
CISOaaS – The External Cybersecurity Enforcement Officer

As cyberattacks grow in frequency and sophistication, Luxembourg's SMEs are turning to a new kind of ally: the CISO-as-a-Service.

Rising cyber threats, tighter regulations, and a talent shortage are pressuring Luxembourg businesses to take cybersecurity into their own hands. For many, CISO-as-a-Service (CISOaaS) offers an affordable, effective way to build digital trust without breaking the budget.

According to a report by insurance and reinsurance firm Hiscox, 53% of companies were victims of a cyberattack in 2023. The average cost of a cyberattack for a company ranges from ten thousand to several hundred thousand euros. Compromise of business email accounts remains the most frequent attack vector, exploiting the trust and daily routines of employees. The long-term consequences are regulatory penalties, reputational damage, and loss of customer trust.

According to Hiscox, small businesses are often less well equipped to deal with complex security incidents; they therefore remain an attractive target for threat actors, who count on insufficient cybersecurity defences.


“Cybercriminals often target companies with specific security gaps, and exploit their vulnerabilities to infiltrate their systems,” notes data.gouv.fr, a data platform run by the French Interministerial Digital Directorate (DINUM). “Small and medium-sized enterprises (SMEs) are particularly vulnerable, often due to limited resources dedicated to cybersecurity.”

And according to Hiscox, the lack of regular employee training, deficient system updates and maintenance, and the absence of incident response plans are among the most common cyber vulnerability factors. 

“These statistics underscore the critical need to invest in robust security measures and employee training to prevent these potentially devastating threats,” data.gouv.fr continues.

But with cybersecurity talent in short supply and costs high, how can SMEs take control of their digital defences? One increasingly viable answer is outsourcing: enlisting a Chief Information Security Officer (CISO) on demand.

External cyber-specialist

“CISO-as-a-Service (or CISOaaS) is an external expert or team who specialises in cybersecurity and offers a full-time or part-time, remote or hybrid service, based on the organisation's needs,” explains Cédric Mauny (Strategic Advisor in Cybersecurity, Head of Enterprise Risk Management, Proximus NXT). “Organisations can be SMEs, large groups in the digital transformation phase, banks or public organisations subject to regulatory requirements and looking for budgetary flexibility.”

For Jean-Yves Mathieu, CEO of JYM Consulting and CISO-as-a-Service, the advantage is that the organisation gains access to personnel and resources that it does not have in-house: “This allows them to benefit from effective management of their security, enabling them to better meet information security and compliance requirements. Therefore, such an approach eliminates the need to recruit a full-time manager.”

An active coach and an awareness-raiser

Service provision ranges from simple advice to advanced missions, including bringing security practices into line with recognised international standards such as ISO 27001, as well as specific regulations imposed by national regulatory authorities. Furthermore, CISOaaS also plays a key role in the preparation of internal and external audits. “In addition, he identifies, assesses, prioritises and manages risks related to information security and implements a continuity strategy and plans,” Jean-Yves Mathieu adds.

“In the event of an incident, he carries out rapid reporting, technical and financial analysis, proposes a remediation plan and meets civil or criminal obligations.” The CISOaaS must therefore have a global vision, put tools in place to limit attacks and offer recommendations to the organisation's IT team. “It is imperative that these solutions address critical issues with readily deployable open-source tools, delivering operational solutions that range from 80-85% for maximum protection,” Mathieu continues.

Strengthening the security posture

For Cédric Mauny, the CISO-as-a-Service trains and helps teams to take charge of their own security; the objective is to put the right tools in place to strengthen the security posture in the long term: “Like an active coach, the CISOaaS plays a central role in the implementation of simple, effective and non-constraining cybersecurity solutions,” he explains. “The support is personalised, aligned with the current level of maturity and the company's priorities and the level to reach. It is an extension of the active workforce of the company with enhanced capabilities.”

For Mathieu, the CISOaaS plays the professional role of a mediator between IT and governance. Furthermore, he contributes to raising the level of awareness among the company's management. “It is vital for management teams to be aware of cyber risks, as they are not always measured. It is imperative that he engages the entire organisation and that the organisation assumes responsibility for its own security,” he says. Above all, they protect the company, the two experts point out. Hence, they must also be able to work closely with all teams to ensure that the security policy is fully integrated into the organisation.

An unregulated profession

What is the responsibility of the external CISO in the event of an incident? “The client remains responsible under criminal law, while the advisor’s role is advisory,” Jean-Yves Mathieu explains. “In many cases however, the CISOaaS will be seen as the fuse.” And unlike other regulated professions such as lawyers or chartered accountants, there is no code of ethics or regulation specific to the outsourced CISO service, as the function is essentially based on internal and external trust, the two experts note.

“Some service providers can therefore declare themselves a ‘CISO-as-a-Service’ without having the skills to do so,” Cédric Mauny admits, pointing out that in the US, the debate on increased liability of CISOs in the event of a major incident or breach is ongoing. According to him, this reflection could reach Europe, where the need to regulate the function and introduce a label or an accreditation may be further discussed.

Confidentiality remains a major issue: “The CISOaaS accesses sensitive data, sometimes strategic or legal,” Mauny continues. “Hence the importance of checking its references, experience and ethics. The service contract between the organisation and the CISO-as-a-Service must therefore be clear, with a scope of responsibilities and, where appropriate, a clear separation of advisory and execution roles.”

A trusted third party

“A CISO-as-a-Service must be a trusted third party, independent of commercial interests,” Mathieu adds. “It is imperative that the CISO-as-a-Service adopts an educational, transparent and responsible approach.” And for its part, the organisation must maintain control of its internal cybersecurity governance. This collaboration ensures optimal security protection while respecting the interests and responsibilities of each party. “Outsourcing does not equate to relinquishing responsibility. A good CISO-as-a-Service reassures, structures, guides and pulls upwards, while reminding the organisation of its responsibilities,” Mauny concludes.

This article was published in the 7th edition of Forbes Luxembourg. 
Marc Auxenfants
Marc covers business and management, banking and finance, start-ups and innovation. Marc has previously worked as a reporter for the Luxembourg Times, the Luxemburger Wort and Paperjam, and has written contributions for the BBC, The Guardian, InCyber and Silicon Luxembourg, amongst others.