Cybersecurity and Decision Makers
Data Security and Digital Trust
Marie de Fréminville
First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd
27-37 St George’s Road
London SW19 4EU
UK
www.iste.co.uk
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030
USA
www.wiley.com
© ISTE Ltd 2020
The rights of Marie de Fréminville to be identified as the author of this work have been asserted by her in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2019956830
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN 978-1-78630-519-0
Directors and executives are now at the heart of cybersecurity issues. This is my conviction; this is my experience gained by launching one of the first cybersecurity companies in 2005 and by meeting many executives. This is my conviction as the director of a defense company that is particularly exposed to these risks, as well as active in the development of new protection strategies.
Let us make this expertise a driving force for differentiating our companies and France as a safe place to do business. This is where this book written by Marie de Fréminville takes on its full importance.
It brings together five years of work and exchanges between experts and leaders, between the State and industrial actors who forge our conviction that the issue of cybersecurity can no longer remain confined to the circles of geeks, but that it has become a real issue of economic resilience.
The issue is obviously much broader, and corporate governance must address it in all its dimensions: economic resilience, vulnerability of extended business strategies, customer protection, human issues, infrastructure development, insurance policy, crisis management, etc.
The general management and its board of directors must not only be aware of this, but must also each act according to its own responsibility, in order to set up the necessary organizations, risk governance, as well as the company’s protection systems. It is this “call to consciences” that must resonate with the reader, who must then find appropriate solutions: this book will provide you with possible solutions and will enlighten you on the risks to be taken into account to inform your decisions.
As they say in the shift changeover: now it’s up to you to take care of it…
Hervé GUILLOU
President and Chief Executive Officer
Naval Group
The organization of round tables with HEC Gouvernance and workshops with the Swiss Women Directors’ Circle (Cercle Suisse des Administratrices) was the starting point of this book for decision makers: managers and directors of companies, public organizations, foundations or associations.
The protection of the company’s strategic data and information systems is the responsibility of the directors and executives, as well as the company’s decision makers, within the operational and functional departments, inside and outside the company.
The comments of the various speakers at these round tables have been included in this book.
In October 2016, “Understanding and preventing cyber-risks: a priority”:
– Hervé Guillou, President and Chief Executive Officer of Naval Group;
– Alain Juillet, Director of Intelligence at the DGSE, Senior Manager for Economic Intelligence at the SGDSN and President of the CDSE (Club des directeurs de sécurité et de sûreté des entreprises);
– Guillaume Poupard, Director General of ANSSI (Agence nationale de la sécurité des systèmes d’information);
– Alain Bouillé, President of CESIN (Club des experts de la sécurité de l’information et du numérique);
– Alexandre Montay, Secretary General of METI (Mouvement des entreprises de taille intermédiaire).
In June 2017, “Cyber-risk: a subject to govern”:
– Yves Bigot, General Manager of TV5 Monde;
– Brigitte Bouquot, President of AMRAE (Association pour le management des risques et des assurances de l’entreprise);
– Frédérick Douzet, Professor of Universities at the IFG (French Institute of Geopolitics) of the University of Paris 8 and Castex Chair in Cyberstrategy;
– Solange Ghernaouti, Professor of Information Security at UNIL (université de Lausanne) and Director of the Swiss Cyber Security Advisory and Research Group;
– Philippe Gaillard, Director of Technical and Cyber-risks at Axa France;
– Alain Robic, Partner Enterprise Risks and Services at Deloitte – Information Systems Security.
In December 2018, “Cybercrime and personal data protection: what good practices for the board of directors and managers?”:
– Isabelle Falque-Pierrotin, President of the CNIL (Commission nationale de l’informatique et des libertés) since 2011, elected in 2017 in Hong Kong, President of the World Conference of Data Protection and Privacy Commissioners;
– Philippe Castagnac, President of the Management Board of Mazars, an international, integrated and independent organization specializing in audit, advice and accounting, tax and legal services;
– Annick Rimlinger, Executive Director of the CDSE (Club des directeurs de sécurité et sûreté des entreprises), founding member of Cercle K2 and member of the board of directors of Hack Academy;
– Éliane Rouyer, independent director, President of the Audit Committee and member of the Compensation Committee of Legrand, independent director of Vigéo Eiris.
I would like to thank all these speakers for their contributions and support, as well as Marc Triboulet (my teammate from HEC Gouvernance, with whom this round table cycle was initiated).
The training I developed within the Airbus group for directors and managers of subsidiaries, the work carried out for these conferences, as well as the exchanges during these round tables, have been supplemented by research work carried out over the past five years, participation in working groups (Switzerland’s cybersecurity strategy, for example), support for several start-ups in the field of cybersecurity, the implementation of training, speeches given at the university of HEC Paris and Swiss management universities and at companies or service providers, the implementation of risk mapping, the definition and deployment of measures to improve compliance with the GDPR (General Data Protection Regulation), not to mention the implementation of cyber programs through companies, associations, foundations and public bodies.