Laurent Amsel
Group CISO
Carrefour
DECEMBER 2023
Group CISO Laurent Amsel of Carrefour, Governing Body Co-Chair of the France CISO Community, describes his career journey as taking place in three chapters. He started in IT operations, then he led a team that developed and produced new services, and finally, he served as Chief Information Security Officer for ten years. He believes this variety in his background is a strength that informs his work as cybersecurity chief because in many cases of technology policy or operations, he says, “I have done the work before and know what it means.”
With all of the challenges facing CISOs today, including an expanded attack surface and a constantly changing threat environment, Laurent believes that it is essential for CISOs to focus on three main priorities to be successful in their roles.
- Run the Roadmap of Cybersecurity
The first key priority is “to run the roadmap of cybersecurity,” as Laurent says. To be successful as a CISO, the roadmap must be clear, meaningful and address short- and long-term time frames. Laurent explains, “It will give your team, your C-level executives – and basically your company – good visibility on what we want to do, on which time frame we want to do it and why we want to do that.”
The roadmap should also be offered at a level pertaining to their technical acumen. He continues, “At the C-level, it should be expressed in business terms, not technical terms. But it also must be transcripted in a more technical way to be understood by the operational team.” Laurent adds that “the opposite would be [for the roadmap] to do only technical things, talk about small projects, and to lack vision and a sense of your mission.”
In addition, the cyber strategy roadmap must be aligned to the company's roadmap, or at minimum, to the company's technology roadmap, to be most effective.
I think the key to success for CISOs is to have this clear roadmap that is understood at different levels and that is on the right time frame.”
- Communicate Risk to the Board
Laurent believes that having a solid security roadmap is one of the primary ways of communicating risk to the board and helping to alleviate some of their anxiety about security threats. “They hear on TV or in the papers that companies are attacked – and some are closing because of the attack,” he says. “But the roadmap is a good way to explain, ‘This is the world as it is today, but we know what to do, and this is what we want to do.’”
It helps, Laurent says, when the roadmap includes timelines, budget needs, and estimated results. He continues, “You communicate, ‘My vision is that – in three years, if we deliver on this map, the risk will be mitigated to this level.’”
- Collaborate with CISO Peers
Even more than other C-suite roles, cybersecurity is a team sport that necessitates sharing and exchanging ideas with other security leaders. The third key to success for CISOs, according to Laurent, is to connect to an ecosystem of security peers. He says, “You have to discuss new ideas with your peers, because most likely the problems that you have somebody had before and fixed it in an efficient way.”
He believes it is important to expand your network as much as you can and shares that is why he joined the Evanta CISO Community. “My advice to other CISOs is – be open, talk to peers outside of your company, and expand your network in tech as much as you can,” Laurent says. “And, of course, don't forget to give back to others. It is part of a bi-directional exchange in cybersecurity.”
Currently, Laurent’s specific priorities as CISO at Carrefour are improving data protection and increasing security awareness. Like many organisations, Carrefour is creating more and more data on its digitalisation journey, and that data is “at the centre of the business,” Laurent says. In addition, more employees have access to data, and attackers see an opportunity there. “My forecast is that data theft will increase,” he says.
He continues, “It’s a goal of the attackers, because a large company can rebuild themselves from other attacks – they find a solution. But, when data is stolen, it’s gone. There is nothing to do to reverse it.”
This is a main challenge for me – the amount of data and the ability to protect it.”
The challenge is the quantity of data they are producing every day and how to classify it. Laurent believes that it is important to make everyone internally aware of the sensitivity of data and how it is categorised. He thinks ultimately generative AI could be a tool for helping to recognise and classify data efficiently – and to alert the security team when sensitive data is accessed.
“We expect a lot from generative AI here,” he explains. “We are at the very beginning, but I have great hope that we will find technology to help us to do what humans cannot completely do – recognise sensitive information and help us protect it.”
On the topic of security awareness, Laurent prioritises this issue because “cybersecurity is a ‘people’ issue, too… All of the stakeholders have access to data, so they must be aware of the risk.” He believes that employees need to understand the value of the data and the sensitivity level of it.
“Let's make people aware of the cyber risk to the company. Technology cannot do everything,” he adds. “Or, if you decide that technology will be your only defence, you make the life of your colleagues difficult. Everything has to be controlled by technology to avoid risk if you do not trust human beings. It would be almost impossible to work.”
He believes that’s why there must be a balance between technology and people in providing security to an organisation. The “people factor” is why security awareness is critical, but the challenge is to provide it in a way that is engaging to employees. “There is mandatory training… so you do it, but you don't really believe in it. I think we should be able to find new ways of making people aware that are more interactive and will have a real impact on their behaviour.”
With all of the various threats on the landscape, as well as a company’s digital business priorities, how can CISOs manage their efforts and workload? For Laurent, it goes back to the roadmap, accompanied by a risk analysis. “Risk analysis helps you prioritise,” he says. “If a risk is too high for my company and we have to bring this risk down to an acceptable level, that becomes part of my roadmap. So, we prioritise things based on the risk.”
For more sharing and discussions on data protection, security awareness and other top priorities for CISOs, apply to join your local Evanta community, or check our calendar for upcoming opportunities to get together with your CISO peers.
Special thanks to Laurent Amsel and Carrefour.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.
