Cybernews interview: Mathieu Gorge, VigiTrust: “the more information you share – the bigger your risk surface is”

Please find this Cybernews Interview here.

Mathieu Gorge – CEO & Founder (VigiTrust)

The rapid global digital transformation introduced not only new technologies but also a new approach to working.

This new connectivity has enabled people to become more collaborative, with options to edit and exchange documents in real-time from wherever they are working. However, the constant connection introduces new threats. As companies start to increase their digital footprint, the risk of sensitive data being breached, deleted, or misused becomes even higher.

As a result, the market has been filling up with security and compliance solutions to make sure each employee’s and customer’s private data is protected. This is why we reached out to talk to Mathieu Gorge, the CEO of VigiTrust – an Integrated Risk Management SaaS solution.

How did VigiTrust come about in 2003? What has your journey been like?

I had been working in cybersecurity for about 4 years when I started a company in Dublin, Ireland. I saw an opportunity for a niche in the market around data protection training and, back in 2003, that was really novel. Having a background in network and content security, I reached out to the connections in the market. Essentially, they came back with an answer that they would be happy to buy network security from me because they knew me, but my business was too young and the idea of data protection training was too novel for them to go with it. As a result, I started a company around network and content security, and 2 years later I went back to market data protection training. Around 2005, that started to pick up.

Essentially, for the first 14 years of the business, we were security trainers and consultants, performing assessments as well as doing security consulting, primarily in Ireland, France, the UK, and to some lesser extent, the rest of Europe. In 2017, we decided to pivot the business into what is today’s VigiTrust, which is essentially a provider of SaaS governance, risk compliance, and integrated risk management solutions.

We’ve got an award-winning tool called VigiOne, that allows you to prepare, validate, and manage continuous compliance with legal and industry security frameworks, including the usual suspects such as GDPR, PCI, HIPAA, NIST, ISO, and a few others.

Can you introduce us to your risk management solutions? What are their key features?

VigiOne is a SaaS tool that addresses three key components of any compliance and governance program:

Preparedness. We have a full e-learning platform within VigiOne that allows you to do role-based training. It allows you to demonstrate to the regulators and enforcement bodies that you’ve trained people and you’ve provided the right guidance to them in order for them to use the data and system security.

Compliance Validation. Within the compliance validation module, there are all of the usual checklists. The official questionnaires for compliance (like PCI), the regular data processing activity (like for GDPR), and also a number of best practices reports.

Governance / Ongoing Compliance. Within this tool, we essentially have a dashboard that allows you to report per exception and per completion. That adds a lot of value because it’s great to know where you’re in compliance, but it’s even better to know where you’re not so that you can drive your efforts to the right area and make significant improvements.

Once you’ve achieved compliance, you have to maintain compliance at all times. What that means in practice is that there are daily, weekly, monthly, quarterly and yearly tasks that need to be performed – whether it’s updates of policies, quarterly pen tests, or yearly training.

The tool also allows you to have templates for projects. Speaking of templates, the VigiOne tool is really unique because it allows our clients and partners to create their own security frameworks using Assessment 360. That’s a web console that imports controls, a list of requirements, and different ways to validate and maintain the controls. It’s very intuitive and it makes compliance easier and more straightforward.

Besides quality risk management systems, what other security measures do you think should be a part of every modern company?

You can’t have an effective security or compliance program unless you make security a part of the company’s DNA. To do so, you must start by educating key decision-makers, C-level executives, and the board. The challenge is that you’re often faced with what we call the 5 stages of cyber-accountability grief:

Denial. “It doesn’t apply to us, we’re here to build the company, grow employment, generate profits for the shareholders – don’t bother us with cyber!”

Anger. “We’ve given you money to hire a CISO, a compliance officer, put firewalls in place, and train people. Go and talk to the compliance people, they’ll look after you.”

The bargaining stage. “We can see our competitors are being audited by the regulators. Maybe we should hire a big firm to come in and do an assessment, and that’ll get us off the hook.”

The depression stage. “We need to do something. How are we going to do it?”

The acceptance stage. “I guess we’re doing a lot of stuff right, and all we really need to do is put our house in order and bridge the gap.”

It’s very important to make sure you have a sponsor who is going to back the entire project and review it on an ongoing basis. If you look at a standard like PCI, it’s a great one to get started because you can replace “credit cardholder data” with “sensitive data,” and it gives you a minimum benchmark of what you need to do. However, none of this will work unless you build a sense of collective responsibility.

Have you noticed any new threats emerge as a result of the recent global events?

I often talk about the 4 points of risk:

Geopolitical
Financial, contractual, and operational
Brand reputation management
Pure cyber/IT risk

Today, the geopolitical risk is absolutely massive, because essentially the arrows are shifting. The invasion of Russia into Ukraine has created a shift in the balance of power on many fronts. It’s also resulted in an increased rhythm in terms of cyberattacks. For instance, it’s well documented that Russia tried to hack into the Ukrainian government 3 to 6 months prior to the physical attack. During the same time, the Ukrainians have tried to do that in Russia as well. As a result, of the sanctions imposed by the US and Europe and a few other countries, the Russian economy is being squeezed, and what we’re seeing now is retaliation in the shape of cyber attacks coming from Russia into the Western world.

What we’re also seeing is a disruption in regard to the Internet, where we’re in the process of creating two major internet zones: the one outside Russia and the one within Russia. That is upsetting the way we’ve been doing business for a while and will impact the way data transfers are going to work moving forward.

We are also seeing a number of potential issues regarding data that’s hosted in Russia. So if you’ve got data hosted in Russia, for now, the Russian government hasn’t imposed any ban on data traffic, but one can only assume that it will come. It’s important to understand the parts of your ecosystem that are linked to Russia and whether or not you’ve got critical data in Russia because there is a chance that you may or may not be able to extract it moving forward.

What can average Internet users do to protect themselves from these threats?

The cynic in me says you should stop being connected altogether, but that’s just not practical. In reality, most of us have 3-5 connected devices with us at any given time. We need to be aware and protective of our own personal infrastructure. For instance, it’s not necessary to download every app that you come across, and it’s not necessary to accept data for geolocation.

The reality is – if you don’t need to share your data, you shouldn’t share it. If you don’t need to share your location, you shouldn’t share it. The more information you share, the more apps you use the bigger your risk surface is. A number of organizations worldwide are providing free training on how to secure your home networks because it’s based on the idea that if I tell my employees how to secure their home network and give them advice for free, they’re going to be more security-aware. Of course, you need to have as much security as you can: update your antivirus, backup your items, and encrypt your laptops.

At the end of the day, from a human being’s perspective, you don’t have to trust everyone. Unfortunately, we don’t live in a world where you can trust everyone. The reality is because we’re all connected, we have to make sure we understand the concept of personal infrastructure protection.

In your opinion, why do certain companies still fail to keep up with compliance and other security standards?

I go back to the three areas that VigiOne covers: preparedness, validation, and ongoing compliance. I always say that security is a journey. You’re on a journey to secure your systems, have the right processes in place, and train people. Then you validate compliance and by the time you celebrate that with a cup of coffee, you are out of compliance. The risk surface is not static. Every time you buy a company, you increase your risk surface because you inherit systems you’re not familiar with.

During the pandemic, a lot of organizations started digitizing their products. Pre-Covid, it would have taken them three years and security would have been taken into account. But at the beginning of the pandemic, companies prioritized getting products to market to bring cash in, rather than doing it securely. Now, that has to be addressed. When you want to maintain security, you have to update the systems, the process, and the training. Where people fall down is not necessarily the goodwill of trying to achieve compliance the first time, it’s maintaining compliance and having that self-discipline before somebody knocks at your door.

What dangers can customers be exposed to if a company they trust struggles to ensure compliance?

As a client, I’m going to entrust you as a supplier with my data. Some of that data is considered personal: health information under HIPAA or any other type under GDPR. So, if you have my date of birth along with my name, address, and social security number, that might be considered personal information. The danger for me as a consumer is that I may trust the wrong company with my data or I may trust a company where my data is not protected. Maybe somebody can copy the data internally. Maybe somebody can hack the systems easily. Maybe I’m not providing the minimum level of security required.

Now, if somebody gets my credit card information – it’s a pain, but it’s not life-threatening. If somebody gets my health data, on the other hand, I only have one. I can’t order another set like I can order another credit card. As a customer or citizen, it’s fine to ask questions about how your data is being secured and even to ask for a copy of all the data they have on you. That’s a data subject request, and in Europe, it’s compulsory. You can request one to either correct the data or ask the company to update the data.

What are the most common vulnerabilities nowadays, that if overlooked, can lead to serious problems for a business?

Patching is a major issue. If organizations don’t patch their systems, they won’t be able to prevent most of the vulnerabilities that are being exploited by hackers. You need to patch your antivirus and anti-malware. Then, users need to be trained regularly, because if you look at the way ransomware gets into the systems of an organization, it’s generally through social networking and phishing. In plain English, somebody clicks on a link or document they shouldn’t have clicked on, and it infiltrates ransomware software and encrypted data. Ultimately, if you keep your systems patched, close all the open doors, and train all your people on a regular basis, that’s the best way to address the latest vulnerabilities.

Tell us, what’s next for VigiTrust?

VigiTrust is scaling tremendously. From a technology perspective, we are integrating AI into our compliance engines to help people make better, more accurate, and more effective decisions regarding their compliance. We already have clients in 120 countries in multiple industries, and we are still growing.

We also have a growing Advisory Board with 800+ members from 32 countries. The VigiTrust Global Advisory Board is a non-commercial think tank made up of leading security and compliance subject matter experts, including C-level executives, board members, regulators, law enforcement, researchers, and other stakeholders, as well as influencers within the security industry. At our regular meetings, we discuss how data governance, information security, systems security, and critical infrastructure security impact the security and compliance industry. So watch this space!

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
mgref	1 year	This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
visitorId	1 year	ZoomInfo sets this cookie to identify a user.

Cookie	Duration	Description
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
G	1 year	Cookie used to facilitate the translation into the preferred language of the visitor.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gat_gtag_UA_59241235_1	1 minute	Set by Google to distinguish users.
_gat_gtag_UA_89738490_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_s	1 year	This cookie is associated with Shopify's analytics suite.
ajs_anonymous_id	never	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_group_id	never	This cookie is set by Segment to track visitor usage and events within the website.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.

Cookie	Duration	Description
_ad_session	session	No description available.
_cfuvid	session	Description is currently not available.
active_demand_cookie_cart	1 hour	No description
activedemand_session_guid	10 years	No description available.
AnalyticsSyncHistory	1 month	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
debug	never	No description available.
lfuuid	9 years 3 months 9 days 10 hours	No description available.
li_gc	2 years	No description
session_uid	20 years	No description available.
timezone	1 month	No description available.
timezone_offset	1 month	No description available.
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

VigiBlog

Cybernews interview: Mathieu Gorge, VigiTrust: “the more information you share – the bigger your risk surface is”