
How should a company be governed in the face of cyber threats?

Published on September 20, 2021

Attacks by ransomware have quadrupled in one year, according to the Agence nationale de la sécurité des systèmes d'information (ANSSI). This criminal activity has been rekindled by the health crisis and the massive use of online teleworking tools. Faced with these threats, businesses need to adapt their security strategy, but that's not all. It's the whole governance which needs to be rethought. Henri Puissant*, a specialist in IS organisation, and Yann-Eric Devars*, an enterprise architecture consultant, both ORSYS trainers, bring us their expertise to help us begin this transformation of systems and practices.


While the massive entry of businesses into the cybersphere is opening up new horizons and giving rise to numerous innovations, it is also putting corporate governance to the test, particularly in terms of security. In the wake of data theft, ransomware (hospitals, government departments, businesses), cyber espionage (SolarWinds affair, etc.) and infrastructure attacks (Oldsmar drinking water, etc.), the leaders of countries, government departments and businesses are gauging the fragility of their organisations and are becoming aware, or are being urged to become aware by the authorities, of the need to control the architecture of their organisations and information systems.

State governance turned upside down by cyberthreats

At the turn of the 90s, like Christopher Columbus approaching America, Timothy John Berners-Lee, by creating the World Wide Web, was gaining a foothold in the cybersphere. Little did he imagine the fate that would befall his discovery: the emergence of the GAFAs, Cambridge Analytica, ransomware, and so on.

58 years after the discovery of America, Charles V brought together jurists and theologians in Valladolid to determine the rules of colonisation, i.e. the way in which Indians could be subjugated and converted. Similarly, 30 years after the discovery of the web, Sir Timothy John Berners-Lee, long-time chairman of W3C, the web's technical regulator, promoted a contract proposing rules of behaviour for web players to ensure that the web remained a public good at the service of humanity.

At Valladolid, nothing had really been decided between ethics and interest. It is to be feared that the same will be true of Sir Timothy John Berners-Lee's initiative, and that new balances will have to be established over time. States are finding it very difficult to establish laws and regulate the Internet, which is beyond their control. They are already facing cyber-attacks: Estonia attacked by denial of service, Iran and the centrifuge affair, the USA and the SolarWinds affair, to name but a few. States are equipping themselves with means of defence and imposing constraints on certain areas of activity (health, energy, food, water management, etc.), designating Operators of Vital Importance (OIV) in order to protect their operations and their citizens.

Cybercrime takes its toll on corporate governance

As is the case for governments, it is dangerous for companies to navigate these new horizons. At the helm of companies, managers have to face real storms. According to academician Michel Serres, "governing" means knowing where you've come from, where you've been and where you are, and therefore knowing your logbook and the state of your ship. But it also means knowing where we're going and adapting our course according to the state of the ship and its ecosystem. So how do you develop a strategy? What risks do we face? What legal, socio-technical and environmental constraints must be respected? What organisation should be put in place? How do you put together a dashboard that reflects the state of the company in its ecosystem and enables it to be managed effectively?

To all these questions, the following answers are essential: the development of governance principles relating to strategy, acquisitions, performance, compliance with laws and regulations, human behaviour and responsibilities; in-depth knowledge of the company's ecosystem; mastery of the company's architecture combined with in-depth thinking about it.

Reflections on architecture

Is the system capable of achieving its strategic objectives and adapting rapidly to changes in the ecosystem? Is it capable of dealing with the risks that will arise, and does it have the means to defend itself? Does it have a structure that gives it the resilience, flexibility and agility it needs to stand up to change? Advances in Moore's Law and software engineering are making new architectures possible. However, the SolarWinds affair demonstrates the current naivety of some corporate and public sector managers who are integrating open source or proprietary systems without checking the risks involved. This case, like the shortages resulting from the COVID crisis, shows the extent to which outsourcing is strategic at a time when the cybersphere offers companies numerous opportunities to call on external services to improve their value chain.

Thoughts on management

But you can't govern chaos! How can we organise the management of the crew so that the company adapts to its new ecosystem and survives? Business processes need to be mastered. Isn't the role of the IT Department to work with the company's business lines to inject information and telecoms technologies? It is therefore pointless to talk separately about Information System governance and corporate governance. The two are intimately linked. In the words of Nicholas Carr, what counts is the business: "IT doesn't matter"! What's more, when it comes to IT, can we still only talk about Information Systems when, with AI, robots and connected objects, IT is taking charge of many business processes and becoming an effector on the real world, as the Oldsmar case illustrates?

Changes in behavior

IT Departments, which until now have all too often been 'technocentric', must redirect their actions towards creating value for the company and participating in the development of its strategy. Conversely, technology and information systems have become so important to achieving the company's objectives that they can no longer be considered solely as a means of achieving objectives that have already been identified. So the management of the Enterprise, the IT Department and Business Unit management must work closely together. This is why the introduction of Business relationship managers is an essential organisational tool for increasing collaboration between all the players in a company, developing collective intelligence and thus improving governance.

Governance: developing your skills through training

Training is an essential key to unlocking these three locks (architecture, management and behaviour). I-Training and Services has developed and runs four seminars published exclusively by ORSYS: the first on the concept of governance and its organisation, the second on enterprise architecture, the third on adapting the company to the challenges of digital technology, and the fourth on Business relationship management. These seminars are then broken down into two practical courses: developing a dashboard and mastering enterprise architecture. They cover the standards and best practices in these areas, and share the instructors' experience with the participants. Our other cybersecurity training courses complete this vaccination programme against these virtual but very real threats.

Our expert

Henri Puissant

Business management and strategy

CEO of I-Training & Services, he has degrees in management and business strategy as well as mathematics. He led […]
