So just as a few words about myself, I'm the founder and managing director of cos partners, as well as everything you've just said. And we are a boutique management consulting firm focused on assisting CIOs and C-level execs around cybersecurity strategy, organization and governance. And we've been working mostly with large organizations in the past, which as I said earlier, for me, the COVID has presented small and midsize firms with very different challenges.
And has found them generally less prepared than larger organizations, which broadly speaking have reacted reasonably well, from what I'm hearing, to the crisis, which is why I wanted to put the focus on small and mid-size organizations and bring some key management considerations for them around cybersecurity in the midst of the COVID crisis.
To be honest, there are quite a number if you've been involved in the cybersecurity or the tech industry for, for a long time, it's gonna come a little bit as a, as, as a, as a statement of the, of the obvious. I mean, of course we've seen nonstop cyber attacks, targeting all organizations, large and small indiscriminately. We've seen, you know, the regulation tightening worldwide around, around privacy and, and, and the general handling of personal data. And we've seen it in Europe with CCPR with GDPR. We we've seen it in, in the us with CCPA and a number of other regulations.
And, and, and of course the regulators are targeting organizations large and small. If you look at the DLA paper, for example, the DLA paper report, which, which has now been published twice in the beginning of 2019 and 2020, you know, looking at the, the fines imposed by regulators across Europe, you will see that the regulators have mostly targeted small and midsize organizations.
So broadly speaking, you know, I, I, I could definitely have started a presentation like this pre COVID by, by saying something like that.
I could also have I've added, you know, that good, good security and privacy practices, regardless of your size are, are essential to building digital trust that we are seeing trends across society at, at large, towards greater and greater concerns towards data security, data, privacy, you know, surveillance and that increasingly good security and privacy practices. We see, we see them belonging to a trend towards better business practices and better business ethics. Okay.
So I could have said all that to introduce session like this pre COVID and frankly, the COVID doesn't change anything to any of that. Actually it accentuates all those things in, in a, in, in a world where, where social distancing has, has made people entirely reliant on digital services in, in, in a world where remote working has forced people to, to think about security differently around the way they collaborate and, and share information.
And also, frankly, in a context where cyber criminals have exploited the disorganization, which came with a number of negligent practices around the switchover from traditional working to remote working. So essentially for me, for many of you, I'm sure good security and good privacy practices are absolutely essential to keeping the lights on in the world.
We are in, in a context where, you know, if you've been able to trade it's because you have, you, you have had access to a digital platform, or you've been able to switch quickly onto a digital platform and, and, and good security and good privacy practices are essential to keeping the digital services active. So essentially when, when I, when I talk to small and midsize organizations around those matters, I done very quickly into a matter of perception around those aspects, which is not necessarily the same as the one I encounter with larger organizations.
So for me, when I talk to chief execs or, or CIOs in larger organizations in small size organizations, I often start by asking them, you know, where does it fit in your world, security and privacy? Where, where, where does it, where does it fit?
You know, is it on your radar or not? Was it ever on your radar? Was it always at the periphery of what you do or not? You know, as your business developed, what happened to security and privacy? Have you embedded those into operational practices?
And I do get a very, very large amount of diversity in terms of responses towards those questions, from those who have undoubtedly had security on their radar for a while, in particular those who would have sought some form of security certification, at the other end of the spectrum, to those who might be in denial about all those things and might not even have registered with their local privacy regulators and may not even have a GPO.
So fundamentally what's missing in the middle of this is really a sense of the complexity, which has invaded the security and the privacy world over the past 10 to 15 years. You know, it has become a complex web of interconnected matters. It's no longer a matter simply of having the firewall on the outside and a bit of antivirus and to do a couple of pen tests every now and then. It is far more complex than that. And, you know, what about the intricacies of cyber insurance? What about the intricacies of vetting your staff?
What about the intricacies of, of exchanging data securely across the business ecosystem, which is increasingly fragmented? What about the security of cloud vendors? And of course now what about the flexibility of remote working at scale?
I mean, the, the COVID, once again, doesn't change any of that, the COVID situation, it accentuates many of those, it accentuates many of, of those matters what the COVID changes of course is the context in which those matters need to be apprehended.
And undoubtedly, you know, we must be realistic here, short term crisis considerations, dominate. They must dominate. They will continue to dominate. There is absolutely no way around that.
You know, for the executive management, it's mostly a matters of cash flow, supply chain and staff welfare, the board and investors sometime have an ability to take a little bit of a higher ground and to look, you know, into ensuring business stability and business resilience, but both executive management and, and board and investors at the moment are, are very, very concerned again, as well about bounce back scenarios and, and, and, and what will happen around the bounce back.
And if you look for example, at surveys, which have been published by the likes of McKinsey and BCG, you will see the complexity of those bounce back scenarios for the staff. It's been a different matter for the staff.
It's essentially about job preservation and remote working, and the stress that came with remote working when, you know, the personal and the professional world collided. For customers, it's about services, availability, and stability.
And once again, as I said before, if you've been trading throughout the COVID, it's probably because you had a digital platform and you've been able to switch quickly onto one. And if you haven't been trading and you're not contemplating a return to some form of trade, you will, you are bound to be looking at some digital, some sort of, or some digital platform. So once again, something here, which, which, which has to be said, which may resonate as a bit of, of, again, a statement of the obvious is that you don't want cyber attack in middle of all this, okay.
Cyber attacks, data breaches, they will aggravate things. You don't want that to happen. Good security and good security and privacy practice are definitely key to keeping the lights on. And that's definitely the way to see no,
Yeah,
It looks like I've lost you guys, but I'm back on. And I was just saying, you can see this. I was just saying, you know, going forward things will evolve and concerns will evolve. But undoubtedly, a number of things will, a number of things will, will, will remain the, the data protection regulations are not going to go anywhere. Okay.
So concerns will return going forward around regulatory and legal friction. Cyber attacks are not going to go anywhere. So concerns will return around operational capability around cyber attacks and cyber resilience. Fundamentally, good security and privacy practices reduce risk and they reduce regulatory and legal friction.
And, and, and they are part of the general good health of, of any organization and, and pre COVID. This will continue to be essential.
And, and in that respect, they will continue to support valuations. If, if, if, if that's a, if, if that's a concern with, with regards to staff and, and customers, what we've seen here throughout the COVID crisis is probably an entire generation of, of, of people traumatized by the lockdown.
We've seen a greater, greater emphasis towards caring for each other.
And for example, if you reflect on the debate which has been happening in many countries around the introduction of tracing apps, you will see that privacy certainly hasn't gone off the radar. So ultimately what we're likely to see here going forward is a greater and greater generational shift towards greater and greater emphasis and concern around business purpose and privacy.
And again, good security and good privacy practices in, in as far as they reflect good business ethics, they will continue to attract and retain to be essential, to attract and retain talent and, and, and customers. And, and again, this is not going to go in, in any other direction post COVID.
So fundamentally, even when I talk to, to a small and midsize organization and, and, and they seem to get it, what I'm still hearing from them is very often the sense that they don't really know where to start, even if they want to act, even if they understand that the, the, the context I've just mentioned.
Very often, we come across situations or discussions where they don't really know where to start at best. It leads to putting in place isolated, disjointed measures at worst.
It leads to action paralysis and, and, and all that in the context of a significant amount of, of, of, of, of remaining ter around the number of issues. And I want to go through a number of those, of, of those things.
I'm hearing, just as a matter of conclusion before moving on to my key management recommendations to the C-level execs in small and midsize firms. To start, I mean, I started by saying, you know, it won't happen to us because we are too small.
Of course, we know that and we've already discussed it a little bit, or you've already heard me speak about it a little bit at the start. We are hearing a number of other misconceptions, which again, to some of you, if you've been in the tech security industry for a while, will maybe be familiar, you know, things like, oh, you know, security doesn't matter to us because we're in the cloud.
Well, that doesn't mean a lot, frankly, of course your cloud provider is responsible for the security of the cloud, but you are responsible for your own security in the cloud and for security of your data in the cloud. And, and, and you are able to your customers. And if you look at the contract with your, with your provider, you're likely to find out that it's, it's, it's shamelessly, one-sided in their favor. We're also hearing things, oh, you know, security is pain in the neck.
Well, less and less, frankly, people get hacked and they understand the hard way why they need stronger security. And we're all getting used to, you know, multifactor, we're all getting used to receiving codes on our mobile to do a number of things on number of platforms.
And, and, and, and, and that's definitely, you know, a clear trend from where, from where, where I stand, what is being increasingly perceived as a pain in the neck, and an annoyance is ruthless data monetization, ruthless, marketing, personalization, or aggressive data surveillance.
And that is also a trend, as I said before, which we are seeing towards greater and greater emphasis around, around privacy and business purpose. Then we are hearing all sorts of things around priorities and, and, and, and essential activities.
And the fact that, you know, security is expensive and we'll sort it out later, and it will resources away from other activities. Well, frankly, in the current climate, as I said before, security is an essential activity. Maintaining good security is an essential activity. It doesn't have to be expensive. Chop it up in manageable bits, you know, cut it into pieces you can manage and focus on delivering it. What is expensive is retrofitting and the DUS after something has happened.
And frankly, that's the last thing you want in the context we're going through now. So I leave you with my final, my key management considerations for, for large, for large SMEs and mid-size firms and what I tell CEOs and CIOs in those organizations.
And I start, frankly, always by saying, you know, take it seriously. Security measures are key to keeping the lights on. You've heard me say that several times already this morning. Adverse prioritization is not an option. Now is not the time to compromise, even if budget is scarce.
Even if cash is scarce, keep it on the list, keep it on the list. The last thing you want right now is a cyber attack. Keep things simple, chop it up into bits you can manage. Look at your cyber security posture without complacency. Focus resources where they're most needed. Look for win in there, if there are any. Focus on action. Now is not the time for politics around priorities on this and priorities on that.
And, and all that bullshit, frankly, and more than ever. It's about people process then technology. And in that order, build up skills, build up process, build up things which will keep you secure, demonstrate good governance.
Because amongst other things, it will be key with your cyber insurers, should you get breached. Don't forget that insurers are under a tremendous amount of pressure because of the COVID.
They are, you know, facing multi-billion bills around business interruption insurance. They will challenge you around cyber insurance if you need to claim. Expect that good governance will help you in those discussions, together with process and together with having taken this seriously from the start. And please, now is not the time for a magical technical solution or a magical silver bullet, you know, and I'm gonna end by leaving you with a big secret, you know, those silver bullets, they don't exist. Okay. That's where I leave it. And I am happy to take questions.
I'm sorry for the little interruption in the middle, it looks like I dropped you or I did something wrong, but I hope I have managed to get back and you have managed to hear me properly until the end.