A few French CISOs attended the first edition of Cyber Security Connect UK. We asked them about the event and how they view the work of British CISOs. Although their opinions differ somewhat on this second point, all really appreciated the opportunity to talk with their British counterparts.
Olivier Ligneul is Director of Cyber Security at Groupe EDF and Vice-President of CESIN
* English/French CISOs: Are they very different?
British CISOs are more product and solution oriented. They really focus on the heart of things with quantified goals (dashboards/KPIs, etc.). In France, the question is still "Why go see the Board?”, while the English are already at "How do we go see the Board?” On the business side, the Brits are very interested in identifying the "culprit". In France, we’re more interested in analysing the attacker’s logic. It’s a very different approach. We don’t work in the same way to express how we achieve objectives.
* What advice can CISOs on either side of the Channel give each other?
For the French, learn English. Otherwise, there’s no way to communicate with our British counterparts. It may seem minor, but it’s important. On the other hand, the British would benefit from something similar to the 2011 "back to basics" action promoted by ANSSI’s DG. A British approach that depends too much on the repository can be prejudicial if the repository is flawed. We could look to the British approach to learn to think more in terms of results and less on resources. However, neither the British nor the French wonder enough about what works well for the other. Greater use of benchmarks would help us better identify common issues.
* What did you take away from CSC UK?
Over these two days, I saw a very high level of maturity in visitors. There is mutual respect in the world of cyber security, a willingness to share and debate topics on which we can disagree without arguing. What really impressed me was the wide variety of topics the British are willing to share. Few subjects seem to be taboo and comments are welcomed as contributions and not criticism. I was pleased to represent the CESIN with our President because there are real areas of convergence with members of SASIG. We can make comparisons and cross contributions on the problems we encounter in large groups. This common French-British approach could help us evolve our points of view on the international level and help consolidate overall coherence in the cyber security strategy of international groups.