Talents' stories - Aïcha Mir, consultant and manager consulting and audit

I am a consultant in the Consulting and Audit Unit, working on support assignments with clients. Consulting specifically means risk analysis, audits in relation to compliance benchmarks, reviews before implementing solutions. 

We have a wide range of clients: small town halls, major listed companies, large industrial groups, banks... Our mission covers technical, organizational, and regulatory aspects.  

Absolutely! We call it a diagnosis or an audit. We start there: we get to know the client and we need to know what is done, what is not done, what are the things that are missing.  

Yes, one of the main qualities required is an ability to adapt to the client’s situation, their size, their limitations, their needs, their budgets. I often say that we are a bit like our clients’ therapists. They tell us their problems, and we must understand them, translate them, and respond. We try to analyze as closely as possible, to listen. Listening is crucial. We offer a tailored service.  

There are some “packaged” services, e.g., awareness activities, but securing an information system requires a thorough analysis and tailored responses.  

Yes, we call that the “level of maturity.” Some sectors are further behind than others, e.g., manufacturing. A commonly targeted sector but far behind. Although regulations have changed a lot recently, with the GDPR (General Data Protection Regulation), the Military Planning Law, which has allowed us to catch up over the years. Digitalization of all services, in all sectors, has made this compliance crucial.  

We carry out different types of assignment. It always starts with a diagnosis. What are the weaknesses? Weak passwords? Remote access management? Updates not applied? Lack of maturity among staff? From there, we propose an action plan, which can be picked up by their internal teams if they are able, but that's rare. So, we stay to offer support to implement this plan, based on a schedule that we implement, with priorities. And we can then get several Orange Cyberdefense services involved. For example, in terms of maturity, we offer several modules ranging from simple awareness to training between or within companies. We are an approved training center. 

I would say that the major problem is identifying risks. Often, we apply standards without getting some perspective on our own data and our actual risks. The GDPR has helped a lot to finally establish a risk map. We must ask questions about data: what has value? What does not? What must we protect, and how? That is essential. Risk analysis must go one step further than just compliance, and carefully consider the threat environment compared to the business.  

Yes, we are called in more and more. Major groups, of course, but also an increasing number of SMEs. Any company can be at risk today.  

Yes, there are more and more attacks but above all, more complex and sophisticated attacks. Hackers are getting organized and professional. The more complex IS (information systems) become, the more complex attacks become.  

When I started to work twelve years ago, there were very, very few women. I started out in a team which only had guys! It was not very easy to be the only woman, even though my colleagues were very welcoming, I was lucky. In technical departments it was even worse, there were some raised eyebrows when I walked in. But that is changing now. We are giving more talks to more young girls, in schools, at universities. And there are more women who they can identify with. If my experience could help encourage girls... 

Being a good listener, versatile and proactive! Particularly when you're a woman... 

Adapting to constant changes: threats, attacks, information systems, technological developments... You have to constantly stay on top of things: if you fall behind, you're dead. It is very disappointing to try and fix something when you're too late. You always need to be one step ahead.