Mohammed Sijelmassi is the CTO of Sopra Steria.
Cyber-attacks cost governments, companies and individual citizens hundreds of billions of Euros every year. It is a severe and growing problem, likely to become more damaging as we move to increased automation. So long as cyber-attacks generate financial or political benefit, they will endure and become harder to defend against as attackers become increasingly sophisticated.
Assaults on computer systems and networks have been a problem since the early days of the Internet. The Internet is not a single telecommunications network with a defined perimeter, controlled access, and proprietary protocols. It is a web of networks: everyone and everything can, in principle, connect to the Internet. Security is, therefore, a widely distributed task — a task for everyone. All these connecting networks and their devices, such as computers, sensors, Wi-Fi routers or smartphones, must be protected; the Internet does not do it for us.
Policy makers have identified security as a major challenge for a long time. Over the last two decades, the EU has become a major actor by introducing several regulations (e.g. NIS2, Cybersecurity Act, Cyber Resilience Act proposal) and investing significantly (e.g. Digital Europe, Horizon Europe) to this effect. ENISA, the European cybersecurity agency located in Greece, helps with analysis, awareness raising, and coordination. The recently established ECCC, the European Cybersecurity Competence Center in Romania, will reinforce collective action further, particularly with the cross-border SOCs (security operations centers for intelligence sharing between Member States).
Security measures should not be confused with safety and reliability provisions (which can, to a certain and measurable degree, be guaranteed and tested). The level of security is much harder to define and assess, as it crucially depends on the sophistication of attacks. This means policy makers may oblige manufacturers and users to follow procedures, apply precautions or deploy defensive tools; however, the private sector’s ingenuity and readiness to tackle the problem are needed.
Culture of Security
The IT industry has become better at protecting its products and services with, for example, source code reviews or regular updates. It has also become better at delivering security solutions for users with, for example, anti-virus, firewalls, or rootkit detection. Developing products with security in mind is, however, only one of the many steps. The context matters as well.
Protecting private users at home or small businesses requires out-of-the-box security and easy-to-operate toolkits. Defending business or government networks is a different game. Larger organisations will have more IT professionals, but their computer systems are more complex and more sensitive. Security is a process that never really ends. Increasing attack sophistication, undiscovered vulnerabilities, mobile working, Bring Your Own Device (BYOD) policies and remote network access all require a defence-in-depth approach. It is a well-known concept, but its implementation is challenging and demands investment. Sopra Steria understands this and provides world-class cybersecurity services, combining implementation practice and integration of state-of-the-art products.
Sopra Steria’s software developments and system solutions follow a security life cycle, driven by a ‘security-by-design’ principle. It starts with threat analysis and preventive measures, for instance, not allowing unchecked input. Sopra Steria implements solutions to protect the digital assets of our customers. The task is to integrate security processes into day-to-day business in a non-disruptive and simple way, so that staff do not trade security for convenience by looking for shortcuts. An important pillar is the Sopra Steria SOCs (security operations centres), which detect and respond to security incidents. Sopra Steria is certified by the French ‘Agence Nationale de la Sécurité des Systèmes d’Information’ and our approach is already in line with the provisions of the NIS2 proposal.
Cybersecurity Skills: We need to move forward
Everyone in an organisation needs a certain level of cybersecurity knowledge. This can be achieved through practical training and keeping staff on alert about, for example, the various and latest phishing attacks. For the IT industry, the shortage of cybersecurity specialists has become a major problem. We at Sopra Steria are dealing with this problem head-on. We seek out and train people with the right aptitude.
The recently presented ‘European Cybersecurity Skills Framework’ (ECSF), developed by ENISA, is well thought out and of high quality. It presents profiles of twelve typical professional roles, for instance, threat intelligence specialist, cybersecurity architect or risk manager. Additionally, the Commission’s intention to establish a cybersecurity skills academy is timely and will find industry support. It is, however, vital that we continue to train more skilled professionals and increase their depth of knowledge on a continuous basis to ensure that Europe is prepared for the cybersecurity challenges ahead.
A European Cybersecurity Ecosystem
Cybersecurity has always been a matter of national security, but the recent geopolitical developments have made it clear that it is vital to ensure a degree of independence. We need European vendors — world class and responsive to our values — to be competitive at a global scale. Programmes such as Horizon Europe or Digital Europe are helpful but insufficient unless Member States rally around these initiatives.
Together we need to work on the availability of cybersecurity professionals and training facilities, a more integrated response system, and an ecosystem of European vendors. In this regard, Sopra Steria is encouraged by the European Commission’s commitment to digital skills.
We also need to work together on future challenges: facing upgraded state-sponsored attacks, post-quantum cryptography and AI.
None of this is easy. But I believe that Europe already has what it needs at its disposal. It just needs to pull its resources together.
Sopra Steria is a European tech leader helping clients drive their digital transformation through consulting, digital services, and software development to get tangible and sustainable benefits. At Sopra Steria, we are committed to making the most of digital technology to build a positive future for our clients and society.