- Speaker #0
This episode is a French-to-English translation of our original podcast. We've done our best to adapt cultural references, but you may notice the occasional unusual phrasing or wordplay, which may not land quite the same. Thanks for your understanding. Welcome to In the Eye of Cyber, the podcast that gives voice to digital players. I'm Anne-Laure de la Rivière, Communications Director at Gatewatcher. Today, we have the pleasure of welcoming Fabrice Bru, Director of Cybersecurity and Architecture at STIME, the IT department of the Mousquetaires Group, and recently elected President of CESIN. We'll discuss the specific challenges of the retail sector, a domain facing unique cybersecurity challenges between the multiplication of external providers, the protection of IoT infrastructure, and cyber attacks targeting major retailers. A conversation rich in perspective. Hello, Fabrice.
- Speaker #1
Hello, Anne-Laure.
- Speaker #0
I always start with a brief introduction about my guest. Fabrice, you graduated from Pierre and Marie Curie University. You also hold an executive MBA in strategy and economic intelligence from the School of Economic Warfare. You began your career as a Technical Sales Engineer at Aircom. In 2003, you joined the Danone Group as CISO, then Louis Vuitton as Head of Cybersecurity in 2008. In 2018, you joined STIME, which is the IT department of the Mousquetaires Group, as Director of Information Systems Security. And recently, you've become the Director of Cybersecurity and Architecture at STIME. And you've taken over the presidency of CESIN, the club of experts in information and digital security, succeeding Mylène Jarossay. That's a very rich career path. And now, I'd like to focus a bit on your particular sector of activity, since retail is quite an interesting example, with very specific challenges related to digital: you have thousands of points of sale, infrastructures to integrate, a strong dependence on external providers, and you have to deal with a particularly extensive attack surface. So, how do you secure such a fragmented ecosystem without hindering innovation and customer experience? What new risks are emerging in this sector? That's what we're going to see now with Fabrice Bru. So, I'll remind you that you are the Director of Cybersecurity and Architecture at STIME, the IT department of the Mousquetaires Group, and retail is a sector that has massively adopted digital in recent years, including e-commerce, mobile payments, and automated checkouts. Has this digital acceleration been well anticipated in terms of security, or are we still reacting to threats?
- Speaker #1
Well, actually, no. The retail sector is no longer reacting to threats. The retail sector has matured enormously in terms of cyber, of cybersecurity. When we look at all the CISOs in retail in general, I'm not talking about the Mousquetaires group, but really all of retail, we see that there are real strategies in place. We see that increasingly, cybersecurity is taken into account in the various projects of retail players from the start, and that a whole chain of protection is being put in place. A whole chain of detection is being set up. And by the way, I see within the CESIN club, for example, we have a community called the French Crystal, where in fact all the CISOs in charge of retail activity, all the major retail chains, but not only them, meet to discuss risks, to discuss threats, to discuss action plans for cybersecurity coverage, and meet twice a year to exchange. So really, today, the retail sector is no longer reacting to threats as it was 10 or 15 years ago, maybe, and even then. But really, we can see that, well, when I attend these meetings, I tell myself that we have finally reached a certain level of maturity that means we don't have to be ashamed compared to other, much more mature entities.
- Speaker #0
With thousands of points of sale, sometimes with their own infrastructure, retail is a fragmented ecosystem. Can we really secure such a decentralized network without hindering innovation? How do you do it at the Mousquetaires Group, for example?
- Speaker #1
Well, first of all, I'm not sure that this is really specific to retail. If I take other examples, this question could also be asked of companies in the automotive sector that have dealerships, and we can also think of the insurance sector, which also has agencies. So, in fact, we do have a lot of connection points, a lot of stores, warehouses. As you said, the specificity of the Mousquetaires group is that we also have factories. Well, in fact, we do like all large companies. We have standards that are deployed, there are rules that are imposed, which means that the cybersecurity settings of one store are identical to another. But in the same way as the information system that is installed more globally in the store, we install the same self-service checkouts, the same payment systems, the same payment terminals. In short, everything is harmonized because otherwise it would become completely unmanageable, and not just from a cyber perspective. So we need to rationalize. So indeed, there are standards; it's just that the number of sites is rather large. But fortunately, we have pretty much the same rules everywhere.
- Speaker #0
I understand. And so the retail supply chain relies on increasing automation with robotized warehouses, with ultra-optimized flows. Have these systems become the new target of cyber attacks?
- Speaker #1
Indeed, in the retail sector, and especially in the warehouses we have, there are still some warehouses that can operate for certain retail brands as before, with a warehouse management system, order pickers and then delivery systems, administrative sales management, etc. And then you do indeed have more and more logistics bases that are being mechanized or robotized. And so we are finally starting to see them converge towards the same issues as those in more industrial sectors. So the way to approach the subject will be different, because when you are in a warehouse that is totally robotized or mechanized, you will be dealing more with industrial systems. So you'll be talking about automation, you'll be talking about conveyors, you'll be talking about sensors. So the language is a little different. The dreaded events are not totally the same. But ultimately, once you have managed to identify all the dreaded events and what constraints the logistician had, well, the security principles that apply will be the same. Then, depending on the industrial or logistics setup, for what we might call physical reasons, you may have equipment that is a bit special, that is more resistant to shocks, etc. But fundamentally, the cybersecurity principles you will implement, the processes you will implement, are the same. The only differences are that the resources to operate them are not necessarily always the same, and the way to explain it and translate it is not the same.
- Speaker #0
We've heard about quite a few cyber attacks in the sector in recent months, including Truffaut, Auchan, Cultura. What do these attacks teach us about cybercriminal strategies in retail?
- Speaker #1
Well, first, what we learn is that cybercriminal organizations have understood that it's not just banks that have information about citizens and consumers. And most importantly, they have information at their disposal that can be monetized because ultimately, among the criminal organization's objectives, it is also a matter of money. For a long time, we heard about, I remember, for example, the Target case on credit card information theft, etc., for which we had regulations. Well, not in the legal sense of the term, but indeed, the card providers have joined forces and imposed standards that we must apply. So the best-known standard is PCI DSS in our universe. So we have managed with these standards to protect our customers' banking information. That's already a first point. The second thing is that we must also see that when you go to what we might call the major retailers, I think we can go to cosmetic shops or large retail chains, you have the loyalty card, and the loyalty card is ultimately also a means of payment, because each time you go through the checkout and present your loyalty card, you earn, what do you earn? You earn a bit of money, in fact, which you can reuse during your next visit to the store. So that's also money. And so, indeed, we can see that cybercriminal organizations are saying to themselves that there is an interesting financial windfall to collect. So that's the first piece of intelligence. So we see that there are more and more cybercriminal organizations that are making themselves known as being particularly aggressive towards retail brands. Then, the other problem we have is that we are also regularly victims of what is called, it's a bit of a barbaric term, credential stuffing.
But to try to explain it simply, over the course of the various computer attacks of the last 10 years, there have been thefts of logins, passwords, in short, access identifiers, which have been grouped together in large databases. And so today, we have cybercriminal organizations that use these resources, these databases, to test all these identifier pairs, logins and passwords, on all retail websites. And so sometimes, obviously, it works, because as citizens, it's complicated to have a different password for each site on which we are forced to register. Because today, we are forced to create an account on almost all the sites we visit, so it becomes a bit complicated to manage. So very often, we use the same ones, and as a result, it happens that sometimes it works on our sites. So as it is essential for us to preserve the trust that our customers have in our brands, we put in place all kinds of alerts, first of communication to the customer, and obviously with the General Data Protection Regulation, we are forced to do so. But at the same time, I find it very, very healthy to do so. We also put in place all kinds of technical processes, human processes, to try to identify these threats as early as possible because technically, unfortunately, an identifier and a password that connects to an e-commerce site and that works, a priori, doesn't look like an attack, in fact. So obviously, we have managed to find other vectors that alert us and that allow us to block very, very quickly. But, and we still have a lot of work to do, it is becoming more and more common in certain retail brands to also see the implementation of solutions such as enhanced authentication through the famous MFA.
Because precisely, we want to protect the data that customers entrust to us, and the only way to be sure that it is indeed you who is behind the connection that we are observing on our site, well, it is to ask for another form or a complementary form of authentication via SMS or similar. And so as a result, we see these solutions beginning to appear more and more. We know that it can harm the customer experience, which is essential for us. However, despite this, we see that some retailers have made this choice and that it is increasingly being deployed. Finally, the third lesson for me that we learned through the attacks you mentioned is the supplier chain. Because when you have an e-commerce site, not everything is necessarily in your hands. In fact, you have partnerships with external third parties, whether it's for delivery management, for example, or for e-commerce stock management. In short, there are lots of scenarios for which you can call on external third parties who very quickly have a valuable solution to offer you and a potential service of value to offer your customers. And so, in fact, what these September attacks also show us is that it's important for us to be able to increase the maturity and control the level of cybersecurity of this entire chain, on which, in fact, we can act in a way that is, let's say, much more relative than if it were applications that we host in our own data centers.
- Speaker #0
You are reinforcing the requirements for your supply chain in a way.
- Speaker #1
Yes, exactly. That is to say that in fact, when I told you that we do cyber integration from the start of the project, we question them and we already qualify a little bit the level of cybersecurity they have, we add cybersecurity requirements in the contracts, or we constrain them to propose a security assurance plan. And sometimes, what we also try to do is to go as far as a cybersecurity audit or a penetration test, which is becoming more and more complicated to do. But we try nonetheless, as far as possible, to be able to see that, because it allows us to have an evaluation of the level of cybersecurity at a given moment.
- Speaker #0
Very good. Now let's talk a little bit about AI, since it's always the topic of the moment, with AI that will transform retail, whether it's for the customer experience or for stock management. Does it introduce new vulnerabilities or opportunities?
- Speaker #1
Well, first of all, AI will introduce new opportunities, that's for sure. In the retail universe, in the universe of value creation for our customers, our consumers, it's sure to bring a lot, a lot of things. But obviously, every time we open up a new technology, there is always the value contribution, and then there is always the slightly darker side. So indeed, we have risks that are linked to artificial intelligence, particularly on how to query it. When we take, for example, generative artificial intelligence, or what we can query, what are called LLMs, for example, the way to prompt, since that's the technical term used a bit. But as a result, the way to query it can sometimes lead the artificial intelligence to give you more information than it should. In fact, there are still a lot of people who are not great specialists in cyber practice in artificial intelligence. And in fact, within the club, we also have a lab that works on these subjects of risk around artificial intelligence to try to indeed extract a somewhat global risk matrix from it. We have seen some documents available here and there. On the other hand, we have about 10 CISOs who are working on real subjects of cyber integration in AI projects for their company and who have decided to make it a common pot for the entire industry. So I will certainly have more information to communicate soon.
- Speaker #0
So this is a more intimate question. We often talk about human factors and in particular the stress of CISOs in recent years. I often talk about CISOs in general, under constant pressure, with undersized teams. Their role today goes beyond simple technical management to include strategic and regulatory issues. Do you see an evolution of their function towards a more influential role within executive committees? And how can we better recognize and value their impact within companies?
- Speaker #1
So indeed, the role of the CISO has evolved over the past 20 years. We can see that they have gone from the person in charge of antivirus to, today, in some organizations, a key influencer within an executive committee. So we can see this evolution. We see that some large companies that are very mature in terms of cyber, and some large administrations, do indeed have a CISO who is either a member of the ExCom, or at least a member of the board. So we can see this evolution. However, this debate about the positioning of the CISO has always made me a bit uncomfortable because ultimately, is it better for the CISO to be attached to the ExCom without means, without resources? Or is it better for a CISO within an organization of the company, whatever it may be, who is entrusted with the human means, the financial means, and who has the possibility to move this subject forward? I don't have an opinion. Well, I do have an opinion, rather even a rather clear-cut one, which is that it is better indeed for the CISO to have all the financial, human, and technological means to be able to fulfill their mission. Then indeed, if they have the possibility to intervene in a management committee or an executive committee to explain how cyber risk can harm the productivity or effectiveness of the company or administration, well, that's excellent news.
- Speaker #0
Very good. Thank you for your answer. So, beyond sectoral issues, we ask a somewhat broader question about the technological dependence of French and European companies. 70% of cyber solutions used in France by organizations come from the United States or Israel. This raises a strategic question. Can France and Europe, in your opinion, really take back control of their digital sovereignty in the face of the concentration of the cyber market?
- Speaker #1
Indeed, we Europeans mainly depend on American or Israeli solutions when it comes to cyber. But more broadly, we depend on the Americans for digital in general. And it is not so much the solutions, in fact, that can be detrimental, but ultimately the various extraterritorial laws that apply to them. We can think of FISA, for example, on electronic surveillance. We can also think of the CLOUD Act. In short, we can see that the Americans are implementing more and more extraterritorial laws that allow them to ultimately pump all our information without us necessarily having the possibility to prevent it. And so all this can harm our competitiveness, especially in a context where, ultimately and paradoxically, the trade balance between Europe and the United States is rather favorable to Europe today. Well, that's not the case in the digital universe. And so naturally, on these digital subjects, it seems natural or healthy to me to want to have an offer allowing this autonomy. But for that, it is necessary to notably induce an ambitious and even brave European strategy, so that we can develop more of a strategy of support for local publishers, or better integrate cybersecurity into European digital and industrial policies, for example. This will not be possible to do overnight anyway. So we will also have to accept the fact that this European strategic policy to be put in place will potentially take 10 or 20 years. And I take as an example, when we look at what is happening in China, we see that China made the choice about 20 years ago of a certain digital autonomy compared to American solutions. And so, while we talk a lot about GAFAM in the West, in China, we have the BATX, which are just as powerful and which ultimately achieve record figures. In recent years, we see them arriving more and more in France and in Europe.
Generally speaking, we see that operators like Huawei and Alibaba are starting to arrive on the market, and so they have alternative offers. So it's quite interesting to see them. And we can see, even if we talk about the retail sector, that the payment methods when you go to China are of a totally different nature from what we are used to using. And sometimes you have certain places where you can't use your MasterCard to pay; you have to use a Chinese system. So that's a real political strategy to be put in place. And probably Europe needs to do the same, but by giving itself time. Unfortunately, it won't happen overnight. It will require a bit of effort and then courage, because it is likely that all the American lobbies around the European Commission will work hard to ensure that this dependence persists. And in fact, when we look at it from this angle, what do we see? We see that the United States has a strategy, let's say a European strategy. We see that the United States and Europe use roughly the same digital services without Europe today being able to say anything. And then we see that Asia also has other digital services, and in fact all these digital autonomies that are arriving. If you put yourself in the shoes of a CISO who works in an international company, this raises a lot of questions about their strategy. That is to say that today they will potentially have to have a strategy using rather Western cyber technological resources in the West, rather Asian ones in Asia. Even if the global policy is the same, the technologies will be different. And as the technologies are different, it means that you have teams that are multiplied, or at least that will grow to do the same thing but on different technologies, and know how to protect themselves differently on American or Chinese digital platforms.
- Speaker #0
Exactly.
- Speaker #1
You will use a rather American technology in the United States. You will use rather a Chinese technology in China. So as a result, you will either find the five-legged sheep, as we say, who knows how to administer both the American part and the Asian part, or you will have two people, in fact. And so, in fact, we have a certain number of CISOs in international companies who ultimately must themselves suffer these different protection policies that are put in place and which are not without consequences, neither on their resources nor on their budget. However, Europe should not become too dependent on the United States. It should also have its own autonomy. So there you go.
- Speaker #0
So, to finish on a lighter note, I heard that you are a musician. Is that true?
- Speaker #1
Yes, it does happen.
- Speaker #0
What's your group called, and can we listen to it somewhere?
- Speaker #1
Well, to listen to it, you would have to come to the CESIN Congress, which takes place every year in Reims, the first week, the first Tuesday and Wednesday of December. So we had created a WhatsApp group called Les Six Insupportables, the Six Unbearables, either in reference to iPhone or... I'll let you guess a little bit what Six Insupportables means. And in fact, we take advantage of and abuse the magnificent pen of Mylène Jarossay, who has written for us, with excellence, parodies of famous French hits, reinterpreted on cyber themes. And we often take advantage of the gala evening of the Congress to start singing all together and then do a kind of little karaoke with all the participants. So it's rather, rather fun.
- Speaker #0
Indeed, very convivial. Cybersecurity and music go perfectly together. So if you had to choose a soundtrack to illustrate the challenges of the 2025 session, what track would you choose?
- Speaker #1
Well, in fact, I haven't found a track for the 2025 challenges, or at least one that can be easily interpreted. However, I have two titles that come to mind, especially in relation to what we've just been talking about. We had... Mylène had rewritten, reinterpreted a Johnny Hallyday song that we call Light the Fire, which is sung almost every year at the Congress, which is a great moment of laughter, and then another which is a reinterpretation of Magic System, which is called There's Panic in the Air. So that's a little bit what I could say.
- Speaker #0
That makes me want to join CESIN, in any case. I hope. And thank you very much for this exchange, Fabrice. Thank you to all those who are listening to us. I hope you enjoyed this episode. Find the video clips of this episode on my LinkedIn, Anne-Laure de la Rivière. And don't hesitate to follow us on all listening platforms and leave us five stars on Apple Podcasts. See you soon in In the Eye of Cyber.