Cybersecurity awareness is a journey to embed secure behaviours in people’s daily lives

To do so, you need to build a strong cyberawareness program, focus on your key cybersecurity themes, that engages your people and respects their uniqueness, with practical positive actions and diverse activities. In other words, a program that meets your ambitions and aims:

• An effective behavioural change
• The development of a security culture in your organization

We developed our TAMAM framework to formalize our strong beliefs about how best to build a cyberawareness framework.

TARGET: set concrete and measurable objectives

AUDIENCE: adapt the approach according to the people concerned

MESSAGE: choose a concise, positive message that calls for action

ACTIONS: set up effective, concrete and various actions

MEASURES: evaluate the program’s impact on behaviour

This article explains the principles, the stakes and the role that TAMAM has to play to support you!

But first, let’s put some contextual elements about cybersecurity awareness…

Why do they keep clicking on these phishing emails?!

• Our journey doing cybersecurity awareness started more than 15 years ago. And things looked quite different back then. It was the time of the new awareness programs, led by newly appointed cybersecurity managers, with little means and yet a key objective to tell people what they must do to protect the information systems. Nothing more, nothing less. It was the time of the Top 10 best practices; the Do’s and Don’ts; the mass training sessions; etc.

• Once said, these messages were considered to be common knowledge and applied by everyone; and just like that awareness was deprioritized and no longer a priority for the cybersecurity managers. It was the rough time of insufficiency and budget cuts.

• Then came the rising number of cyberattacks and the GDPR. With new risks came new appetite for awareness and education of users. Cybersecurity awareness was back in the agenda, yet with variable means and interests. Over the years it remained part of the cybersecurity topics but with great variability between the organizations when it came to effectiveness and efficiency.

• And here we are now: at the beginning of the year 2023 and the same questions remain: “I’ve tried everything but there are still some people who do not perceive the risks– what can I do?”; “I need to keep my people interested in the topic, what new things can you propose?”. Basically, what we notice is simply a lack of consideration of the effectiveness of the program: they seemed to be reaching a glass ceiling. Efforts were put, investments were made, but little change happened. That triggered our attention and led us to discussions and research until we finally came to the evidence: efforts and investment are vain if they don’t aim at effectively changing behaviours and ultimately establishing a culture of cybersecurity. But how do you do that? That’s the focus of this article.

Are you getting everyone on board with cybersecurity?

Based on these observations of the past years of cyberawareness, we developed a framework to build an effective cybersecurity awareness program. We wanted this model to be customizable so that it could be applied to every organization regardless of its size, maturity, budget, or current culture. Not a one-size-fits-all, but a backbone to be adapted to every organization.

Target

Just like with everything, you have to start with the “why”. This serves to define the objectives: a target to reach, a vision of where to go and a path to reach that place.

These objectives must be targeted to your priority battles, i.e., what change you want to see in your organization, precise behaviours that you expect from your people. They do not just represent good intentions – like “raising awareness among my employees” – but precise behaviours that you want to see every day. For instance, if phishing is one of your primary concerns, and it sure is: “How to educate my employees to report phishing attempts and incidents?”. Like this you see your target and the way to reach it.

Precise objectives also enable measurable results. When you define them, you also define the KPIs and metrics that you will use to assess their success. As a rule of thumb: if you are unable to find a measure for your objective, that means it’s more illusional than achievable.

Finally, you share these with your employees. Isn’t it plain fairness that to tell your people from the beginning what you expect from them? This way, you make them actively engaged in the change of behaviour that you expect from them. By giving them the rules of the game, you enable them to play by these rules and to win the game with you, because cybersecurity is a collective win.

This first step is largely overviewed, and few are the organizations that take the necessary time to reflect on their true target when it comes to cyberawareness. However, it is the essential starting point of our journey. Just like with any journey: we can only reach a friend’s house if know their address.

Audience

And who do you want to reach exactly? That is your audience, your population, your people that need awareness, training, and education. A clear identification of these specific audiences will help you define an approach that is meant to reach them. To know these needs you will need to start by differentiating people in clusters – mostly based on their positions in the organization, their closeness to the topic, their expositions to the risks you want to prevent, their role figures, etc. These clusters can gather newcomers, external staff, local ambassadors, IT staff, etc.

For each of these populations, you will want to assess their current level of mastery of the different targets defined. That is basically performing a skills gap to know what topics requires more attention for each population. This information will be essential to customize the program to the needs of these populations (because you understand what they do in life) and their current level of mastery (which you have assessed precisely).

Message

Off we go now with the messages you want to communicate to these people to reach these objectives; the moment where you find this catchy phrase that will be repeated oftentimes. The people with whom you will be communicating also receive numerous other communications for numerous other causes (name it: CSR, compliance, values, etc.). Hence the importance to select your messages wisely and to stay concise. The time and attention available are limited, this is why you will prefer to select a few messages that address key risks and meaningful objectives.

Eventually, the tone used to communicate these messages is crucial as it must be adapted to the organizational culture: funny messages work in some environment while serious ones work better in others. Regardless of the tone used, the messages will need to be positive and call for action. Drop out the negative injunctions (“don’t”) and embrace the positive actions (“act”).

With these first three steps in mind (Target, Audience and Message), you build up the framing of your cyberawareness program: you know what you want to tell, to whom, in order to reach the expected behaviours.

Actions

Now that you have tailored your messages for your specific audiences to reach the defined objectives, time has come to identify the actions that you will implement in this framing. Although you now open the catalogue of action, you must be focus and pragmatic. The principle when doing so is to think of the effectiveness of the chosen action in your journey to reach your objectives. Creativity and innovation are surely important to keep people motivated but is not the sole success factor. You want to make cybersecurity practical for people, to bring the topic closer to their life and to involve them in their learning (e.g., practical activities, application of the behaviour expected, etc.) on top of a more theoretical top-down approach.

The way you implement these activities is also an essential success factor, with the right resources, people and planning to enforce the selected messages:

• Who is the bearer of these messages? Internal or external?
• How to repeat them in different ways (as different people will respond to different stimuli that can be practical, visual, spoken, etc.)
• From what angles and with what activities should these issues be addressed in order to raise awareness among employees in the most appropriate way?

With few selected messages, you build different activities, at different moments, with different approaches, to embed these behaviours in your audiences’ daily lives.

Measures

Finally, this whole program needs to be evaluated in order to say if it actually allows to change behaviours – for the management that will ask to see the value delivered for its investment, or for the awareness team that will want to show tangible results from its efforts.

In your quest to raise awareness, you must focus on the effectiveness of what you implement, beyond the implementation itself. All too frequently, organizations focus on numbers of activities or people addressed. But these figures seldom provide a real understanding of the change of behaviours happening.

When building your evaluation plan, you need to include quantitative measures and qualitative feedback to obtain a comprehensive understanding of the achievement of your objectives. Perhaps this will require new ways to gather this information – like getting the helpdesk involved, or even obtaining fresh data from the SOC – but the outcome will bring terrific value to your program as it will allow you to review it and keep it continuously adapted to your objectives; which can also be subject to adaptations if the organizational context changes.

Oh, and don’t forget one last thing if you want to create a positive trend in awareness: communicate your achievements and celebrate the victories with everyone. You deserve it.

Take the first letter of these 5 principles and you obtain TAMAM. It is no coincidence if the world translates into “all right” in Turkish; this is what you want from your people: an adherence to your objectives and an agreement to onboard your journey to more secure behaviours.

Where to start?

Now that you have a better understanding of the iterative journey to build a strong awareness program, you must find yourself in the middle on a strong questioning: where do I stand in that and how do I lean more towards what you’ve just said?

A first action to take is probably to take a step back to look at your current maturity level in cyberawareness. You will need to have a clear and honest understanding of how your organization addresses this topic in order to define a path towards a greater maturity.

The power of TAMAM resides notably in its ability to be used regardless of your maturity level, because its principles are adaptable and true to different situations.

Do you TAMAM?

When you TAMAM, you:

• Visualize a clear and precise target – behaviours – that you want to reach
• Tailor your approach around the need of your specific clusters of people
• Define the few messages you want communicate to your audience on these objectives
• Select the best manner to communicate your messages with activities that focus on effectiveness
• Monitor and assess this effectiveness to adapt your approach and finetune your whole program

This article is only a glimpse of what TAMAM can bring to your cyberawareness program. Contact us for a full understanding of how our framework can help you step up your awareness!

Contact us

Cet article Are you ready to TAMAM your cybersecurity awareness? est apparu en premier sur RiskInsight.

Why launch the “Women Entrepreneurs in Tech” award?

The goal of the “Women Entrepreneurs in Tech” award is to highlight a female director or founder of a startup or scale-up. In particular, we’re looking for B2B or B2B2C startups with strong innovation potential that Shake’Up could support in their development.

By launching this ‘Women Entrepreneurs in Tech’ award, the Shake’Up teams wanted to highlight the firm’s technological DNA and contribute to its CSR commitment regarding gender equality”, explains Mathilde Peyret, co-lead of the firm’s Shake’Up asset.

To ensure the best possible sourcing, in addition to the startups and scale-ups in our database (from our Radars, Calls for Projects and Vivatech Screening), we will be relying on our various partners (BPI, France Digitale…) as well as the vast network of Les Echos newspaper. And, of course, your suggestions!

A 1st edition dedicated to cyber

For this first edition, we’ve decided to focus on the theme of cybersecurity, on a European perimeter (see precise criteria at the bottom of the article). Noëmie Honoré, head of Wavestone’s Belgian office, and very committed to the theme of “Women in Cyber”, was a natural choice to sponsor this initiative alongside Charlie Perreau, head of the Tech-Médias-Start-up department at Les Echos.

The winner will be selected by a jury comprising two members of Wavestone (Gérôme Billois and Noémie Honoré) and two key journalists from Les Echos (Charlie Perreau and Florian Debes). They will assess the quality of the project, the relevance of the solution for market needs, and the suitability of the startup/scale-up in terms of the support it could receive from Shake’ Up.

The award ceremony will take place on March 5 at Wavestone’s offices in La Défense, in the presence of the firm’s partners and associations from the world of cyber. One of the five finalists invited for the occasion will be awarded the prize.

How to apply?

Are you a woman entrepreneur in the cyber world and does your organization meet the selection criteria? Please submit your application via this form:

Click here to submit a candidate

Award selection criteria

The prize will be awarded to a (co)founder or (co)director of a European cyber startup or scale-up (Europe in the geographical sense).

Startups and scale-ups must be headquartered in Europe, and sales of security products must represent at least 50% of their turnover.

Startups must be less than 7 years old and have fewer than 35 employees.

Scale-ups must meet at least one of the following two financial conditions:

– either have received financing over 3 years by raising funds of at least €10M in one go.

– or have sales of at least €2.5M and annual growth in excess of 25% over the last 3 fiscal years.

This financial condition must be coupled with a consolidated workforce of less than 250 employees.

If the company is linked to another (over 25% shareholding), this consolidation is the combination of its own workforce and:

– If the holding is between 25% and 50%, the workforce of the holding company is added on a pro rata basis.

– If the holding exceeds 50%, the full workforce of the holding company is added.

About Shake’Up

Since its launch in 2016, Shake’Up’s aim has been to help our teams learn about offers, solutions and innovations from the startup ecosystem in order to bring value to our customers. To date, Shake’Up has supported 50 companies, including Yuka, Phoenix Mobility, Isahit, Olvid, Hackuity and Néolithe.

About Les Echos

Founded in 1908, Les Echos is now France’s leading provider of business news. The brand helps decision-makers and entrepreneurs stay one step ahead. Every day, it offers them a global vision of world events and the economy. It deciphers corporate strategies and captures major emerging trends. It stimulates public debate with a plurality of opinions and contributions for a responsible economy. Les Echos reaches 9 million readers a month.

Cet article Shake’Up and Les Echos launches the 1st edition of their “Women Entrepreneurs in Tech” Prize est apparu en premier sur RiskInsight.

Recruiting in cybersecurity is increasingly challenging, with 4 million jobs currently unfilled – a 13% rise from 2022 (ISC2 2023). As studies over the past three years have confirms, this challenge is only deepening, leaving CISOs struggling to recruit, manage, and retain skilled professionals. Diversifying the talent pool is also a priority, with women making up only 25% of the workforce.

At Wavestone, we’ve been actively following this subject and have developed a benchmark to assess companies’ maturity level on this subject. With data from more than 20 organizations, we’re ready to share our insights.

In this article, we’ll dive into the results and focus on key topics such as career path, recruitment, trainings, and retention plans. And for those who stick around till the end, there’s a little surprise waiting for you.

If you’re a CISO looking for practical solutions or just interested in cybersecurity talent management, this article is for you. Let’s tackle this challenge together.

A Global Maturity Score of 45% in Cyber Talent Management

Current Cyber Talent Management maturity stands at 45%, indicating significant room for improvement in this emerging field. The gap between the lowest and highest scores ranges from 27% to 62%.

On a positive note, there are strong performers in every area, suggesting that companies can benefit from sharing best practices. Ultimately, the goal is to build skilled and resilient cybersecurity teams.

The Energy sector has the highest maturity level, while Public & Institutions have the lowest. The graph above compares the maturity levels of various sectors on a scale from 0 to 100%. The sectors include Energy (58.2), Luxury & Retail (52.4), Services (50), Finance (45.9), Industry (47.2), and Public & Institutions (36.1).

Developing Career Path to Give Growth Perspectives to Talents

The cybersecurity field is facing a clear talent shortage. In 2023, 4 million cyber jobs were unfilled, and the figure is still increasing. Organizations have a real challenge to retain their cyber talents and to attract new ones. Yet a well-defined career path could help them. From an HR perspective, it empowers individuals to take charge of their own development, serves as a framework for self-assessing competencies and areas for growth, and supports individual fulfilment. However, building an effective career path requires careful planning and can take over a year to implement.

During our interviews with CISOs and Cyber Talent Managers, we observed that while 66% of the organizations have started initiatives to build their first cyber career path, these efforts are not yet fully materialized.

Real-world example based on a client assignment…

• In a client project, after several phases of reviews and workshops on cyber jobs and skills frameworks, we identified 11 new cyber skills and 6 cyber jobs and integrated them into the repositories. This then led to the creation of an initial career path dedicated to cybersecurity workforce.

A well-defined career path is the cornerstone of Talent Management and represents a strategic advantage for organizations in retaining and attracting talents, prompting many to take action.

Tips to Diversify Your Recruitment Pool

The cybersecurity talent pool is both limited and lacking in diversity, making recruitment a critical challenge for organizations. Despite women making up 50% of the global population, they represent only 25% of cyber professionals (ISC2 2023). This highlights the urgent need for more inclusive recruitment strategies.

Nowadays, traditional job descriptions often demand too much, deterring potential female candidates. Only 27% of the organizations have adapted them. Studies show men apply if they meet 60% of the criteria, while women tend to wait until they meet 100%. Rewriting descriptions to be more inclusive, with input from female reviewers, can broaden their appeal.

In addition, few companies focus on internal (5%) or external (22%) branding, yet these strategies work. Transparent branding and communication can help to demystify cybersecurity roles, attract a more diverse talent pool and boost internal mobility, making them valuable recruitment tools.

Offering Trainings to Reduce Skills Gaps Within Your Organization

Cybersecurity skills gaps are a major issue, with 92% of professionals reporting deficiencies and 75% finding the current landscape the most challenging ever (ISC2, 2023).

Our benchmark shows only 33% of companies have a skills-mapped training catalogue, and 94% address training reactively, based on demand. This reactive approach misses chances for proactive skills development. Effective training is crucial for equipping employees with the skills needed to handle evolving cybersecurity threats and trends.

Real-world example based on a client assignment…

• Automated Training Paths: implemented an automated tool that can generate personalized training paths based on employees’ needs and skills level.
• Consolidated Training Catalogue: a unified training catalogue, mapped to the 17 new cyber skills and 16 new cyber jobs, offering a clear development roadmap for employees.

Enhancing Retention Through Effective HR Collaboration

Collaborating closely with the HR team to create a robust retention plan is essential for organizational success. While many companies have processes to support talent development, these are often not formalized, leading to challenges in daily management.

Companies need to start by assessing the unique skills and strengths of each team member and determine how to best leverage them for the organization’s goals. Conducting individual interviews is a valuable strategy in this regard. Managers can gain insights into each employee’s current career stage and future aspirations. This information allows them to craft personalized development plans that align with their goals.

However, it’s important to remember that a retention plan is not a one-size-fits-all solution. It should be flexible and adaptable, capable to evolve with the changing needs of your team and the cybersecurity landscape. By working with HR to implement a tailored, adaptive plan, you ensure that your cyber talent feels valued, motivated, and committed. Remember, effective retention is as crucial as attracting top talent, so make strategic collaboration with HR a key component of your talent management strategy.

A²BCⁿ framework: A Framework to Care for your Talents and Secure your Business

In conclusion, caring for talent is essential to securing your business. The A²BCⁿ framework provides a structured approach to achieve this. By focusing on Assessing and Attracting talent, Building Trust with your talents, and Caring and Nurturing your team, this mixed approach, blending cybersecurity and HR strategies, ensures an effective and resilient team ready to meet tomorrow’s challenges.

Cet article Navigating The Cybersecurity Talent Management Maze: A Guide for Talent Management Enthusiasts est apparu en premier sur RiskInsight.

You may have seen the big headlines pointing out talent shortage issues in the latest news – that is sadly not a fake news. The talent war really exists in the cybersecurity market. Over the past months, we read numerous articles, academic papers, reports on this emerging subject; we discussed with CISO and Talent Managers (a real full-time job!) and the 3 main challenges remain the same: how to recruit, manage and nurture our talents?

In this article, we have compiled the different situations, our observations, and the initial lessons we can draw from the actions put in place to meet these challenges.

Take a moment to analyse the strengths and weaknesses of your team to identify the complementary skills and competencies you need to look for…

Beyond just filling the roles, it is essential to gain a strategic vision of the skills to draw up a sustained cyber division. Your mantra for this stage must be: “Getting the right people for today… and tomorrow!”.

When people’ skills match their roles, tasks are performed efficiently, with everyone contributing to a more (cyber)secure organization. I doubt anyone will contradict me here, but it’s often easier said than done.

Here are the first questions you can ask yourself to get moving in the right direction…

Do you know what you need? Have you defined all the cyber activities you need to run? Have you defined your “make or buy” (internalization vs outsourcing) strategy? Have you identified the skills and the people needed to run these activities?

This is a non-exhaustive list of questions that as an organisation you should ask yourself to better capture your need and know your people before launching a roadmap of actions.

Knowing your need and team is important as it: (1) helps for task allocation: before, cyber teams were smaller, therefore, versatility was crucial. Nowadays, bigger cyber teams make specialization possible and facilitate the optimization of complementary skills (2) helps to target training and development: having a clear vision on your team and its activities helps you identify skill gaps and provide the appropriate training and development opportunities to the people who need it the most. With the identified missing skills in one hand, and the identified needs in another hand, you can start seeking for your ideal candidates thanks to a job offer that speaks volumes (but don’t look for purple squirrels, they don’t exist)!

Keep an eye on the upcoming insights and focus on the cyber job descriptions topic!

Fueling Team Today, Attracting Tomorrow: The recipe for Sustained Cyber Teams

That is to concretely explain what cyber is and what its activities are. #transparency

Based on the discussions with CISO and Talent Managers, being transparent on the job description works and gives people a sense of belonging and purpose, which in turns promotes a better teamwork.

Let us share some concrete and easy actions that you can do to get things moving:

• Promote internally the cyber jobs and the people behind the jobs: by explaining concretely what working in cybersecurity means, what the positions available are, and what the people really do, you can inspire people to join your team, increase internal mobilities, strengthen the sense of belonging to the cyber division, and give perspective to your team.
• Promote externally your cybersecurity activities: make yourself visible by participating to cyber associations and key conferences (school events, collaborations with universities, research institutions, or organisations, etc.).
  • Organise/participate to upskilling/reskilling workshops (transferable skills).
• Include inspiring people in your recruitment process and branding (such as CISO, team lead, etc.

Cybersecurity is still an obscure topic for those outside the cyber world. To fix that, everyone needs to start explaining what they do.

Mastering the art of taking care of your people

By now, you must know that it’s a great asset to know who your team is, who your people are, who you really need to run the cyber activities, to have a great branding to attract people. But what will make the difference in the long run is to take good care of your people by offering a safe work environment and giving perspectives of evolution. When what is coming next is clear, it is easier for the people to project themselves in the company in the years to come.

And before taking care of their people, CISOs also need to take care of themselves. 40% of the CISOs say that they experience “high-stress” on a daily basis and 28% of them are close to burn-out (Cyber Workforce Study, ISC²). Tough to take care of people if you don’t take care of yourself first…

To avoid this, CISOs need to build a trusted relationship with their top management in order to be able to define the strategic objectives, prioritize the activities, obtain the resources, etc. And it is essential to know how to surround themselves with reliable individuals to delegate tasks and create an effective operational strategy.

Recruiting is just the beginning of the journey; nurturing is the ultimate goal. Nevertheless, organisations tend to forget (neglect) this last, but perhaps most important point. It’s like getting an ISO 27001 certification, quite easy (of course, it requires work!) but maintaining it, is the real deal.

In order to provide perspectives for team members, we need to establish career paths with their “pathways” and the means available to evolve on these paths: skills required per job and key milestones, training catalogue, internal mobilities, personalized evaluation process, etc.

Nurturing your talents means helping them to develop and strengthen their skills/capabilities through trainings, teamwork with colleagues or with cyber associations, giving them perspective of evolution/growth within your company. As a human-being, we need to know where we stand and where we are going, we need a vision to get us moving (in our life #existentialcrises).

If we take the example of the Maslow’s hierarchy of needs, people need to have a sense of belonging and feel that they are useful. Thus, part of nurturing talents also means creating a “team spirit” via rituals. It is not a secret that a friendly work environment/atmosphere is a crucial criterion when choosing a job and can increase people’ productivity by 12% (University of Warwick, UK), especially for young people nowadays.

Giving perspective of growth/evolution is essential, especially for experts. Many organizations still view management as the only path to success, but in certain sectors like industry, we can observe a shift. Expertise is increasingly valued as an alternative success route to management; some may combine both, but it is not a necessity. Therefore, expertise circles are key to give recognition to experts in and outside of their organisations – give them the opportunity to attend specific cyber events that can also enables them to grow their network and acquire more skills.

In a nutshell, attracting and nurturing talents take time, and talent recruitment emerges as a pivotal element in corporate strategies. By embracing diversity and promoting gender convergence, we venture into new dimensions to build robust, thoughtful, and resilient teams.

We aim to open the cyber field to those unfamiliar, fostering diversity, and creating vocations. Let’s reach out to people; and let’s not wait for them to come to us.

We have created a benchmark tool to explore this multi-faceted topic (along with the ongoing research) and assess organisation’s maturity. Reach out to us if you would like to be part of it! We would be very delighted to share with you the good ideas we have collected on the market… and the traps to avoid.

Unicorns (don’t misunderstand me, I am not talking about start-ups), Purple Squirrels, Ninja, Rockstars, don’t exist but if we combine diverse profiles, we can get this highly qualified team!

Cet article The Quest for Cybersecurity’s Purple Squirrels: How to Find and Keep Them est apparu en premier sur RiskInsight.

Given that human-risk remains significant, with human error accounting for 82% of data breaches according to the 2022 Verizon Data Breach Investigations Report, no wonder CISOs across European organizations are aiming for the most innovative and ground-breaking activities during this crucial time of the year.

Once key risks have been identified, it’s go-time: spread priority secure behaviors throughout your organization using the ultimate medium: gamification.

Fail to play, fail the Cyber Month game

From football matches to Monopoly fights, there is a game for everyone, and whichever your preference goes to, the chosen one will always elicit enthusiasm.

It is then only logical that when meeting an opportunity to learn secure behaviors, employees will favor a game rather than an e-learning that they will have to – let’s face it – painfully sit through.

Gamification is a winner, and although there are many reasons behind this fact, we have selected seven striking pieces of rationale that will shed a light on the benefits that gamification presents in a learning environment.

Gamification increases engagement dramatically

To feel involved in an activity, and therefore reach the holy grail component of attention, interactivity is key.

Games require action from the participant, which transforms the latter into a moving cog of their own learning process.

Additionally, the element of competition, whether between teams or against a fictitious villain, present in games serves as a powerful motivator, further promoting engagement.

Practice beats theory in a learning context

Practice accounts for 70% of the learning process. Why so? Because practice allows to make the materials tangible and embed them into real-life situations, that employees can directly link to their everyday practices.

Feedback and rewards stimulate positive behaviors

Games imply prizes and rewards to be earned. Not only does it contribute to foster motivation, but it also allows employees to access direct positive feedback about their actions and decisions, which comes with a sense of accomplishment and progress, further embedding the targeted secure behavior.

Games revamp the image of your cyber team

Cyberawareness games have the power to shift the perception that staff hold of your cyber team. Indeed, cybersecurity may seem like an obscure and complex area for many employees.

Offering games helps to make security concepts more tangible, accessible, and applicable into everyday life.

Further, if they are held in-person, they allow your cyber team to gain visibility with end-users and bring a sense of recognition and trust, which in turn will boost the impact of future awareness actions.

Learning together increases team cohesion

As if learning more effectively wasn’t enough, gamification also offers the valuable benefit of boosting team spirit.

Many awareness games provide the opportunity to work collaboratively to attain success. This way, employees leave with fond memories and appreciation on top of precious security tips.

Games allow repetition of security messages in novel and fun ways

When aiming to embed secure behaviors across an organization, repetition is crucial to ensure integration and implementation.

However, repeating awareness communications through the same channels may decrease the attention that employees pay to them.

Games constitute an innovative and enjoyable experience to reinforce security messages, making them stick over time.

Bonus: You collect valuable feedback and inputs from end-users

By interacting with staff through awareness games, your cyber team gets the unique opportunity to collect information on the most urgent security questions that employees ask themselves and uncover which are their biggest challenges in terms of security in their daily activities. This feedback is then useful to prioritise future awareness messages and review or implement processes to facilitate employees’ work life. For example, if staff repeatedly bring up the fact that they may see suspicious-looking emails but don’t know how to report them, this may lead to a special awareness campaign meant to remind employees of the way to report phishing emails, and the implementation of a phishing report button to facilitate the reporting process.

Leveraging gamification: The musts for organizing successful awareness games

Prior to establishing the success factors of an awareness game, let’s pinpoint what makes a fruitful one.

In order to prove truly effective, an awareness game should see its participants leave the activity with a clear idea of the security behaviors that they will change in their own office life.

To achieve this goal, we have identified a set of five key criteria:

A solid game will cover a priority awareness topic, based on the risks identified for the organization and ranked accordingly.

Then, the right level of complexity must be found, based on the level of knowledge of your staff.

Staff who already have a high level of maturity in terms of security behaviors will – at best – not learn anything new during an easy game, and – at worst – be bored or resentful towards the security awareness team for taking away some of their working time to cover elements they already know.

The reverse scenario would also be problematic: confronting beginner staff with a difficult game would only leave them confused.

Having an understanding of the level of security maturity of your target audience is therefore key to adapt the game for optimal results.

Thirdly, the game must have at its center a compelling story. The scenario must be intriguing and should unfold seamlessly. Additionally, it should be adapted to the context of the organization so participants relate to the events happening in the game.

To truly catch, and most importantly, retain employees’ attention, the game will have a strong focus on interactivity. Interactions can happen between the game master(s) and the players, but also between players themselves when collaborating in the context of the activity.

To further exploit this concept, the game may stimulate the 5 senses to render it even more engaging and immersive.

The final key element to an effective game resides in providing a good incentive. Again, there are multiple ways to achieve this: you can for example establish a scoring system to foster playful competition between teams, and implement rewards. Rewards may come in the form of goodies, prizes such as individual or team experiences, or even donations to the charitable organization of the participants’ choice. A solid incentive will boost voluntary participation to the activity, and a decision to participate that comes from the genuine willingness of staff will also be synonymous with higher motivation and involvement in the game for better retention of the shared secure behaviors.

Which awareness game is made for you?

To make your Cyber Month gamification dreams come true, let’s jump from theory to practice!

Take the quiz below to find out which cyberawareness game is tailored to your needs and objectives for maximal impact.

Loading…

Cet article How to activate gamification for an impactful Cyber Month est apparu en premier sur RiskInsight.

Yes, experts are not exempt from awareness initiatives… let me tell you a story, I’m hoping that it will help you to get the message across to your organization.

It all started on a Tuesday at 3:34 pm. I received a WhatsApp from my CEO (or that’s what I think at the time!). The message read:

“Hi Noémie, are you available? I need to talk with you about a confidential acquisition in Belgium. Pascal”.

I picked up the message 10 minutes later and replied that I could free up my time and have that call. In my head, I asked myself a few questions: an acquisition, but who could it be? at what stage of the discussions are they? our priority areas are the US and UK, so it would be a bigger firm?… In short, the stress level was rising but I wanted to know more. At this stage, nothing indicated the slightest hint of a fraud or scam and I didn’t see any particular risk. I was more intrigued by the opportunity…

 2 minutes after my message, the following answer appeared:

“No need, but I will need you to prepare a transfer quickly, I will send you the bank information in a few minutes. Thanks”

At that moment, it all clicked into place. One thing was clear: it was a trap! It was urgent that I did nothing

I then decided to investigate because something wasn’t right in this situation:

• The phone number of the WhatsApp contact was not the one I have in my phonebook
• The photo is indeed Pascal’s but it’s a common photo, so easy to get

I then sent 2 messages in parallel:

• The first one to my CEO, to the number registered in my directory. I took a screenshot of the WhatsApp discussion and asked him “Hello Pascal, obviously it’s not you! Can you confirm?”
• The second was to the mystery sender on WhatsApp: “Are you testing me?”

The response on WhatsApp soon arrived, “Well done!”, and a more comprehensive message then followed which clarified:

• This was a campaign to raise awareness about Fake President Fraud.
• That the cases are unfortunately frequent and that several attackers have tried to impersonate a member of the executive management, by SMS, social networks or email by simply changing a photo or name
• What Fake President Fraud is and the objective of the attackers: to make you believe that they have a priority and confidential matter for you to deal with, such as an acquisition, which requires an urgent payment out of the normal processes.
• Rules to follow in case of an attack, clues to thwart attacks, and the security contact to alert.

As you can see, this story has a happy ending. In the cold light of day, you might think that it is quite simple to thwart the attack, but unfortunately that is not always the case.   

Beyond the example, it is the management of emotions that I want to emphasise. This exercise was well done and very credible; it first gave me confidence with an important request but without asking me to take any risky or suspicious actions. The importance of the request generated questions and a little stress – emotions I needed to master in order to keep my decisions and actions logical and reasonable. I am personally familiar with this subject; I know the theory, but I assure you that the real-life situation was very different! I now know that a flood of emotions appears (although they won’t be so new next time!), but I am reassured that my common sense allowed me to keep a level head and investigate without rushing. I thanked my CISO after the exercise – I understand the benefits of practice and this experience was a good test, especially for those experts who may feel safe as they know what to do (to be clear: I don’t put myself in that category!). It tested in a very realistic way whether they would know how to put the theory into practice and recognise the messages for what they were: a scam.

Training your people, even the experts, allows them to be better, to be ready (although not necessarily to be perfect!), because the situation will no longer be new, and the emotions will not be unknown… To shine on the big day, preparation is an essential ingredient, and this is true for everyone!

Summary

Some key elements of Fake President Fraud:

• Confidence building (photo, tone of voice, choice of words, etc.) by the attacker or climate of authority
• Urgency, stress: emotions that create pressure and disturb lucidity
• Demand for unusual, abnormal actions to be carried out within a short period of time

Cet article Fake President Fraud: almost caught me out! est apparu en premier sur RiskInsight.

Dans un précédent article, on vous racontait tout sur la nouvelle directive européenne NIS et le choix de la Belgique de se baser sur la norme ISO 27001 pour accroître la sécurité des Opérateurs de Services Essentiels (OSE) avec tout ce que ça entraînait pour les organisations nouvellement désignées.

Qui dit directive européenne ne dit pas règlement européen : il revient donc à chaque pays membre de transposer les exigences de la directive NIS dans son droit national. La Belgique a fait le choix d’un standard existant (la norme ISO 27001) alors que certains de ses voisins, dont la France, ont choisi une approche basée sur la définition d’un référentiel d’exigences précis mêlant à la fois des mesures techniques et de gouvernance (SI d’administration, cloisonnement, démarche d’homologation, etc.).

Intéressons-nous aujourd’hui à ce que ça implique pour les OSE belges, et plus largement pour toutes les organisations attirées par les normes internationales, de suivre les exigences de la norme ISO 27001.

La norme ISO 27001, adulée par certains et critiquée par d’autres

Des voix se lèvent contre la référence du milieu, fustigeant notamment son aspect bureaucratique et sa paperasserie qui, pourtant, peuvent aider à mettre en place un référentiel utile à la continuité des services et la formation des personnes via le partage des pratiques – surtout lorsqu’il est pensé avec pragmatisme. Les critiques vont également bon train sur le niveau de complexité ajouté, encore plus présent pour les plus petites structures. Là encore, la règle est au pragmatisme et les mesures doivent être adaptées à la taille de l’organisation et s’intégrer à l’existant pour éviter les structures ex nihilo trop lourdes à gérer.

Enfin, certains aprioris ont la vie dure et réduisent souvent une conformité ISO 27001 à une liste de cases à cocher, dépourvues d’implications réelles sur la sécurité de l’organisation. Mais la fameuse déclaration d’applicabilité (DdA), exigée par la norme ISO 27001 à tous ceux qui visent une certification, ne revient pas uniquement à lister tous les contrôles de la norme ISO 27002. Elle demande une véritable évaluation au regard des enjeux et des risques. De quoi apporter des éléments concrets pour la sécurité de l’organisation.

ISO 27001, ISO 27002, il y en a beaucoup comme ça ?

Dans la famille des ISO, beaucoup, vraiment beaucoup. En revanche pour la cybersécurité, ce sont bien ces deux-là qui sont les plus utilisées, avec l’ISO 27005 pour la gestion des risques (si c’est la protection des données qui vous intéresse, lisez aussi notre article sur la nouvelle venue ISO 27701).

La norme ISO 27001 apporte un cadre à la cybersécurité et vise à mettre en place un SMSI (Système de Management de la Sécurité de l’Information). Pour aider les organisations dans cette direction, elle est accompagnée de la norme ISO 27002 qui détaille les bonnes pratiques sécurité présentées dans l’annexe A de l’ISO 27001. La certification (le graal des OSE belges) porte sur la norme ISO 27001 mais les deux normes fonctionnent bien de pair.

La certification s’obtient sur un périmètre délimité d’un point de vue métier et IT sur lequel les principaux risques sont identifiés. Cette évaluation par les risques, mêlée à la prise en compte du contexte de l’organisation, aide à sélectionner les bonnes pratiques ISO 27002 pertinentes pour formaliser la Déclaration d’Applicabilité (DdA) et à exclure les contrôles qui ne sont pas applicables (attention à bien justifier ces exclusions : elles seront analysées par l’organisme de certification). Si on peut retirer des pratiques moins utiles, on peut aussi en rajouter d’autres : l’organisation peut ainsi compléter la liste existante des 114 mesures de sécurité au regard de ses risques. La norme ISO 27002 n’adresse pas l’exhaustivité des mesures de sécurité possibles. C’est là qu’une expertise cybersécurité prend tout son sens.

5 conseils pour trouver le bon équilibre et réussir sa mise en conformité ISO 27001

Bien entendu, vu dans son ensemble, un programme de mise en conformité à la norme ISO 27001 peut rapidement donner le vertige… Voici 5 réflexes à avoir en tête pour faciliter le lancement d’un SMSI et le maintien de ses performances dans le temps :

1. Identifier un sponsor investi au service de l’objectif de sécurisation. Comme pour le cinéma, il n’y a pas de film sans réalisateur, et pas de réalisateur sans le soutien du producteur. Le match parfait doit avoir pleine conscience de la valeur ajoutée de la mise en conformité à la norme ISO 27001 pour améliorer le niveau de sécurité, au-delà de la pure conformité au cadre légal. Il doit utiliser les cadres normatifs au profit d’un meilleur niveau de sécurité et doit donc voir ce projet comme un chantier de sécurisation plutôt qu’un chantier de conformité.

Implémenter un SMSI pérenne demande des ressources et moyens humains, organisationnels, physiques et financiers. Le pilotage du projet de mise en conformité ne fonctionnera que s’il est soutenu par un responsable qui a le pouvoir d’allouer les ressources et les moyens nécessaires pour piloter les risques et assurer un niveau de sécurité acceptable au regard des enjeux métier. Le respect de la directive NIS, à l’échelle européenne ou à l’échelle belge via une mise en conformité à la norme ISO 27001, constitue avant tout un moyen d’augmenter le niveau de sécurité et non une fin en soi.

2. Piloter par les risques. C’est la base de la sécurité ; le concept clé à toujours garder en tête. Ce pilotage permet d’identifier les risques du périmètre et de s’assurer que les enjeux métier sont bien pris en compte. La gestion des risques ne s’arrête pas à leur identification et au traitement initial. Elle demande la mobilisation des équipes et des activités pour traiter les risques existants et suivre l’évolution des risques (existants et nouveaux qui apparaissent) et leurs traitements, via une mise à jour périodique et lors d’évènements majeurs sur le périmètre.

Par la mise en place de cette démarche globale des risques, l’organisation s’assure une vision transverse des risques qui permet de focaliser les efforts des mesures de sécurité là où il y a le plus d’enjeux. Cette validation et cet arbitrage doivent se faire en concertation avec les propriétaires des risques (métier ou IT) qui portent la responsabilité du risque sur leurs périmètres et doivent se positionner sur les traitements possibles (acceptation, réduction, transfert ou évitement). Un pilotage affiné et resserré des risques permet ainsi de prendre de véritables décisions éclairées, par des acteurs parfois éloignés de la sécurité.

3. Constituer un référentiel documentaire pragmatique. Cette étape aide à définir et documenter les pratiques et ainsi favoriser la continuité des opérations, leur contrôle et leur amélioration continue. Cette documentation doit être le reflet de la réalité tout en assurant la cohérence avec les exigences de la norme ISO 27001 pour aider à définir les pratiques à mettre en œuvre et les gérer au quotidien (implémentation et mises à jour au gré des évolutions, etc.).

Les maîtres-mots lors de la constitution de ce référentiel sont pragmatisme et utilité : il doit s’intégrer à l’existant en complétant les procédures existantes et en en créant de nouvelles qui manquaient ; il ne doit pas compliquer inutilement la situation mais se baser sur une interprétation pertinente de la norme ; il doit être utile aux équipes qui assurent les activités pour permettre le maintien des opérations. Evitez donc les copier-coller des exigences des normes. Ils créent un référentiel inutile aux équipes terrain et attiseront la curiosité de vos auditeurs qui douteront alors de l’effectivité des mesures…

4. Évaluer régulièrement les performances. Tout système de management qui se respecte nécessite une boucle de contrôle pour évaluer ses performances et, dans le cas du SMSI, ses non-conformités à la norme ISO 27001 et au référentiel en place dans l’organisation (synthétisé dans la DdA). L’identification de ces non-conformités doit permettre de remonter jusqu’à leur source et d’initier la réflexion sur la meilleure manière de les gérer. La réflexion à mener doit porter sur la manière dont la non-conformité va être résolue pour assurer l’augmentation du niveau de sécurité tout en s’assurant que les mesures correspondent aux exigences de la norme et sont adaptées au contexte, aux risques et aux enjeux de l’organisation.

Les différents niveaux de contrôles (auto-contrôles par les équipes, audits internes/externes, revues de direction) doivent tous garder l’objectif d’amélioration du niveau de sécurité en tête en utilisant de manière pragmatique les exigences de la norme et le référentiel de l’entreprise, et au besoin faire évoluer ce dernier au regard de la réalité pratique de l’organisation. Il s’agit de trouver le bon équilibre entre le contexte de l’organisation et la gestion des risques identifiés. Si vos enjeux portent essentiellement sur la disponibilité d’une activité, focalisez vos efforts (mesures et contrôles) sur cet enjeu en priorité. Pour être pertinent, ce cycle d’évaluation doit distribuer les efforts sur les périmètres les plus pertinents pour l’organisation (selon ses risques et enjeux) et alimenter les prochaines étapes du cylce de vie du SMSI.

5. Engager les équipes. Un projet de mise en place d’un SMSI n’est pas uniquement l’apanage du RSSI ou d’une équipe de documentalistes. Il s’agit avant tout d’un projet d’envergure qui demande un large éventail d’expertises allant de la cybersécurité au business en passant par l’IT, le juridique, les achats, les ressources humaines, etc. C’est une véritable conduite du changement qui est à organiser avec l’implication pleine et complète des différentes équipes et du management de l’organisation pour assurer un SMSI qui sert l’amélioration durable du niveau de sécurité pour l’ensemble du périmètre.

La certification ISO 27001, oui mais pragmatique !

La véritable force de la certification ISO 27001 est avant tout d’enclencher une dynamique de sécurité dans l’organisation. La documentation peut certes alourdir les pratiques mais n’enlève rien de la philosophie d’amélioration continue du niveau de sécurité. Par l’apport d’un socle minimal pour la cybersécurité, sans définir des exigences strictes, la norme laisse à l’organisation le choix de placer le curseur sécurité à un niveau qui lui est adapté et d’obtenir des résultats positifs – à condition de s’entourer de bonnes personnes sensibilisées au sujet !

Traitée avec un regard critique et pragmatique, la norme apporte ainsi un cadre pour installer la gouvernance de la cybersécurité au sein de chaque organisation en mobilisant les concepts clés tout en laissant la marge nécessaire pour proposer des mesures complémentaires qui, ensemble, servent l’amélioration du niveau de sécurité.

Au-delà de l’approche traditionnelle de la conformité, la mise en conformité à la norme ISO 27001 doit servir de boîte à outils à toute les équipes et non constituer une fin en soi.

La liberté de mise en œuvre de la directive NIS au niveau européen offre un nouveau terrain d’expérimentation où se mêlent cultures différentes et visions divergentes de la cybersécurité. Seul l’avenir pourra nous dire ce qui fonctionne au niveau européen, mais l’approche belge démontre une nouvelle fois la culture du compromis entre cadre strict et liberté de mouvement. Pour les OSE belges comme pour les organismes de certification, l’inconnue demeure avant tout sur le positionnement du curseur entre les deux extrêmes.

Il leur faudra alors éviter une approche scolaire et mettre à profit une interprétation utile et pragmatique de la norme en gardant l’objectif final en tête : plus de cybersécurité.

Cet article OSE belges et ISO 27001 : quel chemin vers plus de cybersécurité ? est apparu en premier sur RiskInsight.

In a previous article, we told you all about the new European NIS directive and Belgium’s choice to use the ISO 27001 standard as a basis for increasing the security of Essential Service Operators (ESOs) with all that it entailed for the newly designated organizations.

A European directive does not mean a European regulation: it is therefore up to each member country to transpose the requirements of the NIS directive into its national law. Belgium has chosen to use an existing standard (ISO 27001), while some of its neighbours, including France, have chosen an approach based on the definition of a precise reference system of requirements combining both technical and governance measures (administrative IS, partitioning, approval process, etc.).

Today, let’s try to understand what it means for Belgian ESOs, and more broadly for all organizations attracted by international standards, to follow the requirements of ISO 27001.

The ISO 27001 standard, adulated by some and criticized by others

Some voices are rising up against the reference in the field, castigating in particular its bureaucratic aspect and its red tape which, however, can help to set up a useful reference system for the continuity of services and the training of people through the sharing of practices – especially when it is thought out pragmatically. Criticism is also rife about the added level of complexity, which is even more present for smaller structures. Here again, pragmatism is the rule, and measures must be adapted to the size of the organization and integrated into existing structures to avoid ex nihilo structures that are too cumbersome to manage.

Finally, some preconceptions have a hard time and often reduce ISO 27001 compliance to a list of checkboxes, with no real implications for the security of the organization. But the famous Declaration of Applicability (DoA), required by ISO 27001 for all those seeking certification, is not the same as listing all the controls of ISO 27002. It requires a real assessment regarding the issues and risks. This will provide concrete elements for the security of the organization.

ISO 27001, ISO 27002, are there many like that?

In the ISO family, a lot, really a lot. For cybersecurity, on the other hand, it is these two that are the most used, with ISO 27005 for risk management (if it is data protection that interests you, read also our article on the newcomer ISO 27701).

The ISO 27001 standard provides a framework for cybersecurity and aims to set up an ISMS (Information Security Management System). To help organizations in this direction, it is accompanied by the ISO 27002 standard which details the good security practices presented in Annex A of ISO 27001. The certification (the Belgian ESOs’ holy grail) is based on the ISO 27001 standard but the two standards work well together.

Certification is obtained on a perimeter defined from a business and IT point of view on which the main risks are identified. This risk assessment, combined with the consideration of the organization’s context, helps to select the relevant ISO 27002 good practices to formalize the Declaration of Applicability (DoA) and to exclude controls that are not applicable (be careful to justify these exclusions: they will be analyzed by the certification body). If less useful practices can be removed, other practices can also be added: the organization can thus complete the existing list of 114 security measures regarding its risks. The ISO 27002 standard does not address the exhaustiveness of possible security measures. This is where cybersecurity expertise comes into its own.

5 tips to find the right balance and achieve ISO 27001 compliance

Of course, seen as a whole, an ISO 27001 compliance program can quickly make you dizzy… Here are 5 reflexes to keep in mind to facilitate the launch of an ISMS and the maintenance of its performance over time:

1. Identify a sponsor invested in the service of the security objective. As with cinema, there is no film without a director, and no director without the support of the producer. The perfect match must be fully aware of the added value of compliance with ISO 27001 to improve the security level, beyond pure compliance with the legal framework. He must use normative frameworks for the benefit of a better security level and must therefore see this project as a security project rather than a compliance project.

Implementing a sustainable ISMS requires human, organizational, physical and financial resources and means. Steering the compliance project will only work if it is supported by a manager who has the authority to allocate the resources and means necessary to manage the risks and ensure an acceptable level of security regarding the business challenges. Compliance with the NIS directive, at European or Belgian level through compliance with the ISO 27001 standard, is above all a means of increasing the security level and not an end in itself.

2. Manage by risk. This is the basis of security; the key concept to always keep in mind. This management makes it possible to identify the risks within the perimeter and to ensure that the business challenges are considered. Risk management does not stop at the identification and initial treatment of risks. It requires the mobilization of teams and activities to deal with existing risks and monitor the evolution of risks (existing and new risks that emerge) and their treatment, through periodic updates and during major events within the scope.

By implementing this global approach to risks, the organization ensures a cross-functional vision of risks that allows it to focus its security measures where the stakes are highest. This validation and arbitration must be carried out in consultation with the owners of the risks (business or IT) who are responsible for the risk within their perimeters and must position themselves on the possible treatments (acceptance, reduction, transfer or avoidance). Refined and tightened risk management thus enables real, informed decisions to be taken, by players who are sometimes far removed from security.

3. Establish a pragmatic documentary repository. This step helps to define and document practices and thus promote business continuity, control and continuous improvement. This documentation must reflect reality while ensuring consistency with the requirements of the ISO 27001 standard to help define the practices to be implemented and manage them on a daily basis (implementation and updates as changes occur, etc.).

The key words when setting up this reference system are pragmatism and usefulness: it must be integrated into the existing system by completing existing procedures and creating new ones that were missing; it must not unnecessarily complicate the situation but be based on a relevant interpretation of the standard; it must be useful to the teams carrying out the activities to enable operations to be maintained. Therefore, avoid copying and pasting requirements from the standards. They create a useless referential for the field teams and will arouse the curiosity of your auditors who will then doubt the effectiveness of the measures…

4. Regularly evaluate performance. Any self-respecting management system requires a control loop to assess its performance and, in the case of ISMS, its non-compliance with the ISO 27001 standard and with the reference system in place in the organization (summarized in the DoA). The identification of these non-conformities must make it possible to trace them back to their source and initiate reflection on the best way to manage them. The reflection to be carried out must focus on how the non-conformity will be resolved to ensure an increase in the level of security while ensuring that the measures correspond to the requirements of the standard and are adapted to the context, the risks and the stakes of the organization.

The different levels of control (self-monitoring by the teams, internal/external audits, management reviews) must all keep the objective of improving the security level in mind by pragmatically using the requirements of the standard and the company’s reference framework, and if necessary, make the latter evolve in the light of the practical reality of the organization. It is a question of finding the right balance between the context of the organization and the management of the identified risks. If your challenges are mainly related to the availability of an activity, focus your efforts (measures and controls) on this issue as a priority. To be relevant, this assessment cycle must distribute efforts on the most relevant perimeters for the organization (according to its risks and impacts) and feed the next steps of the ISMS life cycle.

5. Engage the teams. An ISMS implementation project is not only the prerogative of the CISO or a team of documentalists. It is first and foremost a large-scale project that requires a wide range of expertise, from cyber security to business, IT, legal, procurement, human resources, etc. It is a real change management process that needs to be organized with the full and complete involvement of the various teams and the organization’s management to ensure an ISMS that serves the sustainable improvement of the security level for the entire perimeter.

ISO 27001 certification, yes but pragmatic!

The real strength of ISO 27001 certification is above all to trigger a security dynamic within the organization. Documentation can certainly make practices more cumbersome but does not detract from the philosophy of continuous improvement of the level of security. By providing a minimal basis for cybersecurity, without defining strict requirements, the standard leaves the organization the choice of placing the security cursor at a level that is suitable and to obtain positive results – as long as you surround yourself with good people who are aware of the topic.

Treated with a critical and pragmatic eye, the standard thus provides a framework for installing cybersecurity governance within each organization by mobilizing key concepts while leaving the necessary room to propose complementary measures that, together, serve to improve the level of security.

The free implementation of the NIS Directive at the European level offers a new testing ground where different cultures and different visions of cybersecurity are mixed. Only the future will be able to tell us what works at European level, but the Belgian approach once again demonstrates the culture of compromise between strict framework and freedom of movement. For Belgian ESOs and certification bodies alike, the unknown is above

Cet article Belgian ESO and ISO 27001: which way to more cyber security? est apparu en premier sur RiskInsight.

OSE, acteur clef des services essentiels économiques et sociétaux belges

Si votre organisation a été désignée comme OSE, c’est parce qu’elle fournit un ou plusieurs services essentiels au maintien d’activités sociétales et économiques critiques, pour la Belgique, et plus largement pour l’Union Européenne (UE). En effet, la Directive Européenne NIS publiée en 2016 (security of network and information systems – UE 2016/1148), a pour objectif d’assurer un niveau commun élevé de sécurité des réseaux et des systèmes d’information au sein de l’UE. Cette directive a été transposée dans le droit belge en mai 2019 et permet de désigner une entité publique ou privée comme OSE si elle répond aux critères suivants :

Depuis novembre 2019, les notifications de désignation s’établissent dans les secteurs de l’énergie, du transport aérien et de la finance. Le secteur de la santé, quant à lui, a annoncé qu’aucun OSE ne sera désigné en 2020.

Votre entreprise coche toutes ces cases ? Sachez que l’autorité sectorielle peut ajouter des critères spécifiques afin de juger du degré de criticité des services : par exemple, la part de marché de l’entreprise, ou l’ampleur de la zone géographique susceptible d’être touchée par un incident. (Loi 2019-04-07/15. Art.13).

Quelles obligations après sa notification ?

Être désigné OSE implique de protéger les systèmes d’information qui permettent la fourniture du ou des services essentiels identifiés. Sécuriser un service essentiel revient à s’assurer de la disponibilité, la confidentialité et l’intégrité des systèmes d’information dont il est tributaire (Loi 2019-04-07/15. Art.24). Pour ce faire, la Belgique demande aux OSE de faire certifier leurs systèmes d’information critiques à la norme ISO 27001 (Loi 2019-04-07/15. Art.22). Cette norme demande la création d’un Système de Management de la Sécurité de l’Information (SMSI) avec la mise en œuvre de processus et de mesures de sécurité.

Les principales étapes et échéances de la loi NIS belge

La Loi du 7 avril 2019 établissant un cadre pour la sécurité des réseaux et des systèmes d’information d’intérêt général pour la sécurité publique, dite Loi NIS belge, prévoit un délai de mise en conformité en 3 ans et 2 mois et demi maximum après la notification de désignation de l’OSE. La loi prévoit ainsi différentes étapes et échéances précises :

3 mois après la désignation, l’OSE doit fournir :

• Une description détaillée des systèmes d’information dont ses services essentiels sont tributaires. La toute première chose à faire est donc de délimiter le périmètre des services essentiels au niveau business et IT, (Loi 2019-04-07/15. Art.16)
• Un point de contact (Loi 2019-04-07/15. Art.23)

Au plus tard 12 mois après la notification de désignation : l’OSE initie une Politique de Sécurité Informatique (PSI) (rt.21) et réalise un premier audit interne sous 3 mois.

24 mois après le premier audit interne (soit environ 3 ans après la notification de désignation), c’est le grand jour : un audit externe doit être conduit en vue de l’obtention de la certification ISO 27001.

Comment se déroule une mise en conformité ISO 27001 ?

Comme tout système de management, le SMSI doit garantir l’application de la méthode PDCA « Plan-Do-Check-Act », aussi appelée « Roue de Deming », pour assurer l’amélioration continue des performances. 6 activités fondamentales se dégagent de la norme ISO 27001 :

De manière pragmatique, la norme ISO 27001 requiert des livrables et des validations à plusieurs étapes clefs du processus de mise en conformité. Ci-dessous, nous vous proposons une chronologie des actions à réaliser avec les livrables associés, ainsi qu’une estimation du temps nécessaire pour chaque étape du parcours de mise en conformité.

Plus précisément, les étapes se déroulent comme suit :

1 – Définition du périmètre (sous quelques semaines) : c’est la première étape clef pour déterminer le domaine d’application sur lequel les exigences de la norme vont porter. L’étendue du service essentiel est alors définie d’un point de vue business et IT, détaillant les activités, les équipes et les systèmes concernés.

2 – Phase de cadrage du SMSI (entre 2 et 6 mois) :

• 2.1 – Réaliser le bilan de conformité en comparant, sur le périmètre identifié, les pratiques réalisées aux exigences des normes ISO 27001 et ISO 27002 afin de relever les écarts. Le résultat de cette étape donne à la fois le niveau global de maturité de sécurité du périmètre et la feuille de route de mise en conformité par volet sécurité.
• 2.2 – Conduire l’analyse de risques. Cette étape se concrétise en trois actions.
• A – Définir la méthodologie de l’analyse de risques (si celle-ci n’existe pas). Afin de pouvoir piloter les risques dans la durée, elle doit être reproductible (mise à jour annuelle et en cas de changement majeur sur le périmètre). La méthodologie définit des échelles de probabilité, d’impact, et des seuils d’acceptation des risques en fonction des enjeux business et IT présents sur le périmètre du service essentiel.
• B – Conduire la 1ère analyse de risques sur le périmètre du service essentiel. Sur la base d’entretiens avec des interlocuteurs business et IT, l’analyse permet à la fois d’identifier les enjeux, les menaces et les vulnérabilités pour déterminer les risques du périmètre et permettre la définition du plan de traitement des risques.
• C – Déterminer le Plan de Traitements des Risques (PTR) destiné à organiser l’implémentation des mesures de sécurité. En collaboration avec l’équipe sécurité, les propriétaires de risques sont identifiés et doivent, pour chaque risque, décider du traitement (réduction, transfert ou acceptation) et valider le plan d’action associé. L’ensemble de ces mesures identifiées constitue le Plan de Traitement des Risques (PTR), établissant les traitements prioritaires à réaliser, en estimant notamment les ressources nécessaires et le planning de mise en oeuvre. Après validation des actions du PTR, le niveau de risques résiduels est alors complété dans l’analyse de risques.
• 2.3 – Valider le périmètre de certification. Cette étape met fin à la phase de cadrage et se concrétise par deux livrables : un descriptif précis du service essentiel du point de vue business et IT et la déclaration d’applicabilité (DdA). La DdA correspond à la liste des mesures de sécurité de la norme ISO 27002 retenues pour répondre aux besoins de mise en conformité du SMSI selon les enjeux et les risques identifiés. Pour les mesures non retenues, l’OSE doit justifier l’exclusion de ces mesures. La DdA sert par la suite de référentiel pour les audits.

3 – Phase d’implémentation (entre 9 mois et 2 ans selon le périmètre défini et le niveau de maturité de sécurité existant)

• 3.1 – Définir la PSI (Politique de Sécurité des Systèmes et des Réseaux d’Information). Ce document a deux fonctions : il sert à la fois à lister les grands objectifs de sécurité de l’information établis par l’organisation sur un périmètre donné ainsi que les mesures à mettre en place pour les réaliser, mais il fait aussi office de preuve d’engagement de l’entreprise à satisfaire les exigences de la norme et à œuvrer pour l’amélioration continue du SMSI. Ce document, une fois émis, doit être disponible et diffusé au sein de l’organisation et doit également être mis à disposition de toutes les parties prenantes.
• 3.2 – Définir, documenter et mettre en œuvre les processus clefs ISO 27001 : gestion des risques, gestion de l’exploitation, gestion des incidents, communication et sensibilisation, gestion du référentiel documentaire, gestion de l’amélioration continue, etc. Des pratiques à définir avec une attention particulière à les intégrer dans le contexte existant pour une meilleure appropriation par les équipes.
• 3.3 – Mettre en œuvre les chantiers sécurité selon le PTR
• 3.4 – Conduire un premier cycle de contrôle, à savoir : suivre les indicateurs de performance dans un tableau de bord et mesurer l’atteinte des objectifs de sécurité, réaliser des audits internes sur les périmètres à forts enjeux afin d’identifier les écarts entre les pratiques et les exigences de la norme et du référentiel du SMSI. Enfin, assurer la ou les premières revues de direction pour présenter les résultats du SMSI, valider les orientations et prendre les décisions pour traiter les non-conformités et opportunités d’amélioration continue (agenda prévu par la norme)
• 3.5 – Piloter l’amélioration continue du SMSI jusqu’à l’audit externe : au fur et à mesure des incidents, des résultats du tableau de bord et de ceux des audits internes, l’OSE identifie les non-conformités résiduelles et détecte les opportunités d’amélioration continue à faire valider par l’équipe SMSI

4 – Audit externe : c’est l’évaluation décisive pour l’obtention de la certification. Cette étape se décompose de façon prévisible en 3 actions : préparer les équipes à l’audit externe, participer à l’audit externe et… obtenir la certification !

L’audit externe est mené par un organisme de certification qui examine, sur la base des référentiels de la loi NIS belge (Loi 2019-04-07/15), de la norme ISO 27001, de la PSI et de la DdA validée par l’OSE, que les pratiques et la documentation sont bien conformes aux exigences indiquées et effectivement appliquées selon le principe de l’amélioration continue des systèmes de management.

Vous en savez désormais plus sur la Loi NIS belge et la norme ISO 27001, on espère que vous vous sentez plus armé pour mettre en oeuvre votre SMSI. Dans un prochain article, vous découvrirez quelques conseils issus de nos retours d’expérience pour réussir votre certification ISO 27001 et la maintenir dans la durée.

Cet article OSE belges : comment réussir votre mise en conformité NIS et obtenir votre certification ISO 27001 ? est apparu en premier sur RiskInsight.