Interview - Luxembourg

Security is about balance and cooperation at all levels: within the organization and across the security community at national, EU and international levels.

Myriam Djerouni, Chief Information Security Officer (CISO) at Luxith G.I.E


Myriam is a dynamic security professional who started her career as a developer in a start-up after graduating from the French University of Lorraine. Her career quickly turned towards security, with moves across different sectors driven by her quest for challenge.

"Although I was originally hired as a developer in a start-up, my responsibilities quickly escalated. I discovered the world of security through the implementation of the ISO 27001 framework. My journey to cyber security did not stop there as I moved to the audit department of a payment card provider and then to a Luxembourg bank. I have now embraced new challenges as Chief Information Security Officer (CISO) of LUXITH in the health sector. LUXITH manages a shared IT infrastructure and services for all Luxembourg hospitals. As a CISO, my two missions are securing our IT services provided to hospitals and facilitating the establishment of their shared IT security strategy".

Myriam does not regret her career choices, as she explained:

"Entering the security field makes you a specialist and helps you develop your strength, skills and confidence but most importantly it helps you better challenge the various stakeholders in your organization".

In this interview, Myriam shared with us a couple of thoughts about cyber security today, first across sectors, then specifically in the health sector, and in the future.

Regardless of your industry, security is always about balance

With her experience across different sectors, Myriam can say there is common ground:

“information security is about balance”.

Balance between being technical and understanding business, between security and productivity, between being a showstopper and having sufficient social and communication skills to build consensus, as well as balance between all the constraints faced by a CISO, such as regulatory, resource and business constraints.

“I think a CISO cannot rely solely on his/her technical skills. Sure, he/she needs them, if nothing else for understanding threat agents’ techniques, but he or she also needs to understand the business side.”

In the financial sector, the balance is between the means of the external attacker and the means of the institution to defend itself. Financial institutions are a usual target because a successful attack means almost direct financial income for the attacker or financial loss for the institution. In the health sector the balance is between security and productivity,

“because productivity in hospitals saves lives, that is why it should not be underestimated. Healthcare centers and hospitals have recently become higher value targets due to the sensitivity of the information they process and the general lack of maturity.”

Myriam also strongly believes that cooperation is key to finding the right balance.

“To ensure success in the policies, standards and procedures I am developing, I involve experts in the organization from the beginning. I always seek consensus, especially in my current job, where I need to make all Luxembourgish hospitals align on a common strategy.”

In niche domains and life-critical environments, security is synonymous with challenges that can be solved through cooperation

One of the reasons Myriam decided to change jobs and become a CISO was her quest for a challenge. For a long time, information security was not a major concern in many hospitals, and they did not have the same maturity as organizations in more regulated sectors. Nowadays, with the increasing number of attacks such as ransomware targeting hospitals, and with new EU regulations such as the General Data Protection Regulation (GDPR) and the EU Directive on Security of Network and Information Systems (NISD), hospitals need to invest more in information security.

“Healthcare is the only industry where the threat from the inside is greater than the ones from the outside according to latest reports. When you see that human errors and internal threats do still have a significant impact, you understand that you have quite some work ahead”.

“Securing medical devices is also a considerable challenge. It is a niche domain where providers do not have much competition. It is therefore difficult to impose security requirements on them. This is paradoxical considering industrial systems such as medical systems can directly affect people's life or death and at the same time are hard to patch and secure. To cope with those problems, I think cooperation is key. In the medical domain, we are trying to increase collaboration with all health actors including the ministry within Luxembourg; and in some neighboring countries such as France. We for example sometimes reuse relevant standards developed abroad. But cooperation demands a huge amount of time, and time is hard to find. In parallel, the European Union defined, in 2017, a Medical Device Regulation entering into force in May 2020 to handle the security issues related to these devices.”

The future of security will be built in two dimensions: the organization level and the EU/international level

Cyber security is becoming strategic and the internet is the new battlefield; governments building cyber armies is a good example of that.

“Nowadays a cyber-attack can have national-scale effects. The cyber-attack on the Estonian Government in 2007 or the Ukraine hack in 2017 are only foretastes of what may happen in the future, especially now that all our systems get digitalized. From my point of view, security needs to be tackled not only in an organization (or in a consortium of organizations) but also at the EU and even international level. The new NISD will most likely be of great help. The NISD deals with defining an EU cooperation mechanism to respond to cyber incidents at the EU level. The Directive also defines critical infrastructures and the digital providers EU countries critically depend on. In our modern society, no country is self-sufficient, for example we all depend on each other for electricity, IT infrastructure etc. As such, collaboration at the EU level is particularly important though we probably still have a challenging journey ahead. In my experience, cooperation in a consortium of organizations is already very challenging, as everyone has his or her own pride and fear of losing control. For me the main success factors are test, exercise and simulation.”
