Promote Citadel Team without imposing it
Cyber risk awareness at the heart of the IT department's strategy
"Until now, employees have been using very common 'general public' tools such as instant messaging applications and our goal is to change that, switching them to a more secure tool. Citadel Team is part of this logic. I am happy to contribute to its deployment within CNES."Thierry DEMANGEOT, CISO
On September 7th, we had the opportunity to exchange with Thierry DEMANGEOT, Head of Information Systems Security at CNES .
His mission? To define and develop the security policy, both physical and cyber, within CNES and to monitor its implementation.
CNES, a major player in French space policy
CNES's mission is to "propose French space policy to the government and implement it within France and Europe through projects in an international context. "In collaboration with state actors (Ministry of Research and Innovation, Ministry of Defence and Ministry of Finance) as well as numerous external professional partners, CNES is a major asset for France. With a budget of nearly 2 billion euros per year, the Centre National des Études Spatiales is the second largest space budget in the world (in relation to the number of habitants).
Communication, a key security issue
Before the deployment of Citadel Team, the 2,400 employees of CNES did not use a tool that allowed them to exchange sensitive data in a secure manner. In a world where the protection of personal information against cyber attacks is increasingly important, it was necessary to create sensitivity within the company because, until now, "employees were using very common 'general public' tools such as instant messaging applications. These foreign applications represent a major risk for companies that cannot control their data. Therefore, the idea was to change the behaviour of employees within CNES.
At the heart of the information systems security policy
Before deploying Citadel Team within the CNES ecosystem, the question that Thierry DEMANGEOT and his teams asked themselves was whether to equip only the members of the COMEX or privilege some technical managers. In the end, the solution was deployed to all safety teams and users who needed to communicate .
The idea was not toforce employees to use a solution, but rather to make them aware of the need to protect their data, their assets and their know-how. Current events, the international context and all the publications on data theft are levers of awareness within CNES.
"We decided not to impose the tool because we know that it doesn't work. We relied more on word of mouth."
Pushing the solution without imposing it... This relies above all on effective internal communication to raise awareness of the risks of cybersecurity and data outsourcing, and to promote the advantages of Citadel Team: a French solution, as easy to use as consumer solutions, with the same features, but with added security.
The fact that Citadel Team is available free of charge, and accessible to all, including external partners, was a determining factor , because, as Thierry Demangeot pointed out, the CNES "works with multiple interfaces that have budgetary constraints. The fact that Citadel can be deployed for free was really important. »
COVID-19: a boost for the deployment of Citadel Team
Before the crisis, the strategy was to deploy Citadel Team following a "lily pad logic" (start slowly and accelerate gradually). At the time, there were about a hundred users.
Today, more than 750 employees are registered on the service. Thierry DEMANGEOT also points out that "about 45% of users are active every week and 30% are active every day."
In the midst of the COVID crisis, when telecommuting was crucial, the need was to allow employees to exchange information securely from home, whether from a smartphone or a computer. "Being able to exchange sensitive information by phone is extraordinary and meets a real need.[...] I would also say that one of the big pluses of the tool is being able to exchange information from your workstation. This is a real plus that commercial tools do not offer. »
What about the future?
Now, the objective is to consolidate the already large base of users and demonstrate that CNES employees are actually using the solution.
However, the aspect still to be developed is the secure telephony, which only around fifty of the users are currently equipped with.
"It's clearly an option for the years to come.»
With this in mind, the "Call Me" option, which allows all users to receive calls via Citadel Team, has been deployed.
Despite the existing solutions, the Citadel Call option is less restrictive in terms of devices because it can be "directly integrated into a fleet of smartphones deployed in the CNES building. "
Another aspect to be developed would be thevideoconferencing, a feature currently under development and of which CNES is a beta tester: "On paper, it looks attractive and interesting. After that, we have to see if it is competitive and if it really corresponds to uses that we could deploy within CNES. I tend to say yes, but we have to check. That is the topic to be tested in the upcoming weeks or months.»
Today more than ever, the implementation of teleworking represents a major risk for companies in terms of cyber security. CNES reacted very quickly by responding to the need for remote collaboration while protecting its know-how and assets.