Mathieu Gorge, VigiTrust: “the more information you share – the bigger your risk surface is”
The rapid global digital transformation introduced not only new technologies but also a new approach to working.
This new connectivity has enabled people to become more collaborative, with options to edit and exchange documents in real time from wherever they are working. However, the constant connection introduces new threats. As companies start to increase their digital footprint, the risk of sensitive data being breached, deleted, or misused becomes even higher.
As a result, the market has been filling up with security and compliance solutions to make sure each employee’s and customer’s private data is protected. This is why we reached out to talk to Mathieu Gorge, the CEO of VigiTrust – an Integrated Risk Management SaaS solution.
How did VigiTrust come about in 2003? What has your journey been like?
I had been working in cybersecurity for about 4 years when I started a company in Dublin, Ireland. I saw an opportunity for a niche in the market around data protection training and, back in 2003, that was really novel. Having a background in network and content security, I reached out to the connections in the market. Essentially, they came back with an answer that they would be happy to buy network security from me because they knew me, but my business was too young and the idea of data protection training was too novel for them to go with it. As a result, I started a company around network and content security, and 2 years later I went back to market data protection training. Around 2005, that started to pick up.
Essentially, for the first 14 years of the business, we were security trainers and consultants, performing assessments as well as doing security consulting, primarily in Ireland, France, the UK, and to some lesser extent, the rest of Europe. In 2017, we decided to pivot the business into what is today's VigiTrust, which is essentially a provider of SaaS governance, risk compliance, and integrated risk management solutions.
We've got an award-winning tool called VigiOne that allows you to prepare, validate, and manage continuous compliance with legal and industry security frameworks, including the usual suspects such as GDPR, PCI, HIPAA, NIST, ISO, and a few others.
Can you introduce us to your risk management solutions? What are their key features?
VigiOne is a SaaS tool that addresses three key components of any compliance and governance program:
Preparedness. We have a full e-learning platform within VigiOne that allows you to do role-based training. It allows you to demonstrate to the regulators and enforcement bodies that you've trained people and you've provided the right guidance to them in order for them to use the data and system security.
Compliance Validation. Within the compliance validation module, there are all of the usual checklists. The official questionnaires for compliance (like PCI), the regular data processing activity (like for GDPR), and also a number of best practices reports.
Governance / Ongoing Compliance. Within this tool, we essentially have a dashboard that allows you to report per exception and per completion. That adds a lot of value because it's great to know where you're in compliance, but it’s even better to know where you're not so that you can drive your efforts to the right area and make significant improvements.
Once you've achieved compliance, you have to maintain compliance at all times. What that means in practice is that there are daily, weekly, monthly, quarterly and yearly tasks that need to be performed – whether it's updates of policies, quarterly pen tests, or yearly training.
The tool also allows you to have templates for projects. Speaking of templates, the VigiOne tool is really unique because it allows our clients and partners to create their own security frameworks using Assessment 360. That’s a web console that imports controls, a list of requirements, and different ways to validate and maintain the controls. It's very intuitive and it makes compliance easier and more straightforward.
Besides quality risk management systems, what other security measures do you think should be a part of every modern company?
You can't have an effective security or compliance program unless you make security a part of the company's DNA. To do so, you must start by educating key decision-makers, C-level executives, and the board. The challenge is that you're often faced with what we call the 5 stages of cyber-accountability grief:
Denial. “It doesn’t apply to us, we’re here to build the company, grow employment, generate profits for the shareholders – don’t bother us with cyber!”
Anger. “We’ve given you money to hire a CISO, a compliance officer, put firewalls in place, and train people. Go and talk to the compliance people, they’ll look after you.”
The bargaining stage. “We can see our competitors are being audited by the regulators. Maybe we should hire a big firm to come in and do an assessment, and that’ll get us off the hook.”
The depression stage. “We need to do something. How are we going to do it?”
The acceptance stage. "I guess we're doing a lot of stuff right, and all we really need to do is put our house in order and bridge the gap."
It's very important to make sure you have a sponsor who is going to back the entire project and review it on an ongoing basis. If you look at a standard like PCI, it's a great one to get started because you can replace “credit cardholder data” with “sensitive data,” and it gives you a minimum benchmark of what you need to do. However, none of this will work unless you build a sense of collective responsibility.
Have you noticed any new threats emerge as a result of the recent global events?
I often talk about the 4 points of risk:
- Financial, contractual, and operational
- Brand reputation management
- Pure cyber/IT risk
What we're also seeing is a disruption in regard to the Internet, where we're in the process of creating two major internet zones: the one outside Russia and the one within Russia. That is upsetting the way we've been doing business for a while and will impact the way data transfers are going to work moving forward.
We are also seeing a number of potential issues regarding data that's hosted in Russia. So if you've got data hosted in Russia, for now, the Russian government hasn’t imposed any ban on data traffic, but one can only assume that it will come. It's important to understand the parts of your ecosystem that are linked to Russia and whether or not you've got critical data in Russia because there is a chance that you may or may not be able to extract it moving forward.
What can average Internet users do to protect themselves from these threats?
The cynic in me says you should stop being connected altogether, but that's just not practical. In reality, most of us have 3-5 connected devices with us at any given time. We need to be aware and protective of our own personal infrastructure. For instance, it’s not necessary to download every app that you come across, and it’s not necessary to accept data for geolocation.
The reality is – if you don't need to share your data, you shouldn't share it. If you don't need to share your location, you shouldn't share it. The more information you share, the more apps you use, the bigger your risk surface is. A number of organizations worldwide are providing free training on how to secure your home networks because it's based on the idea that if I tell my employees how to secure their home network and give them advice for free, they're going to be more security-aware. Of course, you need to have as much security as you can: update your antivirus, back up your items, and encrypt your laptops.
At the end of the day, from a human being's perspective, you don't have to trust everyone. Unfortunately, we don't live in a world where you can trust everyone. The reality is because we're all connected, we have to make sure we understand the concept of personal infrastructure protection.
In your opinion, why do certain companies still fail to keep up with compliance and other security standards?
I go back to the three areas that VigiOne covers: preparedness, validation, and ongoing compliance. I always say that security is a journey. You're on a journey to secure your systems, have the right processes in place, and train people. Then you validate compliance and by the time you celebrate that with a cup of coffee, you are out of compliance. The risk surface is not static. Every time you buy a company, you increase your risk surface because you inherit systems you're not familiar with.
During the pandemic, a lot of organizations started digitizing their products. Pre-Covid, it would have taken them three years and security would have been taken into account. But at the beginning of the pandemic, companies prioritized getting products to market to bring cash in, rather than doing it securely. Now, that has to be addressed. When you want to maintain security, you have to update the systems, the process, and the training. Where people fall down is not necessarily the goodwill of trying to achieve compliance the first time, it's maintaining compliance and having that self-discipline before somebody knocks at your door.
What dangers can customers be exposed to if a company they trust struggles to ensure compliance?
As a client, I'm going to entrust you as a supplier with my data. Some of that data is considered personal: health information under HIPAA or any other type under GDPR. So, if you have my date of birth along with my name, address, and social security number, that might be considered personal information. The danger for me as a consumer is that I may trust the wrong company with my data or I may trust a company where my data is not protected. Maybe somebody can copy the data internally. Maybe somebody can hack the systems easily. Maybe I'm not providing the minimum level of security required.
Now, if somebody gets my credit card information – it's a pain, but it's not life-threatening. If somebody gets my health data, on the other hand, I only have one. I can't order another set like I can order another credit card. As a customer or citizen, it's fine to ask questions about how your data is being secured and even to ask for a copy of all the data they have on you. That's a data subject request, and in Europe, it's compulsory. You can request one to either correct the data or ask the company to update the data.
What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?
Patching is a major issue. If organizations don't patch their systems, they won't be able to prevent most of the vulnerabilities that are being exploited by hackers. You need to patch your antivirus and anti-malware. Then, users need to be trained regularly, because if you look at the way ransomware gets into the systems of an organization, it's generally through social networking and phishing. In plain English, somebody clicks on a link or document they shouldn’t have clicked on, and it infiltrates ransomware software and encrypted data. Ultimately, if you keep your systems patched, close all the open doors, and train all your people on a regular basis, that's the best way to address the latest vulnerabilities.
Tell us, what’s next for VigiTrust?
VigiTrust is scaling tremendously. From a technology perspective, we are integrating AI into our compliance engines to help people make better, more accurate, and more effective decisions regarding their compliance. We already have clients in 120 countries in multiple industries, and we are still growing.
We also have a growing Advisory Board with 800+ members from 32 countries. The VigiTrust Global Advisory Board is a non-commercial think tank made up of leading security and compliance subject matter experts, including C-level executives, board members, regulators, law enforcement, researchers, and other stakeholders, as well as influencers within the security industry. At our regular meetings, we discuss how data governance, information security, systems security, and critical infrastructure security impact the security and compliance industry. So watch this space!