A country of unicorns: Can we learn from innovation in French cyber security?
A country of unicorns: Can we learn from innovation in French cyber security?

Ever since being elected French President in May of this year, Emmanuel Macron has made his ambitions clear for France to become Europe's technology leader. During his speech at the Viva Technology conference in Paris in June, Macron announced his plans to turn France into a “country of unicorns.”

President Macron is on a drive to promote the French corporate market. While venture capital investments in other European countries have been in decline, they are steadily growing in France. Cyber-security start-ups have seen much of this investment come their way and the number of security vendors has increased in recent years. Cyber-security is likely to continue to be a key focus for the President, whose own campaign faced a large-scale, coordinated cyber-attack just days before voting started. 

Alongside countries such as the US and Russia, France is one of the top states facing cyber-attacks, accounting for 2.35 percent of threats detected globally[i]. As a result, France is working hard to raise awareness of cyber-security and is focused on developing innovative security technologies. The high volume of attacks that the country has seen, has forced France to take a different and, in many ways, unique approach to both education and technical solutions for cyber-security. France has already seen numerous successes and innovative cyber- security projects take off across the healthcare, finance and defence sectors.

So can we learn anything from the French approach when it comes to cyber-security?

The government's approach

The government has a clear focus on cyber-security and in 2009, established the Agence Nationale de la Sécurité des Systèmes d'information (ANSSI), a national authority with responsibility for IT security. Reporting to the Secretary General for Defence and Security, ANSSI assists the President in overseeing the security of all French information systems, as well as helping create regulations and security policies. 

Through ANSSI, safeguarding France's cyber-security is seen as a way to better preserve the sovereignty and independence of the nation, protect its critical national infrastructure and ensure the day-to-day safety of citizens. In 2015, Prime Minister Manuel Valls announced the French national digital security strategy. Led by ANSSI, the strategy is designed to support French society as it adapts to digital change. It aims to promote France as a leader in driving the roadmap for European digital strategic autonomy.

Cyber-security organisations are not the only ones helping to raise awareness of cyber-security and promote best practices. Supported by ANSSI, CIGREF, a network of 140 large French-based companies across different sectors, is dedicated to educating everyone on current cyber-security risks and changes in the landscape. The organisation adopts non-traditional channels to achieve this, often reaching a younger audience than typical cyber-security intiatives. In 2016, the organisation developed a short web series around a reality show called ‘Hacker Academy'. In each episode a different hacker and hacking tactic is focused on, as well as ways to avoid falling victim. 

In a further show of commitment to cyber-security, in 2015 the Government introduced the France Cybersecurity Label. The label is awarded to those who deliver high quality products and services. It is a guarantee for end users that the products and services deliver ‘well-defined functionalities, with a level of quality established by an independent panel.' The certification enables vendors to set their solutions apart from others and gives buyers peace of mind that a product is certified.

Collaboration and integration

It's not just the French government working hard to ensure the country is properly protected against cyber-attacks. Security vendors are collaborating, through associations such as Hexatrust and CLUSIF, to integrate complementary but specialised offerings and combine knowledge to solve IT security issues.

Hexatrust is made up of 29 established French IT security companies that have 10 to 20 years of experience. It has 1,200 collaborators with €150 million in annual turnover. Each company in the group provides complementary, state of the art technology. The group's R&D budget represents almost a third of its members' turnover, with a total investment of €45 million each year. Each member is independent, and is tasked with remaining at the forefront of the technology in their area, whilst working together with other members to guarantee a complete and integrated offering for customers. As a result, the group is able to continuously innovate across all areas of cyber-security. Hexatrust believes that a proactive approach doesn't stem from centralisation but is instead achieved through cooperation. A project which usually takes four years, takes the group no more than four months to complete on average.

Collaborating on cyber-security knowledge and insight is commonplace in France – serving to make key issues open to all to solve together rather than working in silos against each other.  One example is CLUSIF, an association of professionals and suppliers within the French IT security industry. CLUSIF holds regular working groups that facilitate discussions and explore best practice guidance to industry challenges. Working in such a collaborative way enables organisations to make better informed decisions.  Another example of collaboration is the Association of Data Protection Correspondents (AFCDP).  This is an open forum for people to discuss and debate the role of the Data Protection Correspondent – soon to be Data Protection Officer (DPO) with the incoming General Data Protection Regulation (GDPR). AFCDP's aim is to promote discussions on relevant issues, to educate members and non-members and to deliver best practices and guidance on these issues.

Innovation is highly-regarded and celebrated throughout the French cyber-security industry. The approach taken in France often allows smaller companies and start-ups to get in on the action, bringing new and innovative products to the market – where ordinarily larger, more established organisations might hold a monopoly. For example, the French International Cybersecurity Forum (FIC) holds an annual SME Innovation Award programme. The programme encourages research and innovation by SMEs in the industry. The international presence at the forum also helps to provide greater visibility for SMEs. Another well-established cyber-security event, Les Assises de la Sécurité, also awards an Innovation Prize.

Conclusion

In France, industry bodies and associations are dedicated to raising awareness of cyber-security issues for both businesses and the general public, not just locally but internationally. This global approach means the best quality solutions are made available. With organisations, such as ANSSI, ensuring that the standards and regulations set out are met and implemented, everyone has a clear understanding of what is expected of them.

This dynamic and innovative attitude is a key lesson that can be learnt from France and sets the country apart when it comes to cyber-security advances. For France, it's important to take a comprehensive view of security, prioritising high risk areas first – but not just focusing on point solutions.


[i] Business Insider, The world's 10 biggest cyber crime hot spots in 2016, 14 May 2017,http://uk.businessinsider.com/worlds-10-cybercrime-hotspots-in-2016-ranked-symantec-2017-5/

Contributed by Olivier Morel, pre-sales manager, Ilex International

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.