Discover with Sami the advantages of GRC
Sami Feki, Senior GRC Consultant at Synetis, tells us about his day-to-day work and the key features of his practice.
Discover our expert's Synetisian adventure!
Can you tell us about your career before and since Synetis?
I began my professional career in Tunisia, where I obtained a Master's degree in Information Systems (IS) Audit and Security. I then went on to work for a multinational company specializing in auditing, as an IT Auditor.
This experience enabled me, on several occasions, to go on secondment to France and discover the French market. I then decided to move to France so that I could develop my skills and extend my career in a country where cybersecurity is more highly developed.
When I arrived, I had the opportunity to work for a major international bank, as Cybersecurity Coordinator. This experience enabled me to gain a better understanding of the regulations that revolve around Governance, Risk and Compliance (GRC) - in particular the LPM law (Loi de Programmation Militaire). I was also able to observe the workings of other teams (I had the opportunity to work on application maturity analysis and the monitoring of security measure implementation, as well as several other cross-functional projects), as well as their needs in terms of security.
How did you join us and what is your day-to-day role at Synetis?
I joined Synetis' GRC practice - after 6 years' experience in cybersecurity - in April 2021. I hold the position of Senior GRC Consultant.
My daily life at Synetis is very stimulating, my missions are never the same and I learn a little more every day.
At the start of my Synetisian adventure, I had the opportunity to work for several players in the banking sector, as RGPD Compliance Manager.
Since April 2022, still in the same sector, I've been working on a daily basis for a customer in the position of IS Security Manager. As part of a new product acquisition, I support my client in maturity analysis projects for new solutions, whether Cloud or On-premise. My aim is to select the best solution to meet our customer's needs - in line with standards and best practices. The final decision in this type of project can be made through workshops - to identify the need and criticality of the data that will be passing through the new application, but also through risk analysis and maturity analysis.
What is Governance, Risk and Compliance (GRC)? Why are these areas important for companies?
Governance, risk management and compliance are three fundamental elements in the smooth running of a company. Taken together, they give us GRC:
- Governance is the set of policies, rules or frameworks that a company uses to achieve its objectives or to protect all those involved in its operations (employees, customers or shareholders' funds);
- Risk, as defined in ISO 27005, refers to the impact of an adverse event on the proper functioning of a process or the company. A good risk assessment will enable a company to identify security flaws in its IS and apply corrective measures. The impact of these risks is calculated by the probability of occurrence of an adverse event, and its financial, reputational, operational or legal impact;
- Compliance means respecting the laws and regulations applicable to the company. These differ according to the company's sector of activity, its location, and even that of its customers.
How do you accompany your customers on their assignments? What issues do you encounter most regularly?
Throughout my career, I've supported a variety of customers - in different business sectors - and carried out several types of assignment, such as compliance audits, RGPD compliance, risk analysis using the EBIOS RM method, or solution maturity analysis. Each of these assignments has enabled me to develop my skills, meet new people and work with different teams.
As part of our missions, we work with other cyber teams - such as the CSIRT (CERT) team and operational audit teams - to carry out PenTest vulnerability scanning missions. It was a very rewarding experience!
I believe that technical knowledge enables GRC consultants to have a clearer view of their assignments and a better understanding of their sector of activity. These skills also enable them to focus their work and better respond to their customers' needs.
Have you ever taken any certifications? Why is this important?
In the course of my professional career, I've been lucky enough to obtain four certifications:
- Cisco CCNA 1, 2, 3: three certifications issued by Cisco, an American company specializing in network and server hardware. These are recognized as the industry standard for network design and support, guaranteeing high levels of specialization and credibility;
- ISO 27001: international standard describing the best practices to be followed when setting up an Information Security Management System (ISMS);
- ISO 27005: standard containing guidelines for information security risk management. It supports the general concepts set out in ISO/IEC 27001. This standard is designed to help companies and organizations implement information security based on a risk management approach;
- CyberArk Defender: this certification, issued by CyberArk, helps us strengthen our knowledge and skills in critical layers of security to protect privileged accounts.
In my opinion, it's important for consultants to obtain certifications. These are necessary to gain technical expertise and to be recognized by the professionals we meet on assignments. These certifications also endorse our expertise in a specific field, and enable us to keep our knowledge up to date in a constantly evolving cyber world.
Obtaining these certifications enables me to maintain an evolutionary mindset and thus remain competitive in my field.
In your opinion, what are the top 3 pieces of advice to give a company to effectively manage its risks?
Here are the three pieces of advice I would give a company to effectively manage its risks:
- Risk assessment: this step helps us understand the vulnerabilities and threats facing the company. It also enables risks to be estimated and categorized according to their potential impact. Ultimately, these analyses will enable companies to deal with their risks more effectively, and to deal with them efficiently thanks to appropriate preparation;
- Implementing security policies and charters: in order to control risks, a company must also implement security policies, procedures and charters. These need to be shared with all the organization's employees - so that they can familiarize themselves with them and apply them. These policies must be reviewed periodically as part of a continuous improvement process;
- Employee awareness: it's very important to raise awareness among your teams and train them in good cyber practices, so that they can apply these security rules correctly.
Can you name a topical issue that could have a major impact on cyber risk management?
Several topics come to mind. First of all, the subject of ransomware is always a hot topic in the world of cybersecurity. This type of attack, which can block a company's information system, can have a real impact on cyber risk management. In the event of an attack, the company's business could come to a complete standstill.
Today, we can see a proliferation of software centered on Artificial Intelligence (AI), with the emergence of the ChatGPT platform as an example. This type of platform has led to an increase in cyber-attacks, as it enables hackers to penetrate vulnerable information systems more easily.