This Wednesday, the 26th « AMRAE risk meetings » open in Marseille, the place to be for anyone concerned with risk management, with a very attractive digital program focusing on technologies such as blockchain.
To talk about cyber risks and innovation, I interviewed one of the participants in the meeting, Kevin Heydon, the information security director of cosmetics giant L’Occitane, who was recently awarded the 2017 RSSI Grand Prize.
Phocea Tech: Your job title is special, you are in charge of information security and not computer security.
Kevin Heydon: In France, we speak of RSSI (responsible for the security of information systems) while in the United States we speak of CISO (chief information security officer). For example, if two of our directors discuss a potential acquisition in an airport, it is a question of information security, even if it has nothing to do with digital.
I work along three main lines: of course confidentiality, but also the availability and the integrity of information. Talking about availability, we know that today the number one risk identified by companies is business disruption. What makes a business work is its information; if it is not available, factories can be blocked. This was clearly seen with the WannaCry and Petya attacks, which forced companies to shut down even though they were not the target of these attacks. Even if you are not targeted, you can be the victim of collateral damage.
Phocea Tech: Does Industry 4.0 and the connected factory in the broad sense particularly affect you?
Kevin Heydon: Yes, since you are connecting devices that were not always designed with security in mind. Solutions exist and they often have to supplement the native security of IoT, which is very rarely enough.
Phocea Tech: Another term of the moment, the GDPR. The data protection regulation requires reporting of data leaks, is this a significant change?
Kevin Heydon: To be able to notify, you have to know that there was a leak. The real difference is the mandatory side, even though a large number of companies already informed their users in the event of a leak. The quality of communication will now be paramount. You are talking about compromised personal data: what data exactly? Are they « just » lost? Did anyone else know about it? And above all, what concrete and applicable advice can you give?
Phocea Tech: Which technology should be the most beneficial in the years to come?
Kevin Heydon: My biggest challenge is the lack of competent resources. Even IT companies are struggling to meet our demands. On the one hand, it is crucial that I invest in skills internally, including developing them in people who are interested but come from other sectors. On the other hand, here comes big data: I have to make sure that my staff can devote their time to the most useful tasks, rather than analyzing each event, which they cannot do anyway.
Take a situation where we know that every morning there are about 20,000 file accesses. One day, we see 100,000 accesses in one hour. Should we turn this event into an alert? That’s what big data and machine learning can help us with.
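As an added illustration of the baseline idea in that last answer (example code written for this page, not from the interview or from L’Occitane): a per-hour-of-day baseline built from the median and median absolute deviation of a constructed access history decides whether an hourly count such as 100,000 accesses deserves an alert, instead of a fixed threshold that would miss a night-time spike far below the morning volume.

```python
"""Baseline-driven alerting on hourly file-access volume.

Constructed example: judge an hourly count against what the same hour of
the day normally looks like (median / MAD), not against a fixed number.
The history below is made up; real counts would come from file-server
or endpoint audit logs.
"""
from collections import defaultdict
from statistics import median

ROBUST_SCALE = 1.4826  # scales MAD to be comparable to a standard deviation


def build_baseline(history, min_samples=5):
    """history: iterable of (day_index, hour_of_day, count).
    Returns {hour: (median, mad)} for hours with enough samples."""
    per_hour = defaultdict(list)
    for _day, hour, count in history:
        per_hour[hour].append(count)
    baseline = {}
    for hour, counts in per_hour.items():
        if len(counts) < min_samples:
            continue  # too little data to call anything "normal"
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[hour] = (med, mad)
    return baseline


def score_event(baseline, hour, count, floor_ratio=0.02):
    """Robust z-score of `count` for `hour`, or None without a baseline.
    A flat history gives MAD = 0, so the spread is floored to avoid
    dividing by zero and over-reacting to tiny wobbles."""
    if hour not in baseline:
        return None
    med, mad = baseline[hour]
    spread = max(ROBUST_SCALE * mad, floor_ratio * med, 1.0)
    return (count - med) / spread


def should_alert(baseline, hour, count, z_threshold=5.0, ratio_threshold=3.0):
    """Alert when the count is both statistically unusual for that hour and
    materially above normal; an hour with no baseline is surfaced for review."""
    z = score_event(baseline, hour, count)
    if z is None:
        return True
    return z >= z_threshold and count >= ratio_threshold * baseline[hour][0]


# Constructed history: ten mornings (08:00) around 20,000 accesses and
# ten nights (03:00) around 500, with deterministic jitter.
HISTORY = [(d, 8, 20000 + 300 * ((d * 7) % 5 - 2)) for d in range(10)]
HISTORY += [(d, 3, 500 + 20 * ((d * 3) % 4 - 1)) for d in range(10)]

if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for hour, count in [(8, 21000), (8, 100000), (3, 2500)]:
        print(hour, count, round(score_event(bl, hour, count), 1), should_alert(bl, hour, count))
```

Note that 2,500 accesses at 03:00 is flagged even though it is a fraction of the morning volume, which is the point of a per-hour baseline.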
[French version: « Le premier risque identifié par les entreprises, c’est la business disruption »]