5 weeks ago
Looking to Reduce Cyber Risks? Check Your Supply Chain & Third-Party Vendors

Category
Technology
Transcript
00:01Hello everyone, thank you for being here with me and for being here at Viva Tech.
00:05I have the impression that I'm the first speaker of the year,
00:07so I'm going to give you a bit of form.
00:10So, I'm going to give you a bit of a talk,
00:12and I'm going to give you a few jokes that work with you.
00:15I'm making a few jokes, apparently.
00:19It feels good to be here,
00:20because I was born a few kilometres from here,
00:23so it's right away for me.
00:26And I'm going to talk to you about my favourite,
00:28it's a very important topic,
00:29cyber security,
00:30cyber security in the supply chain.
00:33So, in case you wonder where this is,
00:34the black stage,
00:35that's because cyber is the new black.
00:37So, hopefully,
00:39you get that one sentence at some point.
00:41I'm Stéphane Lenco,
00:42I'm the Chief Information Security Officer of Thales.
00:45Previously,
00:45I did the same role at Airbus for a number of years.
00:49I worked at NASA as an engineer,
00:51that is my basic training.
00:53You can probably tell from the aircraft that I've got
00:56utterly passionate about our space.
00:58And my goal today is to tell you my journey
01:00about trying to secure the supply chain,
01:02how not to overdo it,
01:04how to stumble,
01:05how to get up,
01:06how to stumble again,
01:08et cetera, et cetera.
01:09And this resonates a lot with the start-ups
01:11that you're going to see.
01:13Why is cyber security of the supply chain important?
01:17Well, first of all,
01:18if you look at
01:19whether the World Economic Forum,
01:21ENISA,
01:22it comes quite on top of the concerns
01:24you should be having.
01:26ENISA and the threat 2030 horizon
01:29is quoting number one,
01:31the cyber security of the supply chain in software.
01:34So, yes,
01:35that does resonate with events like SolarWinds
01:37as an incident with a malicious intent.
01:40You probably remember the CrowdStrike incident,
01:42which was an incident
01:43and not a cyber security incident.
01:45But definitely the impact on software supply chain is huge.
01:48We can already see what this gives
01:51on a few random samples.
01:54When you look in the bottom right corner of that slide,
01:59how do you secure this?
02:00You basically end up with a couple of solutions.
02:03You're trying to make due diligence,
02:05you're trying to make compliance efforts, et cetera.
02:08But what's scary for me,
02:09in the census that ENISA did for the NIS2,
02:13the network and information security directive number two
02:16for the supply chain cybersecurity,
02:18because it is one of the mandatory items we need to do,
02:22 41% said they require some kind of certification
02:25from their suppliers.
02:26So, a way to ensure cybersecurity would be by companies
02:31to do certification.
02:32Second item is to use security rating services
02:35to know whether that company is good or not.
02:38 37% typically do due diligence,
02:42make some kind of security assessment,
02:43and there's somewhere around 10% that do nothing.
02:46So, it's a bit widespread.
02:49There doesn't seem to be a secret sauce of any kind,
02:52and yet it is mandatory and it is a scary horizon.
02:56Another reason why I do put a lot of ENISA
02:58is because I happen to be an advisory group member too,
03:01ENISA, so you'll forgive the bias.
03:05So, looking at this the way that I am,
03:07as an engineer, how do I want to engage with that topic?
03:14For me, managing the supply chain is trying to build bridges
03:19in a digital era.
03:20Why am I taking that bridge image?
03:23It's because you are crossing over to another party.
03:27Another party that can be a supplier, a customer, a school,
03:32another partner in a collaborative environment for our products.
03:35And your goal is to get data materials,
03:38go back and forth across that bridge.
03:42In short, as a CISO, I am a bridge builder.
03:45So, I can build small bridges or big bridges,
03:48depending on how big the thing I need to build is.
03:51But that's how I started thinking around how do I need to connect.
03:57That being said, unfortunately, I'm an engineer.
04:02So, I have to think in terms of building a nice thing
04:06is not just the only thing you want to do.
04:08You need to build something that's actually useful.
04:10It needs to be adapted because a very nice bridge in the middle of nowhere
04:13doesn't really serve a purpose, to be honest.
04:18Okay.
04:19Middle of nowhere, one thing.
04:22When you look at the partner, and to give a reference,
04:26we've got something around 25,000 suppliers for Thales as a group.
04:31There is a wide variety of suppliers.
04:35So, how do you measure size the bridge?
04:40How wide do you want it?
04:42How big is the information that you want to do?
04:44Are you getting trucks on this?
04:45Are you getting cars?
04:46Are you getting bicycles, pedestrians, etc?
04:51What's on the other side of the bridge is something that is outside your span of control.
04:55The stuff that I do for my own company, I master.
04:58I can go to literally anyone, ask the question, change the policy, change the tooling,
05:03and I will make it work.
05:05But I'm on the other side with my partners.
05:08I don't know what they're doing.
05:10I really can't influence as much as I'd want.
05:16So, the question is, how do I get a good picture of what's on the other side?
05:21I don't have the drones that actually fly over like you've seen probably on TikTok and others
05:27from pictures of North Korean cities on the other side of China, right?
05:31I just can't do that.
05:32That would be quite intrusive.
05:36And a last concern that you will see is quite dominant in all the logic that I've tried to pursue
05:42is how to avoid overburdening the other party.
05:47Because, yeah, let's face it, I'm big.
05:49I don't know if I'm physically big, but as a company, I'm big.
05:52I have a large number of SMEs in the partners that I've got.
05:56So, as a big company, I probably have more means.
05:58I have a CISO that makes funny or not so funny jokes.
06:01I've got somebody that buys tools, performs a number of things.
06:05When you're an SME, sometimes the person that does the CISO job is the CEO.
06:10And hopefully, I'm not their only customer.
06:13So, you probably have another big company that plays different jokes,
06:18but has the same constraints, but plays it differently.
06:21So, that ends up being quite unmanageable when you're a small company on the other side.
06:28So, engineering, analytics, you will start by doing it by the book.
06:33The easy answer, you write a lot of paper and you will make it nice to progress.
06:40So, let's build a security annex.
06:44You can pick the size of the book you want to build to make sure that your closet is balanced.
06:52Make sure that it is legally reviewed over and over.
06:55That it fulfills each and every mean, method, objective that you have with literally anyone that you've got.
07:01And you've got a monster of a dictionary.
07:03And this is part of your security annex to any contract.
07:07Therefore, everybody must comply.
07:09But trust but verify, you will send audits to verify that whatever you've said in the annex will be working,
07:15right?
07:16So, on paper, absolutely wonderful.
07:20You've done your end-to-end review of everything you need to do.
07:23You've phrased it nicely. Everybody cross-reviewed it.
07:26And you can check that it is effectively operating on the other side.
07:32And that's the first shock.
07:34That doesn't work.
07:37Massive failure.
07:39Why does it not work?
07:41It doesn't work because it doesn't scale.
07:45As I said, if you end up being short because you want to be understandable.
07:49And a few years ago, if you remember your clauses on online services,
07:54there was an effort to try and make it understandable and not being legal mumbo-jumbo.
07:58It was simplified, but it becomes very generic and blurry and you don't exactly know.
08:03So, you've got a tendency to either reduce to the maximum and not really understand what's inside,
08:07or make it so descriptive that it is too long that you wonder whether the party has read it.
08:11So, for an SME, short is beautiful because you don't necessarily have that.
08:15But for big companies, you end up with certification, cross-checking,
08:18whether that particular clause is part of your security policy or isn't, etc.
08:22So, the one-size-fits-all of the big book of everything you can hate about cybersecurity in a contract
08:31doesn't really work for SMEs and it doesn't really work for big actors.
08:36If I stretch this into a number of online services,
08:39you traditionally deal with a large number of customers.
08:42The effort to try and pick up the security annex for a contract by your customer,
08:48pushed by your customer versus having a nice standardized item that you push toward your customers is just huge.
08:55So, if you go to an AWS, Microsoft or Google, no matter how big I am,
08:59and I say, I want this in my security annex, they'll say, yeah, well, you're just one of them.
09:04So, this is what I do.
09:05And you end up spending an awful lot of time for the small companies to explain that what you put
09:12in writing in there is not that difficult.
09:14You just had to make very long sentences to explain it, and at the other end to try and mix
09:20and match with large corporations
09:22to ensure that what you said, which is generally common sense,
09:26and that it generally matches up with whatever referential they've got.
09:29So, you spend a lot of time on the small part, a lot of time on the big part.
09:35Ultimately, this is too time-consuming.
09:37You cannot afford this for that large a number of suppliers.
09:41And you know, time equals money, so you obviously don't have enough budget,
09:45in particular if you want to audit everything that's behind.
09:50So, you can stay down and say this is a failure, or you can try and pick yourself up and
09:56get it moving.
09:58So, obviously, I didn't stop there.
10:01I was about to do this, and while you were standing up, reality catches up.
10:08You know your stuff doesn't work, and you get your Digital Transformation Officer,
10:12that comes in and says, well, you know, I've got this big competition with a number of start-ups,
10:16so you've got 15 days to actually evaluate the security of about 150 small companies that we want to do
10:22business with.
10:26Well, so my solution doesn't work, I've got two weeks to find a new solution that gets everything running for
10:33150 suppliers.
10:35Not exactly what you predicted.
10:40If there's one thing that I know as a CISO, that you need to be prepared for the unpredictable,
10:46and you need to rely on everything you've got, your team, your tooling, in order to design the right solution.
10:52So, how did we move forward?
10:55First of all, as I said, understanding that one size didn't fit all, there's no way this is going to
11:00work.
11:01So, picking up from where we left, that wonderful monster of an annex, of questions that we ask suppliers, etc.,
11:08obviously can't work for all sizes.
11:10So, we ended up picking what was really important, not so important, and really nice to have,
11:16and sort them out, and decide consciously, because we are risk-driven, that means that we accept stuff that is
11:22not done,
11:23to actually make our questionnaire lighter for small companies, e.g. the 150 that we need to sort out,
11:31a bit bigger with what we really want for middle-of-the-ground companies, and very exhaustive and comprehensive for
11:39anything that's large.
11:41So, how did we do?
11:43Well, not so bad, actually.
11:45We managed to take that challenge, get the companies that we evaluated as cybersecurity to be adequate, and the security
11:53plan.
11:53So, there's something there.
11:57And because it was in a rush, you probably need to move at the next port of call about what
12:04you want to do.
12:04You cannot stick with, I'm happy, I did 150 suppliers, let's go and have a drink.
12:13So, wondering what were the key points that we could leverage in order to accelerate?
12:19What is possibly the things in what we did that we could get faster, quicker, more robust?
12:31If I was today, and I am today, I would say, well, how about trying AI?
12:35But that comes later.
12:38First item.
12:40As a defender, again, CISOs are also defenders of the castle of the companies.
12:45As a defender, I do believe in the strength of unison, comradery, getting together.
12:52I'm just an ant, but I'm incredibly powerful when I'm with other ants.
12:57So, sharing what we did with peers, humbly, and saying, well, actually, we had this challenge.
13:02This is how we ended up, and this is what we did, usually picks up some interest with a number
13:06of other parties.
13:07That gets traction, that gets the network of people that think like you, that will add, collaborate, that will share
13:13the experiences, etc.
13:15The second thing is, obviously, we did this as a crash program, so the next thing you want is industrialize
13:20it.
13:20You want to automate it, industrialize it, make it something that rolls, and not something that you did in an
13:25emergency,
13:25because that was just the deadline.
13:28And we're not in video games, we don't do crunches.
13:32Then, there's the idea that I mentioned, that is part of the census.
13:35Then, how about market ratings, right?
13:37Market ratings is nice.
13:39It's got a grade, a color, a shape, it's like school.
13:42You know, you don't know whether you want a grade, or a color, or a letter,
13:45but basically, it gives you a sense of what the company is about.
13:48How does it work?
13:49A number of those market rating companies have their secret sauce that they will not necessarily disclose completely, obviously,
13:58but they rely on some kind of scan of the internet for whatever is exposed,
14:02a scan of the background of what they did, a mishmash with probably a bit of questions when they can,
14:08a bit of code logic, and you get some magic outcome.
14:12So, on those three items that we tried, the first two actually work.
14:21We've been able to measure, get traction from a number of parties that said,
14:24well, actually, I'll pick up your questionnaire, we'll start using it, and I've got some amendments, etc.
14:28More on this later.
14:30Industrializing also works.
14:31You can put a lot of automation, and at the time when we did that, automation was just automation.
14:37Market ratings, let me do just a feedback on what we did to experiment, and why I'm a bit questioning
14:43the outcome.
14:46We threw a sample of our supply base into market ratings for a few companies,
14:54in order to see whether the grades would be commensurate with what we evaluated on the side,
15:00and understand whether it could accelerate the evaluation process, because that would be simple and easy.
15:05And, yeah, it's not just the picture. There was an utter misalignment.
15:12The issue was that on the sample that we sent, and statistically it was significant in terms of volume,
15:19 87% of that basis came back as having a low rating.
15:25Can I afford to get 87% of my potential suppliers out because they don't have decent enough cybersecurity based
15:34on the grades that this market rating company or companies are telling me?
15:38No.
15:40This is completely unmanageable.
15:43Because the one thing I can do is actually pick on the remaining percentage and say,
15:47those are the good ones, I will pick them up.
15:49But do they match what I want to do?
15:51I mean, the suppliers that I've got, the variety of suppliers that I've got is because they're the best at
15:55what they do,
15:56they answer my requirements, they're mature on some items, they're cheaper, they're faster, there are plenty of criteria.
16:02Cybersecurity is just one of them.
16:04So if I end up saying, well, it's got a bad grade but I don't care, that's not necessarily where
16:08I want to go.
16:09Plus the volume that we tried to demonstrate that this is at scale.
16:12So what I would normally do with a couple of suppliers is I would go to them and discuss a
16:16security assurance plan,
16:17how to get you into where I want you.
16:20But I cannot do that for that large a volume.
16:25So this is the proverbial valley of despair.
16:27So I hope you'll enjoy the fact that we're trying to cross or build a bridge across the valley of
16:33despair.
16:35But again, time to pick myself up and get a solution to this issue.
16:41The problem with that rating is that it was not fit for the purpose of the environment.
16:49It is a bland grade on the basis of a common denominator,
16:55whether it's the lowest or the highest, I'll let you decide mathematical terms.
17:00But obviously, if you want to build a bridge to get an aircraft across a road,
17:05you won't build the same bridge as a footbridge across a small patch of water.
17:11So obviously, I will need to customize my questions depending on what the supplier is doing for me,
17:19what's their area of business, etc., etc.
17:21So there is a kind of balance between the purpose that they've got, the way they are, and the need
17:30for standardization.
17:31Because you cannot do custom-made questions for everything.
17:34So where do I go from there?
17:39Ending up with my core questionnaire is actually getting into a tailored questionnaire.
17:45That means that for cloud natives, for instance, there is absolutely zero purpose for me to try and ask them,
17:50oh, by the way, are you securing your data centers?
17:53Are you taking care about making sure that whatever comes in comes out is filtered or whatever?
17:57It is absolutely nonsense.
17:59So I'll remove those questions.
18:01It's absolutely unimportant for them.
18:03When I do IoT, when I do OT, those can be typically either very cutting edge, very embedded, very Raspberry
18:09Pi-esque,
18:11something that you cannot basically super secure.
18:13You'll more look at the envelope.
18:15If I look at OT, you have a number of things that can be pretty outdated.
18:19And again, the aerospace has been there for quite some time.
18:24To give you an order of magnitude, a plane flies for tens of years.
18:27It makes roughly seven years to design a plane.
18:29So you can see that whatever is contributing to this is generally something that has seen a bit of the
18:36years like me, right?
18:37So you will ask security questions that are significantly different than the ones that you would ask for software development,
18:45for instance.
18:46For software development, you're probably more concerned about, are you using SDLC?
18:50What are the security controls that you're doing?
18:51Are your developers actually signing their code for making sure that it's the right developers,
18:57so that the build pipeline is taking code that you can trust to build something that you can trust in
19:03the end?
19:04And this tackles the problem of the software supply chain.
19:08If the right developer placed the right code into the right pipeline and you did all the checks, then in
19:12the end you're safe.
19:13Hence the purpose of that.
19:15So we've been able to extend that and tailor it depending on the type of supplier we've got.
19:22Now I mentioned that not everyone is the same.
19:26So what we did is we, today what we do is we calculate a risk exposure.
19:32How do we interact with them?
19:34What's the amount of data that we're exchanging?
19:36What are we providing? Etc.
19:38That gets us into our normal evaluation process as a normal part of the process.
19:42So we're trying not to add to existing process, not to create further delay, but rather capitalize on existing processes.
19:50That leads us to decide whether what we want to share is a questionnaire that's fairly light, around about 50
19:56questions.
19:57It's still a lot, but that is trimmable.
20:01A full questionnaire, which is around about 200 questions.
20:04Or whether we actually want the questions, the evidence and do an on-site audit.
20:08And in any case, at the end, we can evaluate whether there are competitors that are better because cybersecurity is
20:13very important for the call for tender that we're doing or for the ongoing business we've got.
20:17Or whether that's a supplier we actually need.
20:20And I'll go and help them pick up a security assurance plan and follow this up.
20:24So that's the end-to-end process that we're running with a square box in the middle that is basically
20:29built upon the years of experience that I mentioned, which is probably 10 to 12 years.
20:36So this materializes into what are our crossing criteria for the questions that we're having.
20:40What's the business criticality?
20:42What are the impacts on the information system?
20:45What's the history of the partner?
20:46Has it been a long-term partnership, short-term partnership?
20:49Because we probably have already a security assurance plan.
20:51We probably have built a lot of trust.
20:54How big is the company?
20:55Do you have workforce that does cyber specifically?
20:57How much of an effort can you afford to spend?
21:00Which is the type of service or product that you're doing?
21:03As I said, if you're doing software, it's a very different business and concern than if you're doing method sheets
21:08that will end up in manufacturing radar, for instance.
21:12And then ultimately, how it's delivered.
21:14How do we work together?
21:16There's a lot of business that we do where we actually collaborate to the point of being on the same
21:20plateau or virtual plateau.
21:22So we interact quite a lot.
21:23And there are other parts where people build a black box or software component and deliver it for us and
21:28we just integrate it.
21:30So a very nice colored matrix that ends up in saying, am I small, medium, big, audit, etc., etc.
21:39So I'm happy as a person.
21:42But remember my slide about how do you expand?
21:45You cannot satisfy yourself with a bit of success.
21:50We partnered.
21:51So everything I said, we actually worked with the other partners of the defense industry, in particular in France.
21:57So Airbus, Dassault Aviation, Safran, ourselves, a number of big OEMs.
22:02And we created AirCyber as a measurement questionnaire, maturity questionnaire that we run together.
22:09So suppliers can go to that place and their answer to one questionnaire is valid for all those parties.
22:17So you can do once, use many.
22:20And because I believe in the power of getting this to the maximum number of people, that questionnaire is actually
22:26open sourced under Creative Commons license.
22:28I mentioned audit.
22:31Industrializing audit.
22:32Making sure that you've got a ready to run package for auditing, that you know the price, that you know
22:36what's done, how long it takes, etc.
22:38What's part as well of the industrialization and this is what we do for big actors.
22:45Where I want to go to and what I want to give you as a takeaway is this is the
22:50state we're in.
22:50We're still working on a number of things typically to amplify.
22:54I talked about aeronautics because, again, this is my bread and butter.
22:57But we're expanding to other sectors.
23:01NIS makes it relevant for any critical industry.
23:05Is it perfect? No.
23:07It is not.
23:08Will it fail? Probably.
23:11But the goal is not to be perfect.
23:13The goal is to raise the bar so that you're only concerned about the stuff that matters.
23:18It is risk driven.
23:21So again, if you're looking for something that says, yeah, nothing will happen ever.
23:27That's wrong.
23:28I do have problems with suppliers on a regular basis with the cybersecurity cause.
23:32But the evaluation allows us to say, well, actually, if the incident happens there, is it important?
23:38Is it not important?
23:38That helps me to decide whether I need involvement, whether I need to help.
23:43I tend to always help, but I can prioritize.
23:48Like a startup.
23:50Try.
23:50If it doesn't work, try again.
23:52And even if it works, try again to challenge yourself because you don't have that.
23:57Remain humble, obviously.
23:59What I've described is my journey.
24:02I'm very satisfied to see that we've picked ourselves up a number of times.
24:06As you could hear, sometimes it was quite disappointing.
24:12But the mantra for Thales is to say, building a future we can all trust.
24:16I think that the important point is, it needs to benefit the greater society.
24:22Digital is everywhere.
24:24The more we live, the more we need to rely on digital.
24:27What you want is to avoid the pressure, the burden.
24:29It needs to be part of the bread and butter.
24:31It needs to be natural.
24:32In order to do that, you need to reduce the amount of burden that is on suppliers.
24:37That you have to think in terms of, where do I want to go?
24:40And that goes through avoiding multiplying the standards.
24:43Because this is killing the supply chain.
24:46For those of you that are geeks, there's a very, very famous XKCD cartoon where one walks to the other
24:51and says,
24:51Well, we've got this particular topic that has like 14 standards.
24:55We should really build one to unify them all.
24:57And the next box is actually, yeah, now we've got 15 standards.
25:01So really, trying to reduce the number of standards, not trying to unify them and create another one that is
25:07all-encompassing,
25:08is really important because that is the best way to actually have a common understanding about where you go.
25:14Be really careful about the use of market ratings.
25:17It is useful.
25:18Don't take me wrong.
25:19That really helps in a number of ways.
25:22But you cannot take the immediate plunge of it's got a good grade or a bad grade and take it
25:27for granted.
25:28The way I use it personally is that it gives me a cue to discuss with the other party and
25:34say,
25:35This is the grade you've got.
25:36Whether good or bad, can you explain?
25:39Because sometimes the expansion is very, very valid.
25:43You can get a bad grade because you've got a lab that you've set up for a customer that was
25:48really in a hurry and you're not doing anything and you happen to be indexed and that gets your grade
25:52down.
25:52Vice versa.
25:53You can get a very good grade because it's only looking at the outside.
25:56It hasn't answered to any inside questions.
25:59And that doesn't necessarily reflect the real solution.
26:01Sometimes getting the human in front of you and discussing with that person will give you a better view about
26:06this and that's probably the thing I want to engage.
26:10When I was smaller, that did happen at some point.
26:14I had people that said, well, you know, you need to make it bite-sized.
26:18People need to go away with what did they retain from whatever you said.
26:22So I'll give you three tidbits to go away with.
26:27The golden gate is great, but that's not what I want you to retain.
26:31First of all, do you have someone that does cybersecurity?
26:34Do you know who that is?
26:36That person will need to have a minimum training.
26:38As I said in SMEs, that can be the CEO, the CFO, the CIO, God knows what.
26:43But knowing who that is, checking whether that person is imbued with the willingness to actually go there, do this,
26:50understand their estate, work on a security assurance plan is super important.
26:56Second question. We live in a world of resilience.
26:59Remember, a few years ago, people were saying it's not a matter of if, it's a matter of when.
27:04Well, now we live in the era of resilience.
27:07It's not a matter of when or if, it's a matter of how long can you pick it up?
27:11How long until you pick it up and resume normal business?
27:13How much can you minimize the impact to your company?
27:16So it's not about having an incident we know it happens.
27:19It's about when you're back into normal business.
27:23Or at least if you're not in normal business, when you resume activities and what you're planning, etc.
27:27And to do that, it's like for emergencies.
27:30You know you want to dial 911 or 119, depending on where you are in the globe.
27:34You want to know who to call.
27:35So the second question to ask to any supplier, if there's only three questions, who do I call in case
27:42of cyber incident?
27:43At your place or a cyber incident that you know happens that you want to call me and my contact
27:47is here.
27:48I've got my computer emergency response team.
27:50Anything goes there.
27:52It's not a matter of calling the security partner that you've got, the procurement agent or whatever.
27:56So if it's a security incident, you dial 911.
28:01And the last question, which is highly effective as a question to ask, if you only want three questions instead
28:07of 50.
28:08Did you ever survive a cyber security incident?
28:12Why?
28:13First of all, because you survived.
28:15There's a general myth that a company that is hit by ransomware, 60% of them will crumble, die, and
28:24the world is going to end.
28:26We know this is not the truth.
28:27You can look by yourself outside.
28:29If 60% of the companies that were hit by ransomware died in the following year, there wouldn't be a
28:34lot of companies because we don't create more than 60% companies on a yearly basis.
28:38So no, this is wrong, this is a misconception, wrong statistics.
28:43You can read the facts.
28:44That is debunked.
28:47However, usually it is an amplifier into existing problems.
28:51But when you manage to survive it, you've identified the weaknesses that you either didn't cover, didn't think about, etc.
28:58You grew stronger.
29:00You know the mantra that says, what doesn't kill me makes me stronger.
29:03That is typically the case for a cyber incident.
29:07So with those three questions, you can get a pretty good idea if you're dealing with a party that has
29:13an idea about cybersecurity, where they want to go, who to call to when there's an emergency, and whether or
29:19not they're really into resilience.
29:22And there's a bit of extra time if you want to actually ask questions.
29:26I can actually do a hand-raised question if you don't mind.
29:32Has any one of you been in a company that survived a cyber incident?
29:36You can raise your hand if you've been there, right?
29:42A little under a quarter of the other people here.
29:44So you know yourself.
29:46You're now super champions.
29:47And now you can actually survive something else.
29:50You've got an experience that is marketable.
29:54I see nods in the room.
29:56So I'm happy to take questions.
29:58We've got five more minutes if you'd like.
30:00Again, I'm not omnipotent.
30:03I'm not omnipotent.
30:04I don't know everything, but I can certainly share my experience.
30:07And it's a pleasure to come here.
30:11Any questions?
30:12I think if you raise your question, there are ladies with the microphones that I see.
30:22Thank you.
30:24Thank you for the presentation.
30:26It was very good.
30:27I'm interested in one point you were talking about is partnering with different companies
30:33in the sector of defense to build this questionnaire.
30:39It seems very good and not easy.
30:42And I'm interested in having your point of view on whether it was easy, like, hey guys, let's
30:49do it.
30:50We are around the table or I have an interest to go with probably competitor and work with
30:56the same thing and how you deal with that.
30:58Thank you for the question.
31:00And I'll try and rephrase and you'll let me know if I got this.
31:02So being in defense, was it easy?
31:05Was it bringing anything?
31:06And how difficult was it versus this?
31:08So first of all, I will say the defense sector is very, very difficult.
31:12There's an entry ticket, making sure that you comply with the extra regulations of defense,
31:17and the added bonus, which for me is the excitement of being in that sector of
31:23business for over 30 years now, is that you get the world's finest or worst, no matter
31:29how you want to put it.
31:30So the risk panel that we're trying to prevent is really the whole spectrum.
31:34You're going from script kiddies that are just trying stuff and have no real malicious intent
31:39over to mafia types, over to just making money, and then to nation states, obviously.
31:44So the difficult part for us was really in that risk acceptance, in that partnership
31:48to try and put the bar at the level where you want it.
31:53And there's a good chunk that I've tried to illustrate that you can cover by doing the 80%.
31:57Just doing hygiene is already quite a lot.
31:59I've seen companies that I won't name where the first discussion was in those 50 questions.
32:04We do ask stuff like, do you have licensed software?
32:06Are you using open source?
32:08Are you maintained?
32:09Are you getting patches?
32:10Do you have an antivirus?
32:12I'm not even talking about EDR or whatever.
32:14And this is already quite a lot.
32:16Most of the incidents that I see in the supply chain, even for defense, are typically ransomware
32:20and opportunistic.
32:22I'm not saying it's all of it, but really doing that chunk would really raise the bar
32:26for society altogether.
32:28So defense has constraints.
32:30They're written.
32:31They are must do.
32:32So it's almost easy.
32:33But again, the entry price for smaller companies is quite hard.
32:36And for us, as Thales, as an aggregator, we try and get to the place where we're trying to get
32:42the partner
32:43not to be exposed completely to this and to say, well, we'll super check this because it's our duty
32:47and that will help you be in the supply chain for defense.
32:52The other thing that's difficult is that a lot of the programs worldwide are done in collaboration.
32:58So the questions that I mentioned, of course, it looks nice on the slides, but the number of iterations that
33:03you need to do
33:04in order to partner and build that end bridge that I had on one slide is really huge.
33:09You get that one person that suffered a particular experience that will want to focus on, I need security of
33:13Active Directory.
33:14It's so very important, blah, blah, blah.
33:15And in a way, it's right.
33:18But as I said, standardizing also means what's really essential.
33:21So do we agree where the comma and the sentence of the question that we're putting, you've seen that there
33:25has been a fine over for protection
32:28because the European Commission is interpreting the comma as an enumeration, et cetera,
32:34versus the member country which of the gamem was impacted, thought that it was breaking the sentence.
33:41So it's down to these levels.
33:43It's utterly difficult to make.
33:44But we're now, as I said, it's been more than 10 years.
33:47I've stopped counting, to be honest.
33:49So we're now into the cycle where we're tweaking, we're expanding, and there's a solid basis of partners that we
33:56can leverage.
33:57And again, my mantra is really, and I say this quite a lot, you could probably overhear it,
34:01is that I'm obsessed with trying to simplify the life of SMEs that work with us.
34:07If they work with us and they get a questionnaire and they tell me there's another company with another questionnaire
34:11with more or less the same purpose, I'm fed up, I always go to the other company and say,
34:15why don't we try and get the same understanding?
34:19Because at the other side it is not manageable.
34:22So it was not easy.
34:24Defense puts regulation and regulation inside the comply or die.
34:28But what we're trying to do is to get the constraints on the comply or die on our side
34:32and get into the format that you've seen somewhere else.
34:37Thank you very much.
34:38I think I'm out of time.
34:39So I do want to thank you and hopefully I've picked you up for the day
34:44and you will get the next panel with a round of applause.
34:47Thank you so much.
34:48Have a great day.