How do you govern a company in the face of cyberthreats?

By Henri Puissant, IS structure specialist, and Yann-Eric Devars, enterprise architecture consultant, both ORSYS trainers

Ransomware attacks have increased fourfold in one year, according to the French National Agency for Information System Security (ANSSI). This crime has been given new life by the pandemic and the massive use of online telecommuting tools. Faced with these threats, companies must not only adapt their security strategy, but also go further. Their entire approach to governance must be rethought.

How corporate governance is affected by cybercrime

Much like governments, companies too face perils as they navigate these new horizons. Corporate leaders at the helm must confront real storms. According to the academic Michel Serres, "to govern" is to know where one comes from, where one has been, where one is and, consequently, to know the ship’s logbook and condition well. But it also means knowing where you are going and adapting your route based on the state of the vessel and its surroundings. So how do you develop a strategy? What risks will you face? What legal, social/technical, and environmental constraints must be respected? What structure should be put in place? How do you build a dashboard that reports on the state of the company within its ecosystem and allows it to be effectively managed? The answers are clear: Developing governance principles relating to strategy, acquisitions, performance, compliance with laws and regulations, human behaviour and responsibilities; in-depth knowledge of the company's ecosystem; mastery of the company's architecture combined with thorough reflection about it.

Thoughts on architecture

Is the system capable of meeting strategic objectives and adapting quickly to changes in the ecosystem? Is it capable of dealing with the risks that will arise and does it have the means to defend itself? Does it have a structure that gives it the resilience, flexibility, and agility to resist? Advances in Moore's law and software engineering have made new architectures possible. However, the SolarWinds affair demonstrates the current naivety of certain corporate and government leaders who choose to integrate open-source or proprietary systems without limiting the risks involved. SolarWinds, like the shortages resulting from the COVID crisis, shows how valuable outsourcing can be, as a strategy, because the digital world offers companies many opportunities to use external services to improve their value chain.

Thoughts on management

But chaos can't be governed! How do you organize the management of the crew so that the company adapts to its new ecosystem and survives it? Proficiency in business processes is a must. Isn't the role of the IT department to inject information and telecommunication technologies, in collaboration with the company's business lines? Because of this, it's pointless to speak separately of Information System governance and corporate governance, as the two are intimately linked.

Behavioural changes are needed

CIOs, who until now have too often been "technocentric", must reorient their actions towards creating value for the company and participating in the development of its strategy. Conversely, technology and information systems have become so important to the achievement of business objectives that they can no longer be considered only as means to achieve already-identified objectives. For these reasons, corporate management, the IT department, and the business unit managers must work closely together. This is why appointing business relationship managers is an essential organisational method to increase collaboration between everyone at the company, develop collective intelligence, and thereby improve governance.

Going further: Developing your skills through training

Training is key to unlocking these three locks (architecture, management, and behaviour). With ORSYS, we run four exclusive seminars on the theme of "Governance": One on the concept of governance and its structure, the second on enterprise architecture, the third on adapting the company to the challenges of digital technology, and the fourth on business relationship management. These seminars are then broken down into two hands-on courses: Developing a dashboard and mastering the company's architecture. They teach about the standards and best practices in these fields, and share with participants the experience of people who have applied them. Our other cybersecurity training courses complete this vaccination campaign against these virtual, but very real threats.
