Interviewed By The Asian Banker Live
Stephane Nappo, global chief information security officer, Societe General, spoke about cybersecurity best practices and how financial institutions can effectively protect the information entrusted to them by customers
My name is Stefan Nappo I am the Global CISO (Chief Information Security Officer) of the international part of Société Générale Group. This is a large French banking group, and in this part of international group, I work with 300people in security team and 65 CISOs in 67 countries. And I would like to share with you some pragmatic messages. First of all, for me, it’s a true honour and a great pleasure to be with you from France with China. And from the rest of the world, we too much often see China only with the threat aspect and we not enough underline the many, many people that are working to protect the finance because China is important for finance today. Okay. We will start with a little journey about the digital innovation because the future of finance will be innovation.
This is our amazing world today. This is not tomorrow; this is only today, okay? I believe, personally, that with an important respect for confidence, I believe that security officer must share more than hacker today, okay? I am global security officer in many, many countries and I would like to share with you some obvious but pragmatic and precious and invaluable messages. The first one, in term of innovation, innovation is amazing. It’s new service, but innovation must comply with regulation and with security. And with the threat is the sustainability. Keep in mind that, for innovation have been hacked, okay? And all have been hacked. No innovation is immune to cyber-hacking.
Another point. Faster and sometime more fraudster. Okay. We need to implement more security in project. This is not a gadget; this is a necessity to ensure the sustainability of the service, okay? The return of investment must include the possibility of a fraud or [inaudible]. Technology is a useful servant but a dangerous master,? That will be our challenge in France, in China, in America, in Africa, in Australia. And at what cost level? To master the technology and never to reduce the service for the customer. But to maintain the trust of the customer, the confidence, we need to master the technology and security is, today, the most important tool. This is not the most goal of the enterprise, but that must be the most important tool today.
We often see the innovation like that, okay? [Inaudible], okay? The reality is just at the right balance between both, okay, with a matter of security. Okay? This is not “Terminator” and Skynet. Okay? We work a lot to stop with that, and that won’t be, as well, [inaudible] only. Okay? We need to secure service. It was the case with brick and mortar in outlets, and today, it just different, but it’s just with software application. Just a little question for you, I will answer on my side, that – what are the main type of risk, what it could be? This is very simple. The main type of risk at the beginning, for board member, for government, for company, for people, is to think they don’t exist. Okay? We need to be aware about the existence, the reality of the threat, okay?
The other risk is to be only a tech guy and to try to treat all the risk; that zero risk does not exist, okay? We have choice to make and align this choice with the state of the enterprise. For sure, security is much more than an idea. More than ever, C-level are involved. You have picture here. [Inaudible], big CEO, could have concern due to cyber-security, okay? No [inaudible] about that. This is really important. Finance is based on what? Finance is not based on digital. Finance is not based on finance. Finance is based on trust, confidence of the customer. No confidence, no customer, no more business. Okay. Today, security is a confidence [inaudible] [00:08:15] for finance, okay? Keep in mind, it takes 20 years to build a reputation and just a few minutes of a cyber issue to wreck it. Keep that in mind and use and reuse this message.
Another important message. We just have the luck on our side. Little garden in China, in France, in America. “How is my IT? How is my identity and access management and so on and so forth?” Yes, we have to work on defense, but offense exists. And for defense, for us in finance, it’s just a save money topic; for defense, it’s a [inaudible], it’s a make-money topic, okay?
They achieved the digital transition on the dark side of the mirror, okay? With crime as a service, [inaudible] supermarket in Russia and Romania, in Asia, in France as well, with $15 for [inaudible] for a week, okay? That costs millions for us to protect on defense sides, $15 to $30 to attack. It’s a national [inaudible] fight. It’s why we have to integrate that new dimension, okay? There are tailored malware to attack your bank, to attack your insurance company, your office, you personally, okay? And that costs nothing, okay? It’s a new order of crime. [Inaudible] offense, last sentence. This is no more a direct attack; this is today a clean business. They don’t want your money. If you are not banker, you are target. They want information to sell it through Internet to your teenager, to your child to buy a video game with a false, a fake card number, for example. Okay?
This is a clean business today. They don’t want to have a [inaudible] hunt, okay? They want information to resell it after. And keep in mind, information has a huge value for the market. How to secure innovation, quickly. This is not an end-line [inaudible], okay? We have to act as a symbiotic [inaudible], okay? Business has to involve security, but security must disrupt this [inaudible], okay? What is digital business today? For sure, we have regulation, with [inaudible], with target, with [inaudible], but digital business is service, innovation, convenient, success, and confidence. If you don’t think the same, you will have the [inaudible]. Okay? Everybody is aware about the Facebook issue. We have to maintain the data privacy in line with [inaudible] central bank regulation and the laws and in line with the customer confidence at your level and at your third party and partner level.
Offense, this is not complicated. You, we, all create opportunity for the offense, okay? To fight and to face, to cope with the offense is not complicated. You offer 80 percent of the offense opportunity with bad vulnerability management, okay, with bad batch management [inaudible]. I would like to share with you pragmatic risk approach. We work with many, many academic risk approach; it’s like scientist on my team as well. But this is necessary to share with you a pragmatic one. This is not only a question, a matter of threat in the house and your bank and your company; this is for driver, for threats. Business evolution, compliance, technology evolution, and [inaudible]. And not only [inaudible], and how to have the good response to that, to have the – a good framework with prevention, detection, reaction, and recovery.
And keep in mind, prevention. I’m sorry for the mistakes, but this is the reality, prevention is not able to know in advance the road map of the hacker. It’s why we have to limit prevention to all the known risk: vulnerability management, access-right management, and so on and so forth, and compliance, for sure. But detection, reaction is today the key, and we have one slice of cheese with recovery of your company. After one [inaudible] [00:13:18] worldwide attack, you must be able to reboot your company, your data and your service and your software quick. Okay, we are quite at the end. Please, stop with the retrospective vision of the risk, okay? For your operational risk management this is important, but for the cyber-crime, all the risk are in front of the car. Okay? Just an example. In a huge banking group, average, the risks from the past incident, k€50. Okay?
And the reality with risk analysis based on real scenario, like Sony, like [inaudible] and the reality of our weak system, this is €300 million. The amount is really different. And that will help you to obtain budget in your company with your [inaudible] lender. Please think, risk are in front of the car, not in the rear mirror of your company. Okay, and we have to adapt [inaudible] security, okay? It’s a question of [inaudible]. It’s not during the project you have to act with security, it’s before with clear [inaudible]. What is access management, what is data protection in a company and so on and so forth, and what are the law to comply with? It’s a question of financial cycle, okay?
It’s not just before the “go live” we have the risk and after. It’s when we will have many, many customer plopped on your service with many, many amount; with big amount of money. Okay? Security is a question of financial stake, and we have to stop with the linear project mode, with the same moves. We will go to go live, we will go in protection, and we have to adopt a continued development of security. It’s like a [inaudible] for the car; at the left side you have the security definition. When the car is ready, I think, with a good level of [inaudible] risk, the business could accept or not accept, and the new paradigm is here. We work not only with “go or no-go”. Okay, we work with “go, try, or no-go”. This is an iteration process, okay? The role of the ciseau is no more the policeman; this is a dieticianof the risk. And risk appetite is a matter of flow and regulation.
And your ciseau is no more the policeman with [inaudible], yes. The ciseau must be a dietician of the risk. “This risk is toxic, this risk is acceptable, this risk, no problem.” Okay. Okay, last message. Security must achieve from the supply chain, your IT. To the value chain, to your club, to Azure, to Amazon, and so on and so forth. Okay? And keep in mind that the human being is the key for today. Almost 90 percent of cyber-attack are caused by the human error, IT [inaudible]. I am [inaudible] by the phone on social engineering and so on and so forth. 90 percent. And despite of this very, very important threat, we continue to invest only in IT and not enough in human being. And it’s not only a question of [inaudible]; it’s a question of culture, with precise procedure. Okay?
We have rule, we [inaudible], we need to complete the framework with precise procedure. [Inaudible], you don’t have only – yes, this is risky to [inaudible]. You have the procedure. Okay? To stop with incident and with threat in the [inaudible], okay? Anticipation. Okay? I would like to thank you for this journey with you; and matter for me was to share with you some pragmatic messages because we have all the same IT, we have all the same threat, by threat and trends, and we need to share approaches. Thank you very much.