Read the interview with Yohann BAUZIL, ex-CISO (Chief information security officer) at Airbus OneWeb Satellites. For an industrial satellite start-up, cybersecurity isn't a question, it's a given. Yohann BAUZIL joined Airbus OneWeb Satellites to structure and manage the company's cybersecurity. In this fascinating interview, you'll discover his global approach to the security of production tools, be they IT or industrial.
Find out in the interview:
There's a debate. For me, it's not the same thing. Typically, there are Information System Security Officer positions, which are much closer to the notion of CISO. When you're CISO, you're interested in information security in the broadest sense. The recent emergence of the position of "Cybersecurity Director" demonstrates the evolution of missions. Here, we're getting closer to the notion of CISO, as he or she will be responsible for information security, and this in the ISO 27001 sense: information security versus information system security.
The CISO's challenges are being extended to include "industrial security": identity and access management, protection of resources and buildings, etc. When badges and video surveillance are managed, the Information System Security Officer can in fact become the CISO.
Yes, that's right. I'm in charge of the security division and the team. This division covers not only IS security, but also the security of our industrial sites, identity and access management, and you can also add RGPD (GDPR), with a DPO hat in the past. So it's security in digital and non-digital terms.
The security department has a dedicated team. However, I would say that in the best of all possible worlds, there should be no security team, just the application of processes. But the human factor remains a point of vigilance. Even though, I have to admit, our employees have a real sensitivity and culture when it comes to applying security principles.
Everything had to be done. And I had a very technical approach: 50% technical / 50% functional. As we were in the process of setting up a new company, we had a great need for architecture, which was a link with my previous responsibilities.
I was also able to draw on a risk analysis that laid the foundations for the 2017-2020 Security Roadmap.
The security division emerged fairly quickly. IS security (in IT) quickly becomes a glass ceiling when you don't have a legacy and the architecture is in place. One lever for this evolution was the RGPD. The CIO had given impetus to the steps in May 2017 for an effective implementation from May 2018. This led me to become IT and Civil Liberties Correspondent (CIL) and then logically DPO. This was supplemented with my role as deputy manager of the Toulouse site in charge of industrial security, wearing three hats:
We have created a "CISO" hat in charge of security.
Note that this approach is possible within a small structure like AOS SAS (editor's note: around 150 people). We don't have to deal with the kind of siloed approaches you see in larger structures.
At the launch in 2017, yes (editor's note: the company was founded in 2016). As of 2019, we have created a dedicated Security division to better integrate industrial security and the RGPD. Naturally, the security division has been attached to General Management. It's the right attachment, not least to avoid potential judgment bias on the IT side. When a CISO manages industrial security, it's anything but an IT subject. The mission is transverse. He logically reports to General Management.
In fact, I have a double reporting line, which is unheard of in my career. I report to the CIO for IT matters, and to the COO - Chief Operating Officer - who is the company's number 2 for security matters. And I have a functional link with the President of the French entity - because in the end, it's he who bears responsibility for the company.
For our organization, this is not an integral part of our missions. It's handled directly by the product team. What's more, in recent years we've seen the emergence of a new variant of the CISO profession, the CPSO (Chief Product Security Officer). This is another job that can be found in large organizations. My mission is primarily internal. I'm there to ensure the security of the information architecture needed to build the satellite, but not the security of the satellite itself.
Yes, because our role is above all to federate. The RGPD, for example, is first and foremost a legal issue. Industrial security is very much imbued with the notion of site. IS security must be structurally integrated into the business of an IT department. So this threefold link is inherent to the security function, and its mission is to federate.
As I often say to the Chairman, "You're the one who's criminally liable, so it's only normal that you should have an opinion on my actions. Because in the end, it's you who will go to prison".
The roadmap provides those responsible for security and risk management with:
I used the risk analysis to structure the main measures:
From 2020 onwards, for various reasons (acquired security, shareholding evolution, COVID, etc.) we have switched to an annual logic.
I have a pyramidal approach to security: the subjects that form the base are mandatory, and the higher up the ladder you go, the more you're involved in continuous improvement or complementary subjects. The initial roadmap enabled us to build the base. From now on, I'm more into an opportunistic dynamic, with new tools bringing new insights into monitoring, event explanation, etc.
So we work with formalized one-year plans. Through exchange and mutual challenge with the teams, we establish the year's priorities, which serve as a guideline and are amended during the year. The three-year approach is a vision that I have, but which is not explicitly shared. It's more my personal roadmap than a tool for working with my teams. The technical challenges vary too quickly in security for a 3-year projection.
I'm lucky enough to be working in a company whose culture is based on defense standards. This has given us a technical framework and a team of people who understand the fundamentals of security. I can concentrate on optimizing security.
For me, the sinews of war are visibility. No matter what you put in place, you'll never prevent yourself from being attacked. What counts is to know, to have the tools to alert us if we've been attacked (editor's note: the term used by Yohann is "typing").
For example, 5 years ago, it wasn't easy for everyone to set up an EDR (editor's note: Endpoint Detection and Response - a kind of antivirus 2.0). But now, in our sector, it's a compulsory component, given the threat. And every year, we discover new bricks. It's also a requirement of our sector, the space industry, which is subject to numerous regulations that must be constantly monitored.
That's a very good question. We used to work with a 3-year roadmap, now we're working with a 1-year roadmap. This gives us flexibility and agility. But it's possible because we're a small, very reactive organization. Maybe the right compromise is 2 years. In any case, when it comes to security, 5 years doesn't seem to me to be in line with the reality of evolving threats.
Nomadic working has been in place since the beginning of AOS, it's a legacy of our initial culture. So the COVID episode didn't change much. Except for the purchase of screens and keyboards to facilitate remote working. A demonstration of sound fundamentals, and this plays on the CISO's peace of mind.
We have compulsory annual security awareness training for every employee (with a signature committing them to responsibility). In addition, beyond what might appear to be marketing, I have a very human approach to security. In concrete terms, my security requirements impose a constraint on my colleagues' day-to-day work. In return, I make myself available. For example, I process all my e-mails within 24 hours. This can go as far as colleagues sending me personal "phishing" e-mails. And I always give them an answer.
I did a post on the subject of awareness on Linkedin. But the sophistication of attacks means they can't be countered by vigilance alone. It's up to us to put the tools in place to help them. For example, a new type of attack is formidable: the "browser in browser". This is an attack based on phishing that simulates a fake browser in another... Even if we run awareness campaigns, anyone can be caught out. This type of attack is virtually undetectable without technical tools. Awareness-raising is 20% of the response at most.
I have two objectives: the first is to bring a cross-functional approach to security between our US and French sites.
The second is to finalize a series of POCs (editor's note: proof of concept) on various promising new tools.
Any advice on setting up a security roadmap for those who are in the process of structuring their approach?
The starting point is to know yourself perfectly. It's hard to structure your actions if you don't know where you stand, where the gaps are. So it's important either to self-assess your level of maturity, or to carry out an audit. For example, I have developed a self-analysis Excel file based on ANSSI recommendations. This enables you, for example, to self-assess the correct application of "security hygiene rules".
We remain in a start-up state of mind, with the need to build fast. We have a three-pronged approach:
Almost all of us came from the "same world". So we have common patterns of thought and reasoning for implementation. Our approach is very virtuous. I don't remember ever saying no to one of their proposals.
My only difficulty, and it's extremely limited and rare, is shadow IT. The business has the skills to move forward without us. So they could very well take advantage of openings in the IS to implement solutions without going through us. But this is extremely rare.
The CISO's job is anything but a technical one. It's more about helping the business to express a need. A typical example: the business asks me to set up an FTP server. Which is a solution. But the real need is to send large files securely between site A and site B.
We're a support function. I have no right to say no to a requirement. I can only ask for adjustments to the solution or suggest solutions to the need.
We're in start-up mode. Large-scale structural projects, exceeding dozens of man-days, are very rare with the business. For more internal projects, we're in "agile plus plus mode". Being on the same platform, everything is done directly with flexibility.
We essentially do "run" more than "build".
We have a fortnightly team follow-up with operational monitoring of projects, including prioritization of actions. It should be noted that at least 50% of security projects are "IT" projects.
This is reported on and KPIs are produced for the security division's principals (Chairman AOS SAS & COO).
In addition, we have a fortnightly follow-up with the COO and a monthly follow-up with the President of the French entity. This is also extended to the US branch. These bodies are dedicated to security.
A key element in the CISO/management dialogue, the Project Monitor dashboards are used to manage cybersecurity-related projects.
First of all, I think there's a gap between the marketing effect and reality. It's clear that attacks are on the increase. But I'd like to try and explain this increase: it can be explained by the fact that many structures have recently started up from scratch. So when you start from scratch, it's easier to "get hit". On the other hand, when you have a strong security culture and employees don't apply a personal "open-bar" culture to their workstations, the risks are very limited. You need a strict security policy, even if it means abusing a certain freedom. I did a post on the subject of the infringement of freedoms by security measures. We're always on this fine line between security and freedom.
When I started out in this job, I felt alone. So I'm keen to pass on what I've learned. One of the lessons I've learned is the power of sharing, networking and exchanging. It enriches the work of monitoring. I make regular posts that generate a lot of reactions, especially from young CISOs. This allows me to theorize my ideas, challenge my opinions and understand the reactions. We're all enriched.
Security is a shadow activity within the organization. We're soldiers in the shadows, and that's a good sign, because if we're in the spotlight, it's because we've been attacked. But that doesn't mean we should remain silent. If, for example, the availability of the self-diagnosis guide, which is a simple translation of the ANSSI's hygiene principles, enables SMEs or ETIs to advance their security roadmap, we all win.
Yohann BAUZIL worked for 9 years in information systems architecture and security as a service provider in the Airbus Group's "Space" branch. In 2017, he joined the fledgling company Airbus OneWeb Satellites as RSSI (CISO). Since 2019, he has been in charge of the France security division and took over responsibility for the group (France + USA) at the beginning of 2022. Since June 01, 2022, he has joined the RHEA Group as Space Program Manager within the France entity.
At a conference with LeMondeInformatique, Yohann Bauzil talked about the ways in which Airbus Cybersecurity combats cyberthreats through EDR, threat intelligence and an outsourced SOC:
"We've been using EDR for the past 2 years, and if we look at the complexity of the threat, it has become an essential building block in the same way as anti-virus", explained the CISO. "We have integrated this EDR monitoring into the recurring tasks of a person dedicated 100% to security". In addition, the company relies on a SOC, coupled with a Darktrace solution, with Airbus Cybersecurity offering its own operational security center, managed by this subsidiary.