and legal services;

       – Annick Rimlinger, Executive Director of the CDSE (Club des directeurs de sécurité et sûreté des entreprises), founding member of Cercle K2 and member of the board of directors of Hack Academy;

       – Éliane Rouyer, independent director, President of the Audit Committee and member of the Compensation Committee of Legrand, independent director of Vigéo Eiris.

      I would like to thank all these speakers for their contributions and support, as well as Marc Triboulet (my teammate from HEC Gouvernance, with whom this round table cycle was initiated).

      Marie DE FRÉMINVILLE

      December 2019

      Why not assess the cyber performance of companies in the same way as their financial and non-financial performance (governance and CSR – corporate social responsibility)?

      Why not certify the cyber performance of companies in the same way as their financial performance via auditors, whose intervention is mandatory for companies of a certain size?

      Despite some progress, the vast majority of shareholders, and therefore the board of directors and management, are primarily interested in the company’s financial performance.

      However, the digital age is introducing upheavals in the company and in its ecosystem. Indeed, the “all-digital” concerns all stakeholders, administration, public services and national and international infrastructures, defense and intelligence services.

      We have reached a point of no return, one that offers important opportunities but is also a source of fragility and major risks, particularly because cyber threat actors are becoming more professional and have significant resources to defraud, spy and sabotage.

      There is no such thing as zero risk, but a board of directors would be considered negligent if it took no action on the company’s cybersecurity and an attack then had significant consequences for the company’s proper functioning, profitability and reputation.

      Financial performance should therefore no longer be the only priority. Financial performance and cyber performance should now be the two priorities of corporate governance bodies.

      Should we therefore reinvent the governance body designated by the national actions, namely its competences, its functioning, its agenda and its partners?

      For 50 years, we have been wading through a technological tsunami:

       – 1970: mainframe;

       – 1980: PC (Personal Computer) and client/server;

       – 1990: Internet and e-commerce;

       – 2000–2010: mobile and cloud;

       – 2010–2020: Internet of Things and artificial intelligence;

       – 2020–2030: quantum computing and blockchain.

      The digital world is borderless and immaterial, and the threats are invisible.

      Digital and related new technologies are transforming the way companies operate and business models.

      The main cyber-risks are risks of malfunctioning of the industrial or commercial process, financial risks, as well as risks of loss of considerable confidential information (strategic information, personal information) which affect different sectors: hospitals, autonomous cars, banks, telecom operators, energy, etc., with potential human consequences.

      The question is not “when will we be attacked?” but “what can we do to protect the company as much as possible, what can we do in the event of an attack, what can we do to restore systems as quickly as possible?”

      Cyber-risk is an integral part of companies and also of personal organizations (everyone is concerned individually and as a member of an organization). It is not just a technical risk.

      People are the weakest (and strongest) link in the entire security chain.

      This book does not deal with tools (hardware, software, servers, architecture), but with organizations, processes and behaviors, without which the company cannot improve its performance, security, incident or crisis management, and resilience.

      It is about companies exercising their digital responsibility and maintaining or improving the trust of their stakeholders: customers, suppliers, partners and investors.

      Only 30 years ago, I experienced the arrival of personal computers (computers and word processing existed, but were not deployed in companies), the digitization of financial operations (accounting, cost accounting, banking relations and cash management, tax returns, reporting tools, accounting and management consolidation, financial relations with customers and suppliers), as well as the digitization of human resources management (payroll, social declarations, recruitment, training), internal and external communication, particularly with the arrival of social networks, production (connected factories and extended companies), marketing and sales of course, and logistics.

      Companies are completely digitalized: their data, operations, accounts, processes are intangible; their internal and external communications, their products are connected.

      Organizations and work habits have changed, skills have evolved, tools have been transformed, the classification of documents and people has sometimes (often?) fallen into oblivion.

      Companies have been able to internationalize, thanks to the ultra-fast means of communication. We talk to the company across the street as well as to those in the United States or China: only the time difference is incompressible.

      Companies share their data with their customers, suppliers, employees, shareholders, subsidiaries, etc. The digital environment provides companies with opportunities to create new businesses, new products and services and new customers, in order to optimize their organizations, reduce their costs, improve their internal and external processes, with their suppliers, service providers, subcontractors, investors, customers, depending on the business sector in which they operate.

      Companies are judged on their financial performance: