Cyber security, is the central topic on our agenda today. I have been listening with great interest to the speeches held so far and am looking forward to a fruitful cooperation between countries, as part of the outcome of my mission in Poland.
Cyber security goes beyond IT. It is a matter that concerns any individual using multimedia. For a country building its economic strengths on ICT, cyber security is an essential asset to its economic attractiveness.
Cyber security creates trust among citizens and businesses. However its implementation is often discriminatory from the point of view of costs and complexity. In Luxembourg, we have addressed this dilemma and identified quite an interesting governance approach.
We came to understand that the concept of “Information security” is only going to work in today’s society, if it is “customer” or “user” oriented. By customer, I mean the citizen, an SME, a larger company and of course the government itself. The customer or user centric view is thus the only perspective from which to gain insight into the real needs and challenges of today’s world.
Just like in meteorology, in cybersecurity we need reliable forecasts. In cyber security these forecasts are called “threat assessments”. The more you are aware of threats against your assets, the better you will be able to protect them – and your activity.
The objective of the “threat assessments” is to raise awareness of risk exposure at customer level. Thus enabling him to improve his organisational and behavioural measures, and configure his mitigation tools accordingly.
Timeliness and accuracy of warnings, alerts or configuration instructions of the mitigation tools are therefore of outmost importance in building information security.
However, a reliable forecast doesn’t do the job alone. As much as it must fit the real need of the user, it must be understood and trusted by him.
To achieve that goal in cyber security, Luxembourg has decided to create 3 Computer Emergency Response Teams (CERTs). Each one focussing especially on the need of their community : Research and Education, Government, and Business. (The latter being coordinated by the Ministry of the Economy.)
These 3 bodies do not only analyse threats and issue warnings in a customer friendly approach. They also develop performance indicators based on threat assessment results. Those represent an important element at the level of the national information security governance.
In order to be more resilient, we advocate “information security as an infrastructure”. Basically, this means that we support the creation of synergies in different domains and at different levels within society.
You may know about the “emergeny.lu” project. It is a great example of a fruitful cooperation between the government, SES Astra, HiTec and Air Rescue. “Emergency.lu” aims to guarantee access to communication in case of large infrastructural breakdown. Satellite communication capabilities, which normally provide many business opportunities, are put in this case at the service of a resilient communication.
In that same perspective, my ministry is undertaking large efforts to mutualise security measures that exist with the ISPs. We aim at democratising risk assessment by creating collaborative risk assessment platforms that foster collaboration and enhance preparedness.
Moreover, we reduce the complexity and effort of risk assessment to a minimum. Our method uses a common language describing assets, threats and vulnerabilities. It also provides pre-configured, reusable risk assessment objects.
The first test runs have shown that current costs for performing a risk assessment in company are reduced by 80%.
“Risk assessment” is now an affordable service in Luxembourg, with a positive impact on the country’s e-economy health index.
Cyber security represents an economic opportunity. We strongly believe in the empowerment of all the stakeholders, as part of the democratisation of information security. Our approach is customer oriented, collaborative and coordinated at national level.
Thank you for your attention.