Guillaume Dubuc is CISO at Altitude Infra, France’s 3rd largest fiber optic infrastructure operator. How do you convince your board, raise employee awareness and steer your cyber strategy towards quick wins? Guillaume Dubuc answers our questions.
What were your first actions when you took up your position as CISO?
Guillaume Dubuc: When I joined the company 5 years ago, there was still a lot of work to be done in the area of cyber, whether in terms of the network, machines or software development. So I had to work hard to change long-established habits, and win the trust of both staff and management. The second challenge was to raise awareness of cyber issues. This is essential if employees are to understand the role of CISOs.
How do you put in place an effective cybersecurity policy when there’s so much to do, and so few human resources?
G.D: You have to take it one step at a time.
For me, there are two ways of implementing a cybersecurity policy.
The first is what I call the “academic” method. In other words, we study the information system in depth, mapping workstations, servers, the network, etc., and then we determine how to reduce the risk, or its impact. It’s a classic risk study.
Or, the second option, the one I chose when I joined Altitude Infra, is to first manage the emergency. What we’re trying to do is put ourselves in the attacker’s shoes, find out where he can get in, and close the door on him.
This means using vulnerability scanners and identifying quick wins: what can be fixed quickly and with a high impact on risk reduction? The MITRE ATT&CK matrix is a great tool for this. For example, if the attacker can enter a given server, but we make it impossible to move sideways, he won’t be able to get to the PCs and backups. We unplug a server as much as possible, so the impact of all attacks is automatically reduced.
So that’s the emergency, and then, of course, we can go back to the academic method.
You spoke of the importance of raising awareness of cyber issues to gain the trust of employees. How do you go about this?
G.D: Raising awareness is a long-term process. Regularly, when new people join the company, I give them a training session, in groups of around 10.
What works well is using role-playing. I tell them they’re all hackers, and assign each one a specialty. One specializes in e-mails, another in USB sticks, another in websites… And then we hack into dummy company websites that I’ve created. I’ve also created fake LinkedIn profiles of employees. From the information we find on these fake employees, we use software to crack passwords, and… it always ends up working! I can assure you that when people come out of this training course, they go straight to changing all their passwords. It makes them realize that hacking an account isn’t that complicated, because they can do it themselves with the right tools. And that hackers who are a little more professional can attack any company.
On your LinkedIn profile you describe yourself as “Curious about everything, a specialist in multicasquetting, with a knack for finding loopholes and above all a propagator of healthy paranoia”: is that what being a good CISO is all about?
G.D: As for the “curious about everything and multicasquetting” aspect, my experience means that I have a wide range of technical skills. I know how to manage servers, APIs, websites, intranets… This gives me a global vision of systems, and I can see when I can optimize a process, or automate a task.
For example, I’ve created a bot that sends me alerts from my EDR in the Teams application. I can receive alerts when an unauthorized user manipulates a server, for example. It’s not an attack, but it gives me excellent visibility of IS activity. I also use APIs to monitor the actions of my system administrators. If they install a new server and forget to install an EDR agent, for example, I receive an alert within 5 minutes.
So yes, having these very varied skills does help me in my job as CISO.
And what does “propagator of healthy paranoia” mean? Do you have to be scary when you’re a CISO?
G.D: For me, of course, everything is a risk. My job is to identify it and try to reduce it, or its impact. But the real question is how to explain this risk to decision-makers. So yes, I’m talking about healthy paranoia, because I keep a lot of it to myself, but I’m obliged to pass on a small part of it to those I want to convince, so that they can act with full knowledge of the facts.
How to convince and educate?
G.D: Let me give you an example: when I wanted to move from an EPP to an EDR, I had to convince my COMEX (executive committee).
I explained to them that the antivirus is an encyclopedia, and every time there’s a new file on the computer, the tool looks page by page in this encyclopedia to see if the file corresponds to a known virus, out of a billion pages. So if the virus puts on a fake moustache, it won’t be detected.
They then understand that if the attack is made specifically for the company, it won’t be in the encyclopedia, and we won’t be able to defend ourselves. At that point, the problem is identified and understood, and I’ve installed that famous “healthy paranoia”.
I then explain what EDR is all about, and that it’s not based on files, but on actions. That for each action, the tool will evaluate the probability of a computer intrusion, and raise alerts in the event of danger. Generally speaking, after this educational effort, decision-makers have understood the need, and I offer a solution that quite simply solves the problem.
What are your next steps to maintain and enhance your company’s security?
G.D: Today, cyber tools are relatively mature. As far as I’m concerned, most vulnerabilities come from users. So, as soon as we have the minimum tools necessary for a secure IS, what remains to be done is essentially to raise awareness among employees, and to train system and network administrators, and so on.
This year, I’ve continued my efforts to educate our staff, particularly those responsible for the server side of things. And for next year, the objective is to secure the software code running on our machines. We’re going to systematize security audits on these applications, and also call in a training center to teach DevOps staff how to secure their code. That’s one of the next big cyber issues that awaits me…
Want to know how HarfangLab protects Altitude Infra from cyber attacks?