Is there internal reluctance for executives to tackle digital subjects and to carry on with it within their company?
As seen from the side of the business manager, IT, digitalizing means always more costs of protection and budget, but let us recognize that the counterpart of digitization means more turnover, more information available, and more productivity. They are, therefore, gains to support these costs.
Digital means it should be complex and the natural tendency is to leave it to specialists: the IT or outsourcing department, SDI – CISO. However, these are players who are rarely integrated into the heart of the company’s decision boards and councils (Codir, Comex council administration).
If we see it from the side of the IT department, the main part of the job consists of dealing with emergencies, being focused on productivity service, solving bugs and unavailability.
With very tight staff, these priorities are done to the detriment of more structuring and yet essential tasks, such as updating IS, training users, raising awareness of risks, and typical tasks that enable avoiding cyberattacks or fixing them with as little damage as possible.
As seen under the prism of governance, digital technology, for twenty years, permitted a corporate culture focused on the search for transversality and the fluidity/availability of information, to the detriment of a culture of secrecy.
Moreover, employees are less aware of the risks and the value of information that they hold.
The classification of documents (industrial secret, confidential company, etc.) seems to have disappeared from many companies.
What are the Solutions?
We have measured, during exchanges with leaders that digital subjects from the angle of risk and vulnerability, remain a subject with which business leaders and boards of directors are not comfortable with. Many administrators call for the creation of digital committees so that these subjects are addressed with more pedagogy so that all decision-makers measure the issues better.
The challenges are twofold: to draw up an inventory of the company and its subsidiaries (in the short term), and why not of its main suppliers, and to focus on people by training employees to deal with the culture of the company (a long-term goal).
A 360° Inventory Including An Internal R’u Safe Scoring On Bank Communication Applications
Companies face some awareness issues when it comes to measuring the vulnerability of their company toward external attacks but also toward the risks of internal fraud; and the latter mainly concerns the treasury departments and executives who, detecting a vulnerability, decide to take advantage of it without necessarily having premeditated their act which is not in accordance with the law.
Companies that have suffered ransomware attacks and have difficulty recovering their data and their level of activity are generally ill-prepared companies that buried their heads in the sand or were in denial with the pretense that: “It happens to others!”. For medium-sized companies with a CIO or CISO, the latter is considered an external diagnosis, as an intrusion likely to demonstrate rather than support its recommendations, and budgets commensurate with the challenges with its general management.
It is on the strength of this analysis that we, at R’U SAFE, have developed diagnostics with assessment tools, giving a clear picture of the risk, clearly understandable to general management.
For this awareness to take place, we have combined five areas of expertise within the “PACK R’U SAFE” diagnosis to paint a faithful picture of the state of maturity of the structures. We assess both the quality of the shell but also the corporate culture, the quality of human factors being identifiable by an analysis of the application of the GDPR within the company.
This combination and the links we establish between expertise and the application of ISO 27001 methodologies are unique. 7 days to put it all on the table!
Our “FOCUS R’U SAFE” diagnosis focuses on the two most neglected areas of expertise in the company, even though they concentrate on the greatest vulnerabilities in cash management security scoring and the measurement of maturity and the impact of cybersecurity.
The challenges we identify are to rebalance the circulation of information in companies while maintaining a spirit of sharing. There is too much circulation of sensitive information “unknown” in the company. Just consider this: how many unopened and unclassified files do we have in our mailbox; these are sometimes emails we are in copy, as a report or “just in case, information that we hold “without knowing it” but we are responsible for.
The return to a more selective or confidential culture requires time and a training effort for all employees. It is all about creating a virtuous circle to place the data in a better-controlled environment.It is important to be well trained, and we identify three poles of teaching.
Called data security, the first one concerns cybersecurity issues (iso 27001 and cash management). Some courses are for everyone in order to better share a common language with digital specialists, the others are more dedicated to the IS department and lead to a certification.
The second pole of teaching deals with the respect for employees and customers, leading to the voluntary restriction of personal data: called data compliance. The course is all about principles linked to the European GDPR (General Data Protection Rules).
The third one, and most innovative, concerns data governance, or data management. We envision it for decision-makers and strategists.
More aware, members of committees and boards of directors will better identify the strategic nature of the budgets requested by IS.
The fight against cyber threat has resulted in many companies accumulating protection systems, technical solutions, yet it does not allow the invulnerability of the citadel. Any company is likely to be attacked, it is the resilience and education of employees that must now be given priority.
Considering that security is mainly the business of specialists, i.e. the IS department, is to take the risk of demobilizing or, worse, of not feeling individually concerned by this. In this matter the D&IM will provide new insights to the governance.
The New Function of Companies Entering the Digital Economy Profile – Document and Information Manager (D&IM)
With regard to entrepreneurial responsibilities, the CEO must be omnipresent and omniscient. The impossibility of such an exercise has forced them, since the creation of the first public limited companies around 1865 depending on the country, to delegate their powers according to internal professions that they all had to assume together. Having become overwhelming, these strategic, technical, and coordinating functions of the CEO forced them to delegate what was becoming too complex for one man to assume. Thus, born were COOs, CFOs, CCOs, CTOs, CMOs, etc.
On the threshold of the 2000s, never had upheaval been as sudden and abundant as that of multimedia. In a kind of panic related to new emerging issues, organization, and infinitely advanced technologies, companies have organized themselves by expanding or subdividing existing functions. This “off the cuff” movement does not respond to the problem of Documents and Information (D&I), which requires a height of view, a vision in perspective, and an authority that the 16 main information functions counted in different organizations do not satisfy. And the CEO remains responsible without being able to act with the aplomb or the accuracy necessary to preserve – inescapably and confidentiality, the need to know, the quality of information; and recently, disinformation whose inflation is galloping.
The Substance Justifies the Form
Essentially, it is only by precisely understanding the role and position of D&IM that we appreciate its dimension, which is absent from related professions. On the form side, what does the D&IM function add to the existing one to be more successful?
There are three possibilities:
- The consideration and implementation of the D&IM function by the CEO
- The addition of the function within the CODIR,
- Outsourcing to a consulting partner
What exactly is the D&IM and its function?
- The D&IM function aims to identify, enhance, and control documentary processes in the organization.
- The D&IM is an actor in the governance of the company and a leader at the service of the operational departments in their internal and external activities.
- The D&IM is a change management professional.
- The D&IM is working on the urbanization of the D&I system. It formalizes the organization’s documentary policy by verbalizing the cognitive loads, processes, and life cycles of the D&I to guarantee the company with regard to its environment.
- The D&IM works in conjunction with the company’s support functions: DOI, DSI, DAF, RM, RSSI, HRD, etc.
General Principles – The Function of D&IM
The D&IM performs a transversal function of the organization. Today, it imposes itself on the company by:
- The competitive advantage provided by the control of Documents and Information (D&I)
- The growing volume and complexity of information, digital, and paper media to be mastered within the organization
- The criticality of the documents in the organization’s environment (technical, legal, regulatory, capital value, disinformation, etc.)
- The control of costs and risks (creation, production, software and hardware tools, flows, reuse, use and authorization, restitution, destruction, etc.)
- The technical and economic obligation to control the life cycles of documents
- The complexity of today’s organizations (VUCA) regardless of their size
The D&IM does not necessarily have a direct hierarchical position, vis-à-vis the various actors of the organization, but always a role of governance. They exercise local and international leadership on all D&I matters. The hierarchical position of the D&IM in the organizational chart of the organization is a direct or functional attachment to the general management which entrusts it with its mission. They are aware of and can participate in the definition of the company’s overall strategy.
They are the guarantors of the application of a D&I policy in line with the strategy of the organization.
The function of the D&IM is recognized as essential for the governance of the organization by the general management and by the operational departments.
Since the D&IM is the link between the actors involved who are responsible for the operational implementation of the D&I strategy and the actors concerned who are the users of the information assets:
- The D&IM belongs to the general management. As members of the Management Committee, they are directly involved in the company’s strategy. They are committed to the result.
- The D&IM intervenes at the level of the operational departments. They participate in the project launch committee and in the steering committee. However, they are not responsible for the operational implementation, nor for the management of the operational teams, or for the budgets of the departments involved.
The missions of the D&IM are thus to guarantee the correct identification of documentary sources, their uses, the risks, constraints, and challenges; to define the D&I strategy in line with the company’s overall strategy.
The D&IM declines the D&I strategy for the entire “D&I Network”, the organization, and for each operational department. He steers the implementation of the D&I strategy and reports to General Management and the “D&I Network”. Therefore:
- The D&IM issues a detailed opinion on the technical and legal tools of the “D&I Network”
- The D&IM qualifies and guarantees control of the D&I relationship with the organization’s third parties
- monitors the implementation and compliance with the guidelines
- proposes areas for improvement and be a vector of documentary innovation
At the level of the operational departments:
The D&I strategy is broken down into an action program for each operational department (tactics for the implementation of the D&I strategy) materialized by measurable objectives in the short and medium terms, achieved in collaboration with operational departments and third parties. Dashboards are set up, including performance indicators (KPIs) and monitoring of the achievement of objectives/performance).
This strategy is updated according to the indicators (human, time, financial, etc.). It oversees the D&I coordination of the departments with their operational departments (equivalent to a D&I steering committee). It exercises monitoring and control of D&I action programs (guarantor of compliance with the strategy), such as participation in steering committees, monitoring of dashboards, etc. It monitors compliance with common D&I standards.
- The D&IM animates the D&I network. It is a role of federating actors: communication, promotion, and education of the function, with the establishment of a D&I community of practice and rights of use to be reserved for them. The D&IM proposes and holds, if necessary, training courses, seminars, webinars, etc.
- Resources and outsourcing
- The D&IM must have the resources in relation to the objectives retained in its missions for the organization. These resources are external, internal, and financial. They include the animation of a network and an ad hoc staff.
- Like all the major departments sitting on the CODIR, the D&IM presents an operating budget (operation, R&D, etc.), and an investment budget correlated with the other departments.
- The D&IM function may be entrusted to a third party, but in order to be operational and able to exercise its right of veto, to any of the departments sitting on the CODIR, other than the CEO. It is, therefore, up to the latter to subcontract the function to an external firm, duly authorized to exercise it and report to it.
What are the limits of the consultant compared to a D&IM
- In large companies, the consultant often only has a fragmented vision of the organization. They will never have the culture of the organization or the links with the various actors. They will also not be aware of opportunities to promote the D&I documentary function. They are present only occasionally and only have an advisory role: they are not a decision-maker and the CEO, to whom they report risks never put the D&I issue at the forefront of decision-making. In essence, nothing will really change but it is a gradual way to persuade the CEO to start the process.
The return to a more selective or confidential culture requires time and a training effort for all employees.
It is all about creating a virtuous circle to place the data in a better-controlled environment. Culture, as well as new tools, will help.
Tackling the Cyber Risks with a three in one automatization
Organizations are subject to strong competition and are looking for levers to increase their productivity, and thus, gain market share.
One of the highlighted areas is the digitization of business processes and working tools, this digitalization results in the transformation of activities within the organization.
This quick digitalization, also called Industry 4.0 in the concerned industries, leads to the adoption of more and more software, and therefore, increasing dependence of the organization on its information system.
This dependence results in strong demand by the organization for its information system, which requires it to deliver the highest level of infrastructure, availability, and business application, while controlling its costs.
Cyber Risks: Damocles’ Sword Hanging Over the Organization
The information system is central and vital for the organization. It becomes a privileged target: industrial espionage, data theft, voluntary destruction, encryption, and ransom. As these cyber risks become increasingly prevalent, many laws and regulations tend to impose the adoption of adequate measures to mitigate risks: Bâle, GDPR (RGPD), SOX, NADCAP, ISO 27001/2, etc.
This triple constraint: company requirements, regulatory requirements, and consideration of cyber risks, oblige the information systems to adopt a virtuous approach, maintaining regularly updated systems and software.
Without going into details and technical considerations, the information systems and their underlying rchitectures are increasingly complex and nested (On-Premise, Cloud, Hybrid, Virtualization, Containerisation, etc.).
Cybersecurity Recommendation: The Critical Importance of Implementing Updates
The complexity of information systems raises the possibility of an increase in risks due to loss of control.
The French Agency for Information Systems Security (ANSSI) supports French companies by providing them with a guide to take back control of their risks and information system.
This guide proposes 42 technical and organizational measures, which can serve as a basis for an action plan to increase the overall information system security level.
The information system security level is equal to the lowest security level of one of its components. This is why mastering the information system urbanism is essential.
One of the essential steps to achieve this mastery is the modeling of an application mapping, allowing to identify the place and the role of all the tangible and intangible assets of the information system, thus the identified data allows the application mapping to conduct impact studies, implement defense strategies, and draw up maintenance and update plans.
More than 40% of global security incidents are caused by a lack of updates on the targeted equipment. With the help of application mapping, it is important to reconcile, on one hand, the economic stakes of the organization and the consequences due to the unavailability of its information system, and on the other hand, scheduling regular updates of all information system equipment.
An organization’s productivity loss caused by the downtime of information systems can be reduced by increasing communication (planning and reminding) between the technical teams and the business teams.
This communication facilitates the acceptance of measures, improves the business’s confidence in the information system, and allows business teams to organize in the absence of their digital tools.
Monitoring the proper application and effectiveness of the measures is essential in order to build a solid safety policy.
These measures, which are central to ISO/IEC 27001 and ISO/IEC 27002, can be implemented in successive iterations, materialized by the famous Plan Do Check Act, and thus limit the burden on the technical teams to implement them.
Regular audit results highlight the strengths and weaknesses of the measures in place, help consider corrective action plans, and identify regressions if they occur.
Internal and external auditors rely on factual evidence to establish their ratings and recommendations. The measures described above strengthen the maturity of the information system and provide the elements of response to the auditors.
When drawing up the Master Plan for the information system, it is essential to integrate the implementation of measures for each project.
Moreover, since the application mapping is central to considering an effective security policy, it is important to transcribe each information system evolution in the application mapping in order to remain accurate.
The Cloud – A Finality?
We observe a process that aims to see many scopes of the organization’s information system migrate from a traditional model, also referred to as on premise, to spaces belonging to third-party entities, also known as the cloud.
Under the generic name cloud, it is necessary to distinguish the two different concepts. On one hand, the remote Datacentre allows hosting all or part of the servers that make up the Enterprise Information System. On the other hand, the SaaS (Software as a Service) and IaaS applications (Infrastructure as a service) are entirely the supplier’s responsibility.
In both cases, the objectives pursued by the companies are transferring the associated risks, responsibilities, and costs, and switching the investment budgets (CAPEX) into the operating budget (OPEX).
The purpose of these suppliers, like any organization, is to lead economic logic to make profits. The choices and investments that are necessary to maintain a high level of security, are often not communicated thoroughly, only through displayed labels which suggest that they follow the main recommendations. At the same time, they face the same difficulties in recruiting and retaining qualified technical profiles.
Finally, they are privileged targets of attackers because they centralize large volumes of data.
The keyword for deciding on a cloud migration of an information system component is pragmatism. Is the tool critical? How long can we do without it? Is the data sensitive or critical for the company, for its activity? Consequently, not all components of the information system are intended to leave the organization.
Take the case of a classic industrial site with production units, quality department, logistics, and finance.
What happens in case of communication loss? Do the degraded procedures ensure, at a minimum, continuity of services and that the company meets its obligations to its customers? Are the business teams prepared for this possibility?
The same questions apply to a healthcare facility where all information and healthcare devices are controlled by the information system?
The hybridization of the information system makes it possible to take advantage of the best of both approaches.
Process Automation: An Essential Tool
The information system maintenance operations, mainly the application of updates, are becoming more and more numerous and complex to apply.
Human intervention must be kept to a bare minimum to ensure a high level of reliability. The adoption of automation tools is now becoming indispensable within the information system.
It allows technical teams to model maintenance operations and also formalize knowledge and practices that were not transcribed but only transmitted orally.
The adoption of automation tools allows the IT department to become more mature, from both, a technical and an organizational point of view.
The choice of tool depends on the organization’s constraints. In a simple scheduler or more advanced orchestrator, the need to control triggers between different sequences and operations is a decisive selection criterion.
However, the development of these processes requires numerous skills:
- Mastery of the technical environments and dedicated technical languages allowing the automation of tasks
- Maintaining a high training level of the involved resources
At the same time, the information system is constantly evolving, meaning that this change requests migrations, promotion of environments, new business tools, etc.
As a result, automation chains must be constantly reviewed and refined to take into account the new constraints.
Any new project within the information system must include an impact analysis and an update cost of the automation task.
The more complex and interwoven the information system is, the more difficult it is to define maintenance processes that take into account the many constraints.
In addition, any need to modify these processes quickly becomes extremely complex.
In this context, Robotic Process Automation (RPA) allows efficient response and sustainably to the modelling of complex environment maintenance processes.
Robotics enables the generation of entire processes without any human intervention, through a no-code approach. The adoption of automation is, thus, facilitated because it requires little technical expertise. The processes obtained are optimized to guarantee a minimum downtime of the business applications.
Whether the Enterprise Information System (EIS) is On-Premise or partially migrated to the Cloud, the mastery of application mapping is a prerequisite for any development of a security policy.
Armed with this mapping, the analysis of data flows of the information system serves as the basis for the writing of all processes that will allow keeping all equipment up to date.
The adoption of a scheduler or an orchestrator makes it possible to automate all the sequences and operations that contribute to maintain operations. To overcome the complexities of setting up and supporting automation, the use of robotics will ensure that processing times are reduced, the error rate is reduced and security is strengthened.
The solution published and distributed by xSécu makes it possible to put in place concrete measures, check their proper application, and measure their effects:
- Application mapping
- Robotics and Orchestration of maintenance processes
- Automatic communication of maintenance schedules to the business teams
- Ongoing audit of key equipment control points
- Automatic alert on thresholds crossed or events detected
- Reports being provided to publishers to disassemble the implementation of the measures