Flavio Carvalho is CISO Iberia at Group Crédit Agricole. Flavio is an experienced Cybersecurity Director, seasoned CISO, who has been working for companies in the U.S., Europe, and South America. He has 12 years of experience in Cybersecurity field and holds over 20 years of experience in technology. He is a husband, father of 3, currently living in a plane between Portugal and Spain.
As 2022 wraps up and 2023 unfolds, it is once again time to review the year that ends and prepare for the one that comes. What are the trends? Where do our organization stand in its maturity growth? What are our most important areas to improve? Which issues need to be solved? Questions that will help us on our goal to mold group behavior towards a more secure, cloud-first, agile mentality.
It´s not easy, though! Security plays a role very much linked to what happens in Technology within the organization. The change towards agile, cloud-first technology is fast and of course, there are many delayed, simply not prepared or not willing to embrace the change.
Having spent the past decade in the cybersecurity field in different positions, starting as a member of Security Operations Center (SOC), then as the Director for a Managed Security Services Provider and ultimately CISO for a Bank in Europe, I´ve seen a lot in both sides of the table. First by offering services as a provider and then contracting services to fulfill a mid-term security strategy in a highly regulated market, complex in compliance requirements. The human factor plays a key role in the strategy, together with risk management. You may think you have the means by securing a budget and a good team, but it is not simple as it seems: you have to be able to measure and establish a route through risk management. Also, to consider the maturity level of the institution you are, how exposed it is to legacy, and how well its employees deal with changes.
Let´s start by analyzing risk management: it matters a lot how your institution measures risk. Usually, start-ups and scale ups are more risk tolerant than bigger (older) enterprises, mainly financial or health institutions. So first, you should observe and establish how prone to risk your institution is and what the CISO is supposed to do to adapt cyber risk to global risk management. Once you have a better view of risk management, it´s time to organize cyber risk, starting by the risk register. As often, it´s much easier said than done. Measure risk is a tuff task: you can start by applying some qualitative methodology and later evolve to some quantitative, but to make sure you measure risk in every asset, system, site, information flow, etc, you have to make it easy, to train your employees to apply and to have upper management support to sustain it.
At some point (believe me, it will take time!) you might have a good methodology to apply and a risk register in place. By then you´ll be in a very good position to really manage your cyber security strategy. Otherwise, it´s a navigation in the dark: you might have a plan and stick to it, deploy new technologies and evolve in your ability to detect and respond, but, without the risk well measured and managed, you may not be sure if you´re doing or not the necessary.
Ok, now the other component that would affect a lot your risk management and that should be an effective part of it: the human factor. I´ve worked for companies in different geographies such as Brazil, Colombia, Argentina, United States, Chile, Panama, Portugal, Spain, and France. From small, low in maturity level to banks in Europe, much more compliant, rigid, and mature. Regardless of where you are, take time to observe your colleagues, how long they stay in the company, how often HR changes your organigram, how conscious they are regarding security and change. Then start educating: e-mails, articles, real world cases, fake phishing campaigns, escape rooms. There are plenty of options, but only time will help you increase their ability (and will) to help you in your task to defend the enterprise. I used to start with fake phishing campaigns to measure where we are in terms of awareness. I´ve seen companies going from 40% in click rate to less than 3% in a two-year interval. Not easy, but doable. Good old phishing is still a threat, and that helps you stimulate the good reflex: people should ask you, go to you, and you´ll be there to guide, to help.
That takes me to a very important concept that I would like to talk about before concluding this article: Security exists to support and enable business, not to block, restrict, cut.
Employees will not go for shadow IT if you identify and offer a secure, allowed alternative. Security goal must be to improve and enable business, always.
That said, I finish this wishing you a very good and secure 2023, for sure not an easy year, but an opportunity to evolve, improve your processes and your overall security posture. Go get it and happy 2023!