor authentication on all deployed software solutions;
– establish a network diagram;
– identify the software solutions used;
– set up a CMDB;
– implement a patch management solution to guarantee the deployment of security updates.”
Cédric Maurugeon, Head of SOC & CSIRT - Filhet Allard
Need help convincing your board of your cyber strategy?
Here’s a case study to help you combat preconceived ideas about cybersecurity: