Since the start of his career, Marc Vaillant has always worked in the high-tech sector, holding positions in companies of various sizes.

Before joining Criston, he was Chief Executive Officer at MobileWay and Vice-president of marketing at iCelerate.

What do you see as the biggest security threats today?

In IT security, the biggest "threat" has always been the end user. While IT security teams are fighting everyday to keep the data safe by isolating the network with latest security technology, end user will be the one that will "forget" an opened window! Today, users have become more and more powerful and their development skills are growing.

The increasing complexity of the client systems they require, as a result of their global distribution and heterogeneity, is in itself more dangerous than any single threat.

In the past, it was possible to protect client systems manually, on an ad-hoc basis. But now, with their considerable size and scope and the need to make more frequent upgrades for operational or security requirements, any client systems that is not proactively and consistently monitored and managed is in danger.

How important is patch analysis in the overall security architecture?


Contrary to antivirus that defends the systems when an attack occurs, patch management allows a proactive security policy: cover the breach before the attack happens.

This being said, the cost of patching is very high, and therefore IT managers should not adopt a "deploy all patches on all systems" approach. Proper analysis is needed to determine which patch is required on what system, and this is what Vulnerability Management brings.

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?

The biggest challenge is to control "ALL" the flow of incoming/outgoing data from the IT system without blocking end-user productivity. The threats comes from remote access or data corruption vulnerabilities, and third party devices that are pluged to the network (nomad laptop, USB key etc.), and it is sometimes difficult to know which flow is regular business and which is not.

In your opinion, can one really calculate security ROI?

Security ROI is obviously difficult to calculate since it relates to how much one stands to lose rather than how much one will gain. IT disasters costs are easy to measure after a security breach, but the real trick is to balance the IT security investments against the risk exposure.