From the CISO to the COMEX: making supplier risk a priority
Oct 6, 2025
On the occasion of the Vendor Cyber Risk Summit organized by Galink and a roundtable moderated by Leslie Fornero, host of the podcast Le Monde de la Cyber, two cybersecurity experts shared their experiences on a critical subject: the cyber risk related to suppliers.
At the table:
Odile Duthil, cybersecurity director of the Caisse des Dépôts Group and president of CUSIF
Jérémy Couture, CISO of La Française des Jeux (FDJ)
Together, they explored how to raise awareness among general management about this growing risk and how to turn it into a strategic business priority.
45% of companies already affected by a supplier attack
Right from the start, a survey conducted among the audience set the tone: nearly one in two companies (45%) has already been impacted by a cyberattack linked to a supplier. Jérémy Couture considers this figure representative of reality: 98 of the 100 largest French companies have already suffered a breach via a third party.
Odile Duthil adds that supply chain attacks today represent nearly two-thirds of the cyber incidents observed. In the banking sector in particular, indirect attacks — like that of Harvest, a supplier of suppliers — have demonstrated that even the most protected players are not immune.
Regulation, a lever for action and alignment with the COMEX
For Odile, the DORA regulation (Digital Operational Resilience Act), applicable in 2026, serves as a wake-up call: the regulator helps address the topic at COMEX. But beyond the framework, it is important to understand that the weak link is often found at the supplier of the supplier of the supplier.
At Caisse des Dépôts, the approach is top-down: identification of critical functions, mapping of processes, then descending to the applications and service providers concerned. The COMEX validates critical functions and vital processes, while operational teams manage risk on a daily basis.
On the FDJ side, the ISO 27001 standard plays a similar role: management reviews allow addressing supplier risk by talking about what everyone understands, the real impacts on the business.
Speaking the COMEX language: from cyber to business impact
A key message emerges from the discussion: to convince the COMEX, one must talk about impact, not technique.
When talking about impact, everyone understands — the business units, procurement, management. The FDJ is also working on quantifying supplier risk, translated into financial scenarios. Saying that there is a data leak is not enough; what matters is what these data allow one to do. Can we still trust our contacts? It is this loss of trust that costs dearly.
Methodology: prioritize, contract, audit
The two CISOs share a common belief: it is impossible to audit all suppliers, so prioritization is necessary.
At Caisse des Dépôts, a multi-year compliance plan is in place. Contracts are progressively renegotiated with new cybersecurity clauses (safeguards, business continuity, testing, etc.).
At FDJ, a pyramid approach targets about twenty critical suppliers, audited regularly according to specific criteria: dependency, maturity, trust, and exposure.
The essential thing is to be clear about the capacity to act: it's better to audit a few critical partners thoroughly than to skim over hundreds of contracts.
Crises and drills: teaching through simulation
Another lever for COMEX buy-in: crisis exercises. At Caisse des Dépôts, the first was organized at the request of the CEO, concerned about what to do in the event of an incident. Since then, these exercises have become regular. They allow leaders to project themselves, measure the real impact on business, and understand that cyber risk is a business risk.
Continuous monitoring and regular exchanges
Each year, the two organizations present their risk maps and associated action plans to audit and management committees. At Caisse des Dépôts, these elements are also shared with the Surveillance Commission, composed of parliamentarians, proving that cybersecurity has become a governance issue.
Advice to CISOs to engage their COMEX
In conclusion, here are some concrete takeaways:
Simplify the threat and link it to current events to anchor the topic in reality.
Talk about impact, not technique: quantify, illustrate, tell risk scenarios.
Adopt a cross-functional approach by involving procurement, legal, business units, and IT.
Accept residual risk and think resilience rather than perfection.
Cybersecurity is no longer just the concern of the CISO: it is that of the entire company.
In brief
Making supplier risk a business priority means understanding that it is a systemic risk, not just a technical one, presenting it to the COMEX with business arguments, equipping, prioritizing, and contracting the risk management, and above all involving all functions of the company in a collective resilience approach.