How do you manage challenges cybersecurity in an industrial start-up?

Read the interview with Yohann BAUZIL, ex-CISO (Chief information security officer) at Airbus OneWeb Satellites. For an industrial satellite start-up, cybersecurity isn't a question, it's a given. Yohann BAUZIL joined Airbus OneWeb Satellites to structure and manage the company's cybersecurity. In this fascinating interview, you'll discover his global approach to the security of production tools, be they IT or industrial.

The role of the CISO, Chief Information Security Officer

To begin with, you have the title CISO. Is this different from RSSI or is it a translation of the same function?

There's a debate. For me, it's not the same thing. Typically, there are Information System Security Officer positions, which are much closer to the notion of CISO. When you're CISO, you're interested in information security in the broadest sense. The recent emergence of the position of "Cybersecurity Director" demonstrates the evolution of missions. Here, we're getting closer to the notion of CISO, as he or she will be responsible for information security. And this in the ISO 27001 sense, information security versus information system security.

The CISO's challenges are being extended to include "industrial security": identity and access management, protection of resources and buildings, etc. When badges and video surveillance are managed, the CISO can in fact become the CISO.

So your job has several safety aspects?

Yes, that's right. I'm in charge of the security division and the team. This division covers not only ISS, but also the security of our industrial sites, identity and access management, and you can also add RGPD, with a DPO hat in the past. So it's security in digital and non-digital terms.

The organization of the (cyber)security division within Airbus Oneweb Satellites

What role does safety play at Airbus Oneweb Satellites?

The safety department has a dedicated team. However, I would say that in the best of all possible worlds, there should be no safety team, just the application of processes. But the human factor remains a point of vigilance. Even though, I have to admit, our employees have a real sensitivity and culture when it comes to applying safety principles.

In 2017, what were your first actions on appointment?

Everything had to be done. And I had a very technical approach: 50% technical / 50% functional. As we were in the process of setting up a new company, we had a great need for architecture, which was a link with my previous responsibilities.

I was also able to draw on a risk analysis that laid the foundations for the 2017-2020 Security Roadmap.

How did the idea of a safety center come about?

The security division emerged fairly quickly. ISS (in IT) quickly becomes a glass ceiling when you don't have a legacy and the architecture is in place. One lever for this evolution was the RGPD. The CIO had given impetus to the steps in May 2017 for an effective implementation from May 2018. This led me to become IT and freedom correspondent and then logically DPO. This was supplemented with my role as deputy manager of the Toulouse site in charge of industrial safety, wearing three hats:

• CISO,
• Security Officer
• and DPO,

We have created a "CISO" hat in charge of security.

Note that this approach is possible within a small structure like AOS SAS (editor's note: around 150 people). We don't have to deal with the kind of siloed approaches you see in larger structures.

In terms of organization, is the safety department attached to CIO ?

At the launch in 2017, yes (editor's note: the company was founded in 2016). As of 2019, we have created a dedicated Ssecurity division to better integrate industrial safety and the RGPD. Naturally, the security division has been attached to General Management. It's the right attachment, not least to avoid potential judgment bias on the IT side. When a CISO manages industrial safety, it's anything but an IT subject. The mission is transverse. He logically reports to General Management.

From an operational point of view, is it a matrix approach?

In fact, I have a double reporting system, which is unheard of in my career. I report to CIO for IT matters, and to the COO - Chief Operation Officer - who is the company's number 2 for Security matters. And I have a functional link with the President of the French entity - because in the end, it's he who bears responsibility for the company.

What about safety on the satellites produced by Airbus Oneweb Satellites?

For our organization, this is not an integral part of our missions. It's handled directly by the product team. What's more, in recent years we've seen the emergence of a new variant of the CISO profession, the CPSO (Chief Product Security Officer). This is another job that can be found in large organizations. My mission is primarily internal. I'm there to ensure the security of the information architecture needed to build the satellite, but not the security of the satellite itself.

Do you have a highly matrixed approach to security, with multiple links?

Yes, because our role is above all to federate. The RGPD, for example, is first and foremost a legal issue. Industrial security is very much imbued with the notion of site. IS security must be structurally integrated into the business of an IT department. So this threefold link is inherent to the security function, and its mission is to federate.

As I often say to the Chairman, "You're the one who's criminally liable, so it's only normal that you should have an opinion on my actions. Because in the end, it's you who will go to prison".

Building the safety roadmap

The roadmap provides those responsible for safety and risk management with :

• an overview of the program's key stages and milestones
• key resources to save time and ensure successful execution
• information on the cross-functional team responsible for carrying out the program

How did your Safety Roadmap 2017-2020 come about?

I used the risk analysis to structure the main measures:

• Organizational measures with the establishment of three responsibilities (information systems security, data protection, industrial safety).
• Technical measures, with the implementation of technical solutions based in particular on the resources offered by being an Airbus subsidiary.
• Be constantly on the lookout: The difficulty is not in doing... but in knowing what you want to do and what you need to do. Our skills become obsolete very quickly. In two months, we lose our expertise. Establishing a "qui-vive" state of mind is essential.

Has the original 2017-2020 security roadmap been extended?

From 2020 onwards, for various reasons (acquired security, shareholding evolution, covid, etc.) we have switched to an annual logic.

I have a pyramidal approach to safety: the subjects that form the base are mandatory, and the higher up the ladder you go, the more you're involved in continuous improvement or complementary subjects. The initial roadmap enabled us to build the base. From now on, I'm more into an opportunistic dynamic, with new tools bringing new insights into monitoring, event explanation, etc.

So we work with formalized one-year plans. Through exchange and mutual challenge with the teams, we establish the year's priorities, which serve as a guideline and are amended during the year. The three-year approach is a vision that I have, but which is not explicitly shared. It's more my personal roadmap than a tool for working with my teams. The technical challenges vary too quickly in security for a 3-year projection.

So if the foundations are sound, what is the challenge now?

I'm lucky enough to be working in a company whose culture is based on defense standards. This has given us a technical framework and a team of people who understand the fundamentals of security. I can concentrate on optimizing security.

For me, the sinews of war are visibility. No matter what you put in place, you'll never prevent yourself from being attacked. What counts is to know, to have the tools to alert us if we've been attacked (editor's note: the term used by Yohann is "typing").

For example, 5 years ago, it wasn't easy for everyone to set up an EDR (editor's note: End-point Detection Response - a kind of antivirus 2.0). But now, in our sector, it's a compulsory component, given the threat. And every year, we discover new bricks. It's also a requirement of our sector, the space industry, which is subject to numerous regulations that must be constantly monitored.

Does a three-year roadmap still make sense in the safety business, given the vagaries and speed of change?

That's a very good question. We used to work with a 3-year roadmap, now we're working with a 1-year roadmap. This gives us flexibility and agility. But it's possible because we're a small, very reactive organization. Maybe the right compromise is 2 years. In any case, when it comes to security, 5 years doesn't seem to me to be in line with the reality of evolving threats.

Speaking of forced change, what about the widespread use of teleworking with Covid?

Nomadic working has been in place since the beginning of AOS, it's a legacy of our initial culture. So the COVID episode didn't change much. Except for the purchase of screens and keyboards to facilitate remote working. A demonstration of sound fundamentals, and this plays on the CISO's peace of mind.

How can we maintain such a base over time, particularly in terms of the human element that is often described as the weak link in the security chain?

We have compulsory annual safety awareness training for every employee (with a signature committing them to responsibility). In addition, beyond what might appear to be marketing, I have a very human approach to safety. In concrete terms, my safety requirements impose a constraint on my day-to-day work. In return, I make myself available. For example, I process all my e-mails within 24 hours. This can go as far as colleagues sending me personal "phishing" e-mails. And I always give them an answer.

Raising awareness and ensuring the availability of the security team are the keys to strengthening the human link in security?

I did a post on the subject of awareness on Linkedin. But the sophistication of attacks means they can't be countered by vigilance alone. It's up to us to put the tools in place to help them. For example, a new type of attack is formidable: the "browser in browser". This is an attack based on phishing that simulates a fake browser in another... Even if we run awareness campaigns, anyone can be caught out. This type of attack is virtually undetectable without technical tools. Awareness-raising is 20% of the response at most.

Let's go back to the "personal" Roadmap, any particular objectives?

I have two objectives: the first is to bring a cross-functional approach to safety between our US and French sites.

The second is to finalize a series of POCs (editor's note: proof of concept) on various promising new tools.

Any advice on setting up a security roadmap for those who are in the process of structuring their approach?

The starting point is to know yourself perfectly. It's hard to structure your actions if you don't know where you stand, where the gaps are. So it's important either to self-assess your level of maturity, or to carry out an audit. For example, I have developed a self-analysis Excel file based on ANSSI recommendations. This enables you, for example, to self-assess the correct application of "security hygiene rules".

Steering the governance of security projects

How does safety fit into your project governance?

We remain in a start-up state of mind, with the need to build fast. We have a three-pronged approach:

• The business - who we ask to think in terms of needs (even if every other time they come up with technical solutions rather than a formulation of needs).
• IT proposes a technical solution to meet your needs
• Security will validate the technical proposal. This is facilitated by our original proximity to IT. So it's rare to have solutions that don't meet our requirements.

How do you interact with IT teams?

Almost all of us came from the "same world". So we have common patterns of thought and reasoning for implementation. Our approach is very virtuous. I don't remember ever saying no to one of their proposals.

How is the dialogue with the business going?

My only difficulty, and it's extremely limited and rare, is shadow it. The business has the skills to move forward without us. So they could very well take advantage of openings in the IS to implement solutions without going through us. But this is extremely rare.

The CISO's job is anything but a technical one. It's more about helping the business to express a need. A typical example: the business asks me to set up an FTP server. Which is a solution. But the real need is to send large files securely between site A and site B.

We're a support function. I have no right to say no to a requirement. I can only ask for adjustments to the solution or suggest solutions to the need.

Are you permanent guests on project steering committees?

We're in start-up mode. Large-scale structural projects, exceeding dozens of man-days, are very rare with the business. For more internal projects, we're in "agile plus plus mode". Being on the same platform, everything is done directly with flexibility.

We essentially do "run" more than "build".

How do you sequence your piloting, comitology?

We have a fortnightly team follow-up with operational monitoring of projects, including prioritization of actions. It should be noted that at least 50% of security projects are "IT" projects.

This is reported on and KPIs are produced for the safety division's principals (Chairman AOS SAS & COO).

In addition, we have a fortnightly follow-up with the COO and a monthly follow-up with the President of the French entity. This is also extended to the US branch. These bodies are dedicated to safety.

The future of (cyber) security

A prediction for the future of security issues?

First of all, I think there's a gap between the marketing effect and reality. It's clear that attacks are on the increase. But I'd like to try and explain this increase: it can be explained by the fact that many structures have recently started up from scratch. So when you start from scratch, it's easier to "get hit". On the other hand, when you have a strong security culture and employees don't apply a personal "open-bar" culture to their workstations, the risks are very limited. You need a strict security policy, even if it means abusing a certain freedom. I did a post on the subject of the infringement of freedoms by security measures. We're always on this fine line between security and freedom.

You're very active on a network like LinkedIn. What's the next step for safety and communication?

When I started out in this job, I felt alone. So I'm keen to pass on what I've learned. One of the lessons I've learned is the power of sharing, networking and exchanging. It enriches the work of monitoring. I make regular posts that generate a lot of reactions, especially from young CISOs. This allows me to theorize my ideas, challenge my opinions and understand the reactions. We're all enriched.

Security is a shadow activity within the organization. We're soldiers in the shadows, and that's a good sign, because if we're in the spotlight, it's because we've been attacked. But that doesn't mean we should remain silent. If, for example, the availability of the self-diagnosis guide, which is a simple translation of the ANSSI's hygiene principles, enables SMEs or ETIs to advance their security roadmap, we all win.

Interview glossary

• CISO: Chief Information Security Officer
• COO : Chief Operation Officer
• RSSI: Information System Security Manager.
• ANSSI : National Agency for Information Systems Security
• AOS : Airbus Onweb Satellites
• EDR: End-point Detection Response
• SSI: Information System Security