Ransomware attacks have quadrupled in one year, according to the National Information Systems Security Agency (ANSSI). This criminal activity has been revived by the health crisis and the massive use of online teleworking tools. Faced with these threats, companies must adapt their security strategy, but that alone is not enough: all of their governance needs to be rethought. Henri Puissant*, specialist in IS organization, and Yann-Eric Devars*, consultant in enterprise architecture, both ORSYS trainers, bring us their expertise to begin this transformation of systems and practices.

While the massive entry of companies into the cybersphere opens new horizons and gives rise to numerous innovations, it also puts corporate governance to the test, particularly in terms of security. After data thefts, ransomware (hospitals, administrations, companies), cyber espionage (the SolarWinds affair, etc.) and infrastructure attacks (the Oldsmar drinking water plant, etc.), the leaders of countries, administrations and companies are measuring the fragility of their organizations and becoming aware, or being pushed by the authorities to become aware, of the need to control the architecture of their organizations and information systems.
State governance disrupted by cyber threats
At the turn of the 1990s, like Christopher Columbus approaching America, Timothy John Berners-Lee gained a foothold in the cybersphere by creating the World Wide Web. He did not imagine the fate that would befall his discovery: the emergence of GAFA, Cambridge Analytica, ransomware, etc.
58 years after the discovery of America, Charles V brought together jurists and theologians in Valladolid to determine the rules of colonization, that is to say the way in which the Indians could be subjugated and converted. Likewise, 30 years after the discovery of the web, Sir Timothy John Berners-Lee, long-time president of the W3C, the technical regulator of the Web, promotes a contract proposing behavioral rules to web actors so that the web remains a public good serving humanity.
In Valladolid nothing had really been decided between ethics and interest. It is to be feared that the same will be true of Sir Timothy John Berners-Lee's initiative and that new balances will have to be established over time. States have great difficulty establishing laws and regulating the Internet, which extends beyond them. They are already facing cyberattacks there: Estonia hit by denial of service, Iran and the centrifuge affair, the USA and the SolarWinds affair, to name just a few. States equip themselves with means of defense, impose constraints on certain areas of activity (health, energy, food, water management, etc.) and thus designate Operators of Vital Importance (OVI) in order to preserve their operations and their citizens.
Corporate governance in turn affected by cybercrime
As with states, the voyage of companies towards these new horizons is dangerous. At the helm of companies, leaders must face real storms. According to the academician Michel Serres, “to govern” is to know where you come from, where you have been and where you are, and consequently to know the logbook and the condition of the ship well. But it also means knowing where you are going and adapting your route according to the state of the ship and its ecosystem. So how do you develop a strategy? What risks will we have to face? What legal, socio-technical and environmental constraints must be respected? What organization should be put in place? How can we create a dashboard that reports on the state of the company in its ecosystem and allows it to be managed effectively?
All these questions call for the following answers: the development of governance principles relating to strategy, acquisitions, performance, compliance with laws and regulations, human behavior and responsibilities; in-depth knowledge of the company's ecosystem; and mastery of enterprise architecture combined with deep reflection about it.
Thoughts about architecture
Is the system capable of achieving strategic objectives and quickly adapting to changes in the ecosystem? Is it able to face the risks that will arise, and does it have defensive means? Does it have a structure giving it the resilience, flexibility and agility needed to resist? Advances in Moore's Law and software engineering make new architectures possible. However, the SolarWinds affair demonstrates the current naivety of certain company and government managements, which integrate open (open source) or proprietary systems without controlling the risks involved. This case, like the shortages resulting from the COVID crisis, shows how strategic outsourcing is, at a time when the cybersphere offers companies many opportunities to call on external services to improve their value chain.
Thoughts about management
But one does not govern chaos! How should crew management be organized so that the company adapts to its new ecosystem and survives? Mastery of business processes is essential. Isn't the role of the IT department to inject information and telecommunications technologies, in collaboration with the company's business units? It is therefore futile to talk separately about information system governance and corporate governance, the two being intimately linked. To quote Nicholas Carr, what matters is business: “IT doesn't matter”! Moreover, when it comes to IT, can we still talk only about Information Systems when, with AI, robots and connected objects, IT takes charge of many business processes and becomes an effector on the real world, as the Oldsmar affair illustrates?
Changes in behavior
CIOs, who have until now too often been “technocentric”, must redirect their action towards creating value for the company and participate in the development of its strategy. Conversely, technology and information systems have become so important to achieving business objectives that they can no longer be considered solely as means of reaching objectives that have already been identified. Company management, the IT department and business unit management must therefore work in close collaboration. This is why establishing Business Relationship Managers is an essential organizational device to increase collaboration between all stakeholders in the company, develop collective intelligence and thus improve governance.
Governance: developing your capabilities through training
Training is an essential key to unlocking these three locks (architecture, management and behavior). I-Training and Services has developed and runs four seminars published exclusively by ORSYS: one on the concept of governance and its organization, the second on enterprise architecture, the third on adapting the company to digital challenges, and the fourth on Business Relationship Management. These seminars are then broken down into two practical courses: the development of a dashboard and mastery of enterprise architecture. They use the standards and best practices in these areas and share their speakers' experience with the participants. Our other cybersecurity courses complete this vaccination schedule against these virtual, but very real, threats.