Many companies, particularly SMEs and mid-sized enterprises (ETIs, "entreprises de taille intermédiaire"), are highly exposed to cybersecurity threats. To manage cyber risk effectively and sustainably, an organization needs a dedicated security and IT expert: the Chief Information Security Officer (CISO), or Responsable de la Sécurité des Systèmes d'Information (RSSI) in French. This professional must understand the business and its challenges in order to lead the essential initiatives and align security activities with the company's priorities.


An Acceleration of Cyber Risk

Cybersecurity: What Are the Stakes for Companies?

  • Growing professionalism of cybercriminals
  • Financial risks arising from the malicious use of data
  • Digitalization of numerous processes that involve sensitive data
  • Lack of knowledge of the measures and means to deploy against these malicious actors

This risk has become even more significant with the accelerated digitalization of recent years. While digital transformation has allowed companies to capture new markets and respond more flexibly to stakeholder needs, it has simultaneously widened their attack surface and thus their exposure to cybercrime. As a result, the proportion of companies attacked, both in France and internationally, continues to rise year after year, and the consequences of these attacks are becoming increasingly severe.

Furthermore, new regulations, including the GDPR (General Data Protection Regulation), have increased the impact of cybersecurity incidents. For a GDPR breach, a company can be fined up to 4% of its global annual turnover or 20 million euros, whichever is higher. In addition, these incidents create a reputational risk if they are relayed by the media or on social networks.


Securing Your Information Systems: A Strategic Priority

According to the Hiscox / Forrester Consulting 2021 Cyber Risk Report, one in six companies reports that its survival was threatened after suffering a cyber attack. In this context, cybersecurity has become a major issue. Many companies now treat it as a priority, which is reflected in increased investment, especially in security tools. However, a significant gap remains for many of them: the management of security itself. The CISO has therefore become a highly sought-after resource. Unfortunately, because demand is high and the field was historically under-prioritized, this kind of profile is scarce.

[Figure: exposure to cyber risk]


CISO: What Profiles and Skills Are Required?

The CISO must blend technical and business expertise:

  • They must understand the business environment, its challenges and risks, as well as the company's IT organization, in order to define security objectives and the associated measures.
  • They must also have a solid foundation in governance and organization, so as to embed security within the company in a sustainable manner.
  • They must understand the legal environment and its security implications (e.g., GDPR).
  • Finally, they should be good communicators, able to discuss security matters with executives, employees, and technicians alike.

Because such profiles are rare, many economic players face significant difficulties in recruiting or retaining their security management resources. For other companies, their size and security needs do not justify hiring a full-time resource. In light of these challenges, outsourcing the CISO role becomes a viable option.


Outsourcing the CISO Role: A Response to Urgency

Outsourced CISO: What Are the Benefits for Companies?

  • Quickly gain expertise on the subject in a context of high demand,
  • Leverage experienced resources specializing in a range of security-related topics,
  • Keep internal teams focused on core business activities with higher added value,
  • Better manage the balance between risks and investment: the company allocates a budget for a defined scope of intervention that meets its needs,
  • Adapt the mission to the scale and pace required to achieve your security objectives,
  • Have an expert to call on in case of emergency, "security on demand."

This outsourced model can also be seen as a transitional arrangement, involving internal staff and gradually upskilling them so that the company can achieve greater autonomy in managing its security in the medium term.

Thus, in the face of an urgent need and a lack of immediate solutions, outsourcing security is an alternative that many companies/organizations can consider to control cyber risk.


RSM can support you in the governance of your cyber risk, acting as your outsourced CISO, by:

  • Assessing your risk (including IT risks) in relation to your exposure and maturity.
  • Formalizing your cybersecurity optimization roadmap.
  • Monitoring and controlling remediation actions and your security level.