Interview With Mathieu Gorge – VigiTrust
Private Internet Access recently interviewed Mathieu Gorge, CEO and co-founder of VigiTrust. She asked him about his passion for cybersecurity.
Private Internet Access: What motivated you to start VigiTrust?
Mathieu Gorge: I had been working in cybersecurity for a few years, primarily on network security and content security. So, my original security background was in selling VPNs, firewalls, intrusion detection, content, security, and so on.
After a few years, I felt that the folks that we were talking to didn’t necessarily understand the basics of cybersecurity or data protection. I decided to start my company, VigiTrust, to talk about privacy and security on an ongoing basis as opposed to merely trying to address the problem by buying more technical solutions.
PIA: Can you tell me what is your company’s flagship product or service?
MG: VigiTrust is an award-winning provider of SaaS solutions around governance risk compliance and integrated risk management. Our solution is called VigiOne. And in a nutshell, it allows you prepare for, validate, and manage continuous compliance with about 100 security frameworks and regulations and standards worldwide, including PCI, GDPR, CCPA, NIST, ISO, CIS, and many others.
PIA: What do you love about working in cybersecurity?
MG: Well, we never get bored, do we? I mean, it’s an ongoing battle, the threat vectors change all the time. And to some extent, they match the economy and the geopolitical changes that we have.
Two examples, starting with COVID. When everybody started working from home, we saw loads of very unprepared organizations open up their firewalls, for connections to employee-owned devices that they would otherwise never have considered before. One of the issues today is that some of those holes and firewalls are still open, despite the fact that we are now two years into hybrid workings. That’s one of the examples and obviously the security industry had to address that.
The next example is the invasion of Ukraine by Russia that completely changed the geopolitical order. It is essentially resulting in a number of new attack vectors and a huge focus on critical infrastructure protection. So, it’s very hard to get bored with all of that.
Also, I think that if you have some knowledge, you have a duty of care to share it with as many people as you can, in order to give back value to the community. Because at the end of the day, if businesses are secure, if your houses are secure, if smart cities are secure, we can all continue to enjoy a good life.
PIA: Why do you think individuals and companies need to have a good VPN?
MG: I look at the challenges that COVID started, and the idea of hybrid work is something that’s really taking off. You really need to be able to securely connect to your home base, from a data perspective. So, as much as possible, you need to have secure data in the cloud, but for some data or for some systems, they’ll have to be so sensitive. Perhaps because of the architecture of the business, they’re actually based on your company’s network. So, you need a secure way of connecting back. The easiest way to do that is with VPN. VPN is a good basis for starting a secure remote communications.
PIA: What do you think are the worst cyberthreats out there today?
MG: I think that right now, all of the attacks are becoming a little bit more personal, right? The attack surface has completely shifted with COVID. We see attackers really trying to attack generic employees, but also CEOs and C level folks. We need to make sure that the systems that those remote people have are secure. So, having a VPN is obviously the very least that you should do.
On top of the VPN, you need to make sure that you’ve got strong authentication and that you have somebody or a system looking at the logs and looking for unusual activity. You also need to make sure that you train your users and give them security awareness training that matches their new work environment or their evolving work environments.
We were seeing that the attacks on critical infrastructure are actually resulting into personal consequences. So for instance, an attack on Colonial Pipeline affects the price of energy and a physical attack from Russia to Ukraine is affecting the supply chain and the security of the supply chain.
An attack on the health service executive in in Ireland is actually impacting the ability of Irish citizens to get access to health care. I think this is raising the overall awareness level of everyone, and they understand that their own way of life is at risk. Attackers will attack generic users, or will try and attack power users such as the C-suite to get access to those critical systems that are behind the firewall. That’s one thing that we really need to address.
PIA: How do you think the pandemic is changing cybersecurity for the future?
MG: Well, in two ways. I spoke about remote working and hybrid work already, but the other part is that during the pandemic, a lot of organizations that said it would take five years to digitize their services suddenly had digitized access to key services, to web commerce to e commerce within months.
That was all at the expense of security and compliance. I think that we need to go back and look at all those services and products that were digitized very quickly and check that it’s been done securely, because my guess is it hasn’t.
It’s not necessarily undoable to reverse engineer security into that, but I find that it’s better to have security by design. And we completely missed the security by design, it was a survival instinct. I need to be able to continue to sell. The people can’t come to my shop. They can’t come to my school. They can’t physically be there. So I need to digitize and unfortunately that had an impact on security.
Good security has to start from the top at the board level. And unfortunately, security and compliance professionals tend to hide behind legal and technical jargon. We need to address that challenge. And the best way to address it is to educate the board on cyber risks in plain business English.
That’s something that I cover in my book, The Cyber Elephant in the Boardroom, because essentially, cybersecurity is the one taboo topic in the boardroom. Having said that, the board deals with risks all the time, be it financial, HR, growth, legal, whatever. This is just an additional risk and we need to essentially translate that risk into business risk. So we need the language to be able to talk about the value of VPNs. We can talk about the value of training, having good policies, good security, and awareness training in a language that businesspeople understand and that will help everyone and every stakeholder in in that ecosystem.