Security is not an obstacle

I hurry to laugh at everything, for fear of having to cry about it.
Pierre DAC


There are three main areas of information systems security (ISS): awareness, physical security and information technology (implementation ways).
About awareness, here is a small selection of sentences I have already heard over the past twenty years (unfortunately, this is not an exhaustive list):

  • Security is useless and expensive!
  • There’s nothing secret about what we do.
  • It’s complicated!
  • You’re frankly paranoid…
  • Regarding the complexity of passwords, we’re going to take it easy: first the password length and then we’ll diversify the alphabet.
  • A privacy filter? It is useless.

I spare you the far-fetched opinions on encryption, password complexity, unprotected backups without proof of integrity, exchange and storage of login/authenticator pairs, unlocked work sessions, etc. We all know an “expert” who knows everything about everything, who has an opinion about everything, who doesn’t work in the field but who talks about it ex professo, right?
Security (and by transition, awareness) is important since there are certain obligations – legal, contractual and in some cases, ethical obligations – but especially because there are risks (exponential growth of attacks in more than 10 years). We do not drive a car without brakes, right? In terms of ISS, cyber attacks are now a major challenge.
Indeed, the second report of the French Ministry of the Interior on the digital threat state in 2018 clearly shows that: “most companies are affected by cyber attacks; almost 80% of them reported at least one attack in 2017” ([01]). I hope that in 2017 the ransomware wave (and their disconcerting ease to infiltrate companies) alerted the public about the cyber world risks. Furthermore, it is clear that a cyber attack can also have more or less dramatic consequences on people (SME bankruptcies, suicides, etc.).
My goal is not to indulge myself in an anxious atmosphere, but it seems important to me that cybersecurity and the good practices arising therefrom are adopted by everyone. Today, it is inconceivable that the state-of-the-art rules are not adopted, especially in the professional environment. The role of a CISO is to set the rules in the organization, with the approval of the Management.
It must be noted that we must be in a continuous defensive position, the attacker (who may come from the inside, it is not necessarily a bearded man with a metal T-shirt skilfully trained in camouflage and intrusion techniques) will take advantage of our weaknesses to “hit” where he wants and when he wants. So, let’s not make it easier for him and not offer ourselves to him without defending ourselves, shall we?
Indeed, cyber attacks do not happen magically. Security is like everything else, it can be learned from a very early age. Then, it must be maintained. Therefore, reminders must often be made…
I recognize that today, compared to twenty years ago, in the management departments of SMEs and large groups, they are talking less about the cost of ISS but rather about ISS investment.
Cybersecurity is not very complicated (with all due respect to some people). Its objective is not to stop you from working, nor to complicate your life, but to protect you and your organization’s information assets (source code, customer data, accounting data, etc.).
In the personal context, you can act as you wish (this is not my problem, as long as there is a real separation with the professional context) but, in the professional environment, you must follow the rules dictated by a trained and generally competent professional.
For the reader who has reached the end of my diatribe, here are some common sense tips:

  • Listen to the CISO because he is not the enemy of users
  • Do not curse the CISO because he has removed administrator rights from users
  • Love the CISO because he sweats blood and water for his users

References
[01] https://www.interieur.gouv.fr/content/download/110309/879759/file/rapport-etat-menace-2018-vf.pdf