By Franck C., Cybersecurity Consultant


Franck, can you tell us about your career path? Have you always worked in cyber?
I started working in IT a little over 10 years ago, in 2008, initially as an IT operations technician at the newspaper La Provence. After completing my technical degree in Networks & Telecoms, I went on to study for a professional degree in Enterprise Network Administration & Security.
I joined EDF's Networks & Telecoms division. Within my team, I managed the network infrastructure and security for numerous tertiary sites in the Mediterranean region. This included call centers, as well as nuclear and hydroelectric power plants in the south of France.
I continued my work-study program with EDF to obtain my Diploma in Computer Engineering Management. During my four years at EDF, I held a number of different roles, from N2/N3 network operator to Network & Security Architect/Integrator, as well as project manager assignments.
With a primarily technical/operational background, I chose to join Telindus (now acquired by SFR) as a Network, Security, and Data Center Consultant.
I wanted to specialize in Information Systems Security, focusing more on GRC (Governance, Risk, Compliance), but I was still too passionate about technology, so I took a final one-year detour into operations as an N3 Security Engineer, so that I could maintain an understanding of the challenges and constraints of the technical world.
When did the Squad adventure begin?
Two years ago, I joined Squad, which brought me closer to the defense industry, a field I am deeply passionate about. With this dual technical/organizational role, it's hard to say whether I've always been in cyber. Personally, I consider myself to be.
Where recruiters think only of the RCMP when talking about cyber, by looking at the official definitions of the term and activities related to cybersecurity, we realize that the scope is much broader and does not correspond solely to the strategic aspects of ISS.
In practice, cybersecurity encompasses activities related to the protection, defense, and resilience of digital operations and information.
I also note that people are much more willing to talk about cyber issues when matters relating to the protection of states, individuals, and national sovereignty are involved.
The strategic/GRC aspect is therefore only a small part of cybersecurity. In 2010, my first "big" assignment was to design, model, and integrate a network and security infrastructure that would enable physical access control in sensitive areas, so it was difficult not to see the "cyber" aspects of this.
Some would argue that this is not the case. I believe this is a mistake, and unfortunately indicative of a lack of understanding of the full range of activities related to cybersecurity, particularly exacerbated by the hype surrounding cybersecurity. Ultimately, IT security, SSI, and cybersecurity are exactly the same thing, viewed from a different perspective.
What certifications do you have, and how did Squad help you obtain them?
I began my career by focusing on technical certifications, first CCNA for Cisco, then CSNA for Stormshield. Moving towards more strategic topics, I chose the ISO 27001 Lead Auditor certification, which is an excellent introduction to these subjects.
Since joining Squad, I have obtained two certifications and one qualification. First, the PASSI (Information Security Audit Provider) qualification, covering organizational and physical audits, architecture, and Audit Manager.
I also contributed significantly to the formalization and implementation of the Internal Audit Structure for our clients, based on the ISO 19011 standard, enabling Squad to become PASSI-certified as a company.
Having developed my skills in Governance (ISO 27001) and Compliance (PASSI), I then turned my attention to Risk Management, the third component of the GRC triad. Thanks to Squad, I completed the ISO 27005 Risk Manager training course with HS2 this summer.
Did you have other opportunities? Did you teach yourself?
I participated in an initial (non-certification) internal introduction to EBIOS RM, which has given me a broad understanding of strategic cyber issues (the famous GRC), without claiming to be an expert in the field.
To further solidify this overall understanding, Squad also allowed me to self-study on Udemy and finance my CISSP (Certified Information Systems Security Professional) certification: a sort of ultimate holy grail, attesting to a fairly high level of expertise across the entire spectrum of cybersecurity.
With this desire to remain versatile and to have the ability to understand both organizational and technical aspects always in mind, I am now moving towards CEH (Certified Ethical Hacker) certification.
My goal is not to become a pentester, but simply to better understand attackers so that I can better analyze, organize, and prepare IT defenses.
