Active participation in CLUSIF

Médiane Système has been a member of CLUSIF for 2 years now, but what is it? What does it involve? And above all, what does it bring?

This interview with Marie-Pierre FALLY and Sandrine BENARD, both of whom work at Médiane Système and are members of CLUSIF, will give you a better understanding of this entity.

What is your current position and your role within Médiane Système?

Marie-Pierre FALLY: “I’m in charge of the Quality, Cybersecurity and Environment department and the associated regulatory management. My role involves managing the quality department, which is made up of several RAQP (Project Quality Assurance Managers), an RSSI (Information Systems Security Manager), auditors and assessors, as well as process pilots.

My role is also to manage certifications and the deployment of industry standards, and to implement the strategic axes of quality and cybersecurity for a variety of purposes:

  • Optimize Médiane’s performance.
  • Contribute to the development of the company’s ethical and societal values (CSR approach).
  • Manage audit and verification plans.
  • Ensure regulatory watch.
  • Improve the quality of our developments by using industry standards and tools adapted to Service Centers and fixed-price projects.

I am thus enabling Médiane Système to position itself legitimately in various sectors and on constrained projects.”

Sandrine BENARD: “I’m both CISO and QPR. After graduating from the Ecole Centrale and gaining 5 years’ experience in software development, I decided to move into the field of quality. I currently work part-time in this department, alongside my role as CISO, which covers the following missions:

  • Control digital risks by identifying and reducing the number of vulnerabilities.
  • Secure and strengthen the Information System in collaboration with the RSI (Information System Manager).
  • Develop internal listening and skills to improve adaptation to threats.
  • Anticipate and manage cybersecurity crises.
  • Anticipate customer needs and secure technical solutions.”

Can you tell us what CLUSIF is? What is its purpose and how does it work?

To begin with, CLUSIF stands for Le Club de la Sécurité de l’Information Français. In other words, it’s a non-profit association of information security professionals from all sectors of the economy.

→ Its aim is to promote information security (a factor in the long-term survival of companies) by controlling exposure to general risk, and to risk linked more specifically to information systems.

→ Its aim is to encourage the exchange of best practices and feedback through workgroups and workspaces, the publication of documents and the organization of conferences.

CLUSIF’s board of directors is made up of two colleges, each with seven members:

  • The “Suppliers” college: representing suppliers of security solutions and services.
  • The “Users” college: representing IS managers.

CLUSIF remains in line with ANSSI (Agence Nationale pour la Sécurité des Systèmes d’Information) guidelines, but is often ahead of the curve on new topics.

Why did you decide to join CLUSIF?

“As part of our cybersecurity rollout, and to meet the requirements of ISO 27001, we needed to exchange best practices with our counterparts and get feedback on cybersecurity. This was a new area for us. The CLUSIF conferences, and in particular the discussions in the CISO space, were an indispensable source of intelligence for us.”

Why did you decide to join CLUSIF?

Marie-Pierre FALLY: “Sandrine and I took part in a number of working groups and conferences. As a CISO, Sandrine had the opportunity to join the very exclusive ‘CISO space’. This space currently has 164 members, who meet once a month and communicate via the RSSI space’s internal mailing list.”

Sandrine BENARD: “Today, our role within CLUSIF is participative. In 2018, we were able to organize a meeting between SYNTEC (CSR/quality group) and CLUSIF around the RGPD. This meeting was co-hosted by a CLUSIF administrator and Marie-Pierre.”

What does your involvement with CLUSIF bring to your work?

“Participating in the various working groups and conferences enables us to continue our training by learning from the feedback we receive. It also enables us to keep abreast of new tools, methods and techniques used by our counterparts, whether in large groups or smaller companies.”

What are the direct and/or indirect impacts for Médiane Système? Do you have any concrete examples?

“The CISO space is a privileged place where mutual help is the watchword. As such, a CISO who is aware of a major attack in the pipeline, or who has experienced the initial fallout, usually quickly notifies the other members so that they can prepare for it.

For example, Médiane Système was informed in the very first hours of the “WannaCry” threat via this mailing list. This information enabled our RSI, as well as our technical teams in general, to react as quickly as possible to secure the information system and thus protect against this attack with the least possible impact on users.

We also pass this information on to all ICE Group companies.”

Finally, what are your plans for the future with CLUSIF? In other words, how do you see your involvement with CLUSIF in the future?

“As CLUSIF’s operations are based on sharing, it’s only fair for us to make our contribution in return for what we’ve received. As such, we’ll be presenting our ISO 27001 approach at the CISO space in September. Subsequently, we propose to raise awareness of the quality professions within CLUSIF, and to give members the benefit of our feedback. Indeed, there are a number of similarities between the cybersecurity and quality professions, particularly in terms of governance and methodology. The September presentation will certainly be a first step. In any case, it will be a great opportunity to showcase Médiane Système’s expertise…”