
CISOs and their main concerns

The daily news of cyber attacks and data theft only reinforces that these are not easy times for information security teams, and for CISOs in particular.

And getting a peaceful night's sleep is becoming increasingly hard.

Looking at the day to day, I see at least three clear reasons for sleepless nights, and all of them come down to a single cause: RISK.

In short, I believe the main reasons are the following:

1. Accountability to executives

Being 100% accountable for meeting the expectations placed on security investments is a clear reason.

While cybersecurity is now a board-level conversation, many CEOs still don't get it: reports and surveys confirm that more than 90% of executives say they cannot read a cybersecurity report and are not prepared to deal with an attack.

Frankly, this is not the main job of the C-level. What they need and want is for the CISO to position risk effectively and help them understand the equation of current state versus technology and outcome. This is a big challenge in itself, because the CISO must constantly ask: “Am I investing in the right technology? Am I resilient enough? Can I scale? Is my environment truly healthy? How will I really know?”

Being able to communicate effectively the current state and what “good” looks like is imperative for a CISO, as is developing an action plan with objectives and targets to present to the board.

2. Capacity

Do I have the right skills and the right people to do the right things?

The cybersecurity talent crisis is getting worse. Identifying the right skill sets is the easy part. Finding experienced people is a totally different story.

For many companies, the scarcity of cybersecurity consultants is the biggest risk factor. In response, managed security service providers (MSSPs) have become a popular choice. But finding and vetting the right MSSP is a whole new challenge for CISOs and their teams.

Risk comes in several ways here:

- Have you evaluated all third parties and contractors that support your environment? Do they really support your operation in a personalized and dedicated way?

- Are you highly dependent on one individual, or a small group of individuals, to execute part of your technology demand?

- Do you have documented processes and procedures to follow in case of staff turnover?

- What is your training plan to ensure your team keeps up with security trends within your technology demand?

I have said this before and I say it again: “There is no easy answer to recruiting and retaining the right people in cybersecurity; there is no unemployment in our field.” The important thing is to match the team you have (internal and external) with the defined security action plan. What skills do you need? Where are they coming from? Who is providing the direction? And how is my action plan evaluated and reassessed?

3. Compliance & Privacy Regulation

Yes, the dreaded GDPR may already be a reality on Brazilian soil.

Here in Brazil, the General Data Protection Act (LGPD) has been approved; only the President's sanction is pending. Now, as in the EU, data subjects and companies will have greater legal certainty. The law will require a series of adjustments from all companies, under penalty of severe sanctions, which can reach fines of up to 50 million reais. Your business needs to implement the required controls!

Compliance will be the biggest driver of security for years to come. I firmly believe that compliance drives more than 50% of the market today.

The General Data Protection Regulation (GDPR), or LGPD as it is being called in Brazil, applies to anyone, literally any company in the world, that receives data. What is scary about GDPR is the financial risk associated with non-compliance.

GDPR is one of several compliance mandates that organizations globally are facing. There are also DFARS, NYCRR 500, FISMA, GLBA, SOX and others.

The challenge here is that it is easy to think "it will never happen to me." That's what we all used to think about cybersecurity incidents, right?

Given the financial pain of non-compliance, CISOs cannot afford the risk. As a CISO, you need to surround yourself with the right information. If you have not already done so, involve three types of experts to support your compliance readiness:

- A cyber security service provider to provide risk mitigation recommendations and tactics;

- A managed security service provider to support 24x7 monitoring and management of security technologies;

- Legal advice to review your organization's compliance with regulations and laws.

* Umberto Rosti is CEO of Safeway

About [SAFEWAY]

[SAFEWAY] is widely recognized as a provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on the following platforms:

  • Archer from RSA Security, considered by Gartner, Forrester and the market itself to be the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;
  • [SAFEWAY] Security Tower, supported by IBM Qradar (Watson technology), tailored to each organization's security and cyber defense management needs;
  • And others, involving technologies from Imperva, Thales, BeyondTrust and WatchGuard Technologies.
