Q & A Round with Stephane Lenco (Chief Executive Officer, Thales)

by Black Hat Middle East and Africa

What is the hot topic of the year in the current cyber landscape?

It feels like the WB cartoon “Pinky and the Brain”: “What’s the topic of the year, Brain?” “Why, ransomware taking over the world, Pinky!” More seriously, the evolution of ransomware TTPs, cross-feeding with intelligence-focused groups as a cover-up or extra money-making, and so many variants.

What are some of the biggest threats that are not being talked about enough?

Traditionally, a lot of cyber professionals are focused on Confidentiality. With the ever-increasing amount of IoT and IT in our lives, we depend on those systems working (at all) and as intended... I think every threat that goes after Availability is significant to our daily life for the coming future. Think of connected cities, hospital systems, water treatment.

How do you react to constantly changing threats in the market?

It’s a never-ending race. Jules Verne, in his book “From the Earth to the Moon”, depicted the constant fight of ammunition manufacturers against plating manufacturers. That arms race can’t be won. The primary focus is most definitely to get the proverbial 80% out of your way by doing (sometimes basic) hygiene, and to work your most feared events or threat actors up to find appropriate detection & response. It’s more about risk management and resilience, the ability to respond quickly and reduce impact, than preventing the event.

How do you quantify risk?

That really depends on your business stakeholder. Of course, money is a common comparison scale, but I found that expressing the risk quantity through feared scenarios (time, amount of media exposure, market loss) is more meaningful. To do that, partnering with said business stakeholder to get the “scale” and scale “unit” right from the start is imperative.

In the event of a data breach, what is your response plan?

General Eisenhower famously said “Plans are nothing. Planning is everything”, and General Patton wisely said that “no plan survives contact with the enemy”. Action One of the response plan is applying the procedure to set up the crisis team with the relevant people and support logistics. While the plan is written as part of the procedure and widely shared among your company, it’s what the crisis team does, adjusts to the “enemy” at hand and lays out as planning that is crucial. Action Two is to follow the crisis team lead’s decisions and ensure continuous communication with management and stakeholders. At the end of your incident, don’t forget to feed the postmortem analysis outputs back into your plan. Of course, in relevant cases the DPO is notified, as well as supervisory authorities without undue delay, and affected individuals are informed, as the procedure should lay out clearly!

What are some of your favorite "new" technologies or tools?

Definitely a mainstay for me is a trusty Kali Linux distribution tucked somewhere. And Visual Studio Code for viewing / editing stuff, which replaced Vi and Emacs. It feels MacGyver-ish to say that, but that’s my set of trusty Swiss army knives I’ve never left behind through my jobs... and they’re still new and shiny to me!

What are some of the key components to succeeding as a CISO in today’s business environment?

Most definitely KNOWING your own business environment: what matters to the business you’re in, company priorities, risk appetite. CISO is a hot role (to me at least) because it is NOT generic and interchangeable. Your next success factor is to be understandable, doing away with the jargon, materializing risk. Ultimately, being helpful as opposed to a perceived blocker or naysayer.

What are the three things that you as CISO look at first to assess an organization’s cybersecurity readiness?

- Do you have someone appointed to deal with cybersecurity?
- Do you have a response plan / procedure in case of a cyber event? (Including customer notification, backup plans, etc.)
- Have you already experienced a cyber incident (no matter what size, nature, exposure)?

If you had a time machine, what advice would you give yourself at the beginning of your career in cyber?

“Be bolder! Cyber will become a major topic in your life and the life of everyone. You get a chance to contribute to shaping it, don’t be shy. You’ll love it!”

You are set to take the stage at Black Hat MEA this November. What can our audience expect from your session, and what are you most excited about?

Black Hat is a fantastic set of events with top-notch speakers! Doing round tables with peers opens up minds, pushes new ideas or makes them more tangible with the actual “real life” experiences you share. Cybersecurity is a team sport, and getting to such an “All Stars Team” is a treat both for players and the audience. I know I’ll absolutely enjoy talking about “maturity” in cyber!
