Thursday, 10th of March 2022. Twenty CIOs and CISOs turn up in a stylish restaurant in Liège for the first "live" session of 'Les rencontres de CIONET', a series of three events for French-speaking digital leaders in Belgium and Luxembourg.
This CIO gathering takes place at the restaurant 'La Linière' in the Saint Léonard quarter of Liège. The restaurant's name and its magnificent brick vaults recall its past as a linen weaving mill, in a building purchased by John Cockerill in the first half of the 19th century and converted on the model of early English industrial buildings. CIONET invites the guests to join three speakers - a CIO, a DPO and a CISO - over dinner to brainstorm how an organisation can proactively and structurally prepare for the worst-case scenario of a cyber attack.
The kick-off of the get-together consists of short personal testimonies of three seasoned CIO/CISOs, namely Philippe Cornette, Head of Security & Systems at John Cockerill, Alain De Maght, CISO and DPO of the IRIS hospital group in Brussels and Cedric Cantillon, DPO & Conseiller en Sécurisation et Gestion des Risques at the RTBF.
All three speakers are unanimous on two principles. Firstly, that - given the recent explosive evolution in the frequency and intensity of cyberattacks - the core of a cyber strategy should not only lie in avoiding or repelling a cyberattack, but in a plan that puts the organisation in a position to resume its work after a cyber incident with the least possible disruption. Secondly, ownership of the cyber security strategy must lie with the business: the assessment of the business risks must be the yardstick by which the investment of people and resources in the cyber security plan is decided.
Alain De Maght reported on his 'evangelisation mission' within the hospital. A hospital and its medical management see their core mission in treating patients. And rightly so. However, the crucial role that IT and cyber security play in this is not self-evident. During his awareness-raising sessions at the hospital, Alain liked to use the analogy of a fire plan. Nobody would accept a fire brigade that, called out to a fire, only decides on arrival to invest in appropriate equipment such as a fire ladder or extinguishers. A proactive and structured approach is therefore crucial. To set up such a plan, there are, according to him, enough good reference frameworks, such as the NIST framework and, of course, ISO 27001. These frameworks help an organisation in its cyber security risk management by organising information, enabling risk management decisions, addressing threats and making improvements by learning from previous activities. They also align with existing incident management methodologies and help demonstrate the impact of cyber security investments. For example, investments in planning and exercises support timely response and recovery actions, thus reducing the impact on service delivery.
Cyber security is no longer a mere IT issue. Your cyber security plan should also contain a chapter on 'change management'. The objective of the latter is not only to make the (business) organisation aware of the strategic importance of a sound cyber strategy, but also to ensure that all teams (business and IT) are perfectly aligned and drilled and know exactly what to do to guide the whole organisation through a cyber incident in one piece.
Our second speaker, Philippe Cornette, testified how only a very pragmatic approach could yield concrete results in an industrial environment such as John Cockerill. In cyber security too, work is organised around the three axes of people, technology and processes. The biggest challenge is the people: working on a cultural change to make people realise that industrial processes have also become data-dependent, which makes the entire company sensitive to cyber security.
The third speaker, Cedric Cantillon, also underlined the importance of a business-oriented security approach. Cedric had indeed been forced to revise the cyber strategy at the RTBF, as the existing one was too digitally oriented and reactive in nature. A cyber security strategy must first and foremost be business risk-based. The first task is to map out the essential business services that the organisation must guarantee at all times; for the RTBF, for example, these are the news broadcasts on radio and television. Take this as a starting point and then examine which functions are crucial to making those essential services possible. Your support services - such as finance, HR or logistics - can sometimes come up with surprisingly simple 'manual' solutions that easily absorb or temporarily circumvent the problem (of an energy or IT outage, for example). Your inventory of vital business services, potential risks and impacts, and the possible fall-back scenarios are therefore the backbone of your cyber security strategy.
The event of 10 March was indeed the first in a series of three meetings under the title 'Les Rencontres de CIONET', a French-speaking programme made possible by the support and commitment of our programme partners: Deloitte, Denodo and NEO4J. Our first 'Rencontre' took place in Liège and was devoted to cyber security. On 17 May, CIONET will hold a similar exercise in Namur on the cloud as a driver for innovation. And on 13 October, our French-speaking community is expected near Louvain-la-Neuve for a debate on AI and data governance. If interested, you can already register for these Rencontres right here.