A Company's Mission to Demystify Security

One of the goals of VigiTrust is to demystify security. The company uses all the same acronyms as everyone else, of course, but founder and CEO Mathieu Gorge tries hard not to sound like a geek.

Take his 5 Pillars of Security Framework. Ready? Physical security, people security, data security, infrastructure security and crisis management. That covers the security bases about as simply and clearly as it could. The point was underscored in a recent VigiTrust presentation. C-Suite executives may not be legal, technical or operational security experts. Ditto board members. VigiTrust wants to draw them into the conversation, not push them away by speaking a foreign language.

Gorge talked about the ease of using the VigiOne platform in a recent briefing for TAG Cyber analysts. The GRC solution on its platform covers multiple regulations and standards, he noted. The theme is clear: the company wants to make the software and the process accessible and easy to incorporate into their businesses.

There’s another way Gorge has tried to demystify the subject. He created an advisory board in 2012. He’d founded the company in 2003, and he wanted to surround it with a network of experts. But in recent years, he said, the board has turned into more of a think tank. They hold public conferences in Dublin, New York, London and Paris, where VigiTrust has offices, and also in San Francisco and Sydney. These are all about educating the public in language that laymen can understand.

Gorge invited me to attend the one in June held (virtually, of course) in Dublin, where the company is headquartered. He spoke early in the day, and he even demystified the company’s name. For “vigi,” think “vigilance,” he said. No coincidence, I think, that it precedes “trust.”

The session after Gorge’s talk, entitled “How Boards See Cyber Risk Through the Shareholder Lens!,” seemed a good example of what the program was about. One big problem in this field, explained Bob Gardner, founding member of New World Technology Partners, is one of enterprise risk management. You need the support of the board to build cybersecurity. But the board can’t measure cyber risk the way it measures other risks. You need to connect cyber to the company’s assets, not just its balance sheet, he said.

That’s because it’s tied to the company’s reputation, he went on. And there’s a bigger picture to consider as well. It’s not just what happens to your company. You have to keep an eye on peer competitors. A breach can strike an adversary first, then migrate to your company and strike at your finances, reputation and ultimately mission.

One of the real challenges, Gardner said, is to come up with a quantitative analysis. Shareholders, customers, regulators, adversaries and the public at large may each have their own views of a company’s reputation. One way to measure the impact, Gardner said, is natural language processing (NLP).

NLP can be used to study what interest groups say and do about news of an event like a data breach. A statistical analysis of the results can help a company understand and quantify reputational hits. Reputational impact, capital impact and earnings/revenue impact can all be charted, Gardner said.

The importance of all of this, he emphasized, is that it’s possible to talk to the board and business leaders about cybersecurity risks in the language used in the boardroom. And that does more than merely demystify. It translates cyber into their language.

That’s one way to get the board on board.