The Digital Transformation and the Role of the CISO
Cybersecurity needs to be at the heart of the digital transformation, but organisational models will have to evolve
Cybersecurity is in the process of becoming an essential component of any organisation’s digital transformation journey. There is no way around this, especially as policymakers start dipping their toes into privacy and security issues, and societal norms are shifting on the topic.
But increasingly, security and privacy are becoming intertwined, and it makes little sense from a corporate governance perspective to allow a new privacy organisation under a DPO to grow in parallel to – or in conflict with – existing security structures.
JC Gaillard, former CISO and leading consultant and expert on the topic, re-examines how to organise and manage security in large firms, to face major digital transformation challenges and in the wake of the GDPR.
Cyber Security: The Lost Decade
A Security Governance Handbook for the CISO and the CIO
This is a compilation of the best cyber security management, organisation and governance articles published on the Corix Partners blog between 2015 and 2017.
They offer a truly alternative view on how to organise and manage security in large firms, inspired by the direct field experience of their author JC Gaillard, former CISO and leading consultant and expert on the topic.
35 easy-to-read, bitesize articles which cover all key managerial aspects around information security, from the reporting line of the CISO to the role of the Board, and how to make it work in real life.
Revue TELECOM 185 – Editorial by Jean-Christophe Gaillard
For several months, social networks and the Internet have been flooded with an immense quantity of articles and content on the theme of the General Data Protection Regulation (GDPR), the new European regulation on the protection of personal data, which will come into force on 25 May 2018.
Lawyers, consulting firms large and small, and even software vendors and IT service providers are rushing into the segment, and indeed the new regulation has the capacity to be a genuine catalyst around personal data protection and security.
It sits in a context where the personal data of consumers and citizens is becoming an economic and political issue of the first order.
But it is essential to place it in the right context and to go beyond short-termist clichés.
Bridging the Gap Between IT Security and IT Operations
Life for a CISO could be better. Too many today look out over a landscape overrun by poorly-deployed security tools consuming too many scarce resources, and a dynamic between IT and security that is skeptical at best and distrustful at worst.
Ransomware: 5 practical tips to deal with attacks, and why good practices matter more than ever
Ransomware attacks have become one of the most dominant forms of cyber-attack over the past few years. There is no doubt that these can be very disruptive, especially when targeting key systems, critical data, or large populations of senior executives who have to be given emergency – secure – replacement devices to continue working, and who might have lost highly valuable or sensitive data in the attack. For large firms, losses can easily run into the tens of millions by the time everything is added up. At the other end of the scale, there are also many ransomware attacks targeting isolated users with low ransoms, which as a result often get paid “to get rid of the problem quickly” so that the affected individual can resume normal work.
Cyber insurance: what do you think you’re buying?
In reality, the market is still maturing and presents significant blockages that are confusing brokers, underwriters and regulators, and may limit the value many clients can get from these products.
The board strikes back
Recent data breaches have scared Board members – in particular the TalkTalk incident in October 2015, and the aggressive media coverage that surrounded it.
Still, even in response to Board level demands, many large organisations continue to focus on IT point solutions, looking for some imaginary tactical silver bullet that would make the problem disappear.
In our opinion, this is a problem deeply rooted in corporate governance, organisational and cultural matters, which requires a fundamental rethinking and rewiring of information security practices, driven by the Board itself.
This article from Corix Partners was featured in the New Statesman Cyber Security supplement published on 26th February 2016. Other contributors to the supplement included Ed Vaizey, minister for the Digital Economy; Malcolm Marshall, global leader for cyber security at KPMG and Dr Adrian Davis, managing director for Europe, Middle East and Africa at (ISC)2.
4 Tips for CIOs to Deal Efficiently with Shadow IT
Dealing with Shadow IT embodies the evolution of the role of the CIO, from being primarily a technologist and a problem solver to being an influencer and a risk manager. Thinking about Shadow IT as a “problem” and something that should be banned is not the right start. Embracing it without controls as the way forward is equally wrong. This is just part of a different way of working around technology and security.
Cyber Security: Board of Directors Need to ask the Real Questions
In August 2014, the US-based Institute of Internal Auditors Research Foundation published (together with ISACA at their 2014 GRC joint conference) a research report focused on what the Board of Directors needs to ask in relation to Cyber Security.
As we approach the 2015 GRC Conference – to be held in Phoenix, AZ on 17-19 August – J.C. Gaillard of Corix Partners offers his views on the 2014 report, and his own take on the key questions the Board of Directors should consider around Cyber Security.
More Control, Less Risk
This article discusses the importance of technologists focusing more on threats and controls and less on risk in order to build an effective Cyber Security Practice.
It shines a light on the typically risk-focused nature of the industry and why shifting that focus onto the implementation of effective controls to protect an organisation against real threats is key to effective Cyber Security. It also discusses the disconnect in viewpoints between technologists and business users – and how this can lead to a dangerous position, whereby an organisation develops a false sense of protection against cyber threats and cyber-crime.