Starting at IBM’s technical service at 18, Washington G spent over a decade in various IT roles. Transitioning to Security, he led PCI DSS compliance setup for a payment entity. Contributing to an EIDAS-compliant ID project followed. Managing IT security and Cyber Compliance across 22 countries for a payment gateway company, he achieved PCI DSS certification thrice and multiple payment licenses. He also worked as a Cybersecurity Manager at a Big Four. He then embarked on a new journey in Spain as a CISO at a Cryptocurrency Exchange, achieving ISO 27001 and ISO 22301 certifications. He now works as CISO at Global Exchange.
Recently, in an exclusive interview with Digital First Magazine, Washington shared his professional trajectory, insights on the future of the cybersecurity landscape, significant career milestones, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Washington. Can you please tell us about your background and areas of expertise?
I began my career at IBM Uruguay’s technical service at 18. For over a decade, I held various positions in IT, including Datacenter Administrator, SysAdmin, and Head of an IT department. Transitioning to Security, I tackled my first major challenge setting up PCI DSS compliance for a payment entity. Later, I contributed to a digital identity project, managing tasks such as setting up HSM, PKI, and EIDAS Compliance. Joining a payment gateway company, I managed IT security, Cybersecurity risks, and Cyber Compliance across 22 countries, achieving PCI DSS certification thrice and multiple payment licenses in different countries. After working as a Cybersecurity Manager at a Big Four, my wife and I decided to make a life change. I started my work experience in Spain working as CISO at the number one Spanish Cryptocurrency Exchange. I have been able to work with a highly qualified team of professionals with whom we have achieved significant milestones such as getting certified in ISO 27001 and ISO 22301. Nowadays, I am working as a CISO at Global Exchange.
My background and expertise blend IT and Security, Technical, and Management skills. I specialize in IT, Information Security, and Cybersecurity, excelling in risk assessment, strategy development, and program implementation aligned with organizational goals. My technical expertise allows me to deploy advanced security solutions and stay ahead of emerging threats. I ensure compliance with relevant laws and regulations, mitigate risks through incident response and disaster recovery planning, and foster a culture of security awareness within organizations. Through collaboration with external partners and internal teams, I build and lead high-performing cybersecurity teams, optimizing resource allocation to maximize security impact. Continuously updating my knowledge, I remain adaptable to address evolving cybersecurity challenges and technologies.
What part of your current role do you enjoy the most?
The ability to make a tangible impact on the security posture of the organization and develop a high-performing team is what I enjoy the most in my role as CISO.
According to you, what will cyber security look like in the next 5 years?
I think that in the next 5 years, we will see an important change mainly in the analysis and incident response teams and in the SOC teams. As cyber threats become more sophisticated, organizations will increasingly leverage artificial intelligence and automation to enhance threat detection, response, and prevention capabilities.
In the coming years as AI adoption increases, we will see more sophisticated and frequent attacks. We will have to use the AI itself to be able to defend ourselves against the AI. Companies like Microsoft are already testing prototypes to integrate AI into Teams meetings to protect us against deepfake attacks.
In addition, we will see a growth in cybersecurity regulations in the next 5 years. Governments and regulatory bodies worldwide will continue to introduce and enforce stricter cybersecurity regulations to protect sensitive data and mitigate cyber threats. Compliance with regulations such as DORA, MiCA, NIS2, GDPR, and others will be a top priority for organizations.
What are some of the challenges with cybersecurity and risk assessment right now that you see no one is talking about?
I believe that most companies implement controls without considering what risks they are trying to mitigate with that control or how they will measure the effectiveness of the control they are implementing. In many cases, during the implementation of controls, when the focus is lost on which risks they want to mitigate with that control and which assets may be affected by that risk, the cost-benefit relationship of its implementation is often not taken into account, leading to high and sometimes unnecessary costs for the company.
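The point made above, that a control should be tied to the risk it mitigates, the asset that risk affects, a way of measuring its effectiveness, and its cost-benefit relationship, as an added illustration that is not part of the interview and not code from any organization mentioned in it: a small risk register in Python that rejects controls with no documented risk, no effectiveness metric, or a negative return on security investment. The risk names, control names, costs and reduction factors are constructed sample values; the ALE (SLE × ARO) and ROSI formulas are the standard quantitative risk-assessment ones.

```python
"""Risk-driven control selection with a cost-benefit check.

Added illustration; all figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str   # the asset affected if the risk materializes
    sle: float   # single loss expectancy: expected loss per incident (EUR)
    aro: float   # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any treatment (SLE x ARO)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str          # name of the Risk this control is meant to reduce
    annual_cost: float      # licence plus operating cost per year (EUR)
    risk_reduction: float   # fraction of the ALE the control removes, 0.0..1.0
    kpi: str                # how effectiveness will be measured after rollout


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE avoided - annual cost) / annual cost."""
    avoided = risk.ale * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def evaluate(risks: list[Risk], controls: list[Control]) -> dict[str, tuple[str, str]]:
    """Map each control to its risk and decide approve/reject with a reason.

    A control is rejected when it mitigates no risk in the register (a control
    chosen before the risk was identified), when no KPI is defined (its
    effectiveness could never be measured), or when it costs more per year
    than the loss it avoids.
    """
    by_name = {r.name: r for r in risks}
    decisions: dict[str, tuple[str, str]] = {}
    for c in controls:
        risk = by_name.get(c.mitigates)
        if risk is None:
            decisions[c.name] = ("reject", "no documented risk for this control")
        elif not c.kpi:
            decisions[c.name] = ("reject", "no effectiveness metric defined")
        else:
            r = rosi(risk, c)
            verdict = "approve" if r >= 0 else "reject"
            decisions[c.name] = (verdict, f"asset={risk.asset} ROSI={r:.2f}")
    return decisions


# Constructed sample register (hypothetical figures, not real data).
SAMPLE_RISKS = [
    Risk("card-data-breach", "payment wallet database", sle=500_000, aro=0.1),
    Risk("phishing-account-takeover", "employee accounts", sle=20_000, aro=2.0),
]

SAMPLE_CONTROLS = [
    Control("WAF", "card-data-breach", 15_000, 0.6,
            "blocked injection attempts per month vs. baseline"),
    Control("phishing-sim-training", "phishing-account-takeover", 8_000, 0.5,
            "click rate in quarterly phishing simulations"),
    Control("deception-platform", "insider-exfiltration", 40_000, 0.8,
            "decoys touched per quarter"),          # risk never entered in register
    Control("EDR-premium-tier", "phishing-account-takeover", 60_000, 0.7,
            "mean time to contain endpoint alerts"),  # avoids less than it costs
]


def run_sample() -> dict[str, tuple[str, str]]:
    """Evaluate the constructed register; used by the demo below."""
    return evaluate(SAMPLE_RISKS, SAMPLE_CONTROLS)


if __name__ == "__main__":
    for name, (verdict, reason) in run_sample().items():
        print(f"{verdict:8} {name:22} {reason}")
```

With the constructed figures, the WAF avoids 30,000 EUR a year against a 15,000 EUR cost (ROSI 1.0) and the training 20,000 against 8,000 (ROSI 1.5), so both are approved; the deception platform has no risk behind it and the premium EDR tier avoids 28,000 against a 60,000 cost, so both are rejected. Swapping in a real organization's loss estimates and costs is what turns the check into the cost-benefit step the interview describes as usually missing.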
What are the top skills, both technical and soft skills, that are greatly needed as a cybersecurity professional in the current digital landscape?
To be able to answer this question, it is important to highlight that in cybersecurity, there are many profiles and significant differences in technical and soft skills among them. For example, a pentester profile requires technical skills in web auditing and mobile application auditing, among others. These technical skills are very different from those of a defensive profile (blue team), which requires knowledge of security event management, incident response, and forensics. There are also differences in soft skills. A Cloud Security profile may require someone who is very detail-oriented, but communication may not be their most important soft skill, whereas for someone working in the GRC team, responsible for applying policies, managing business continuity, etc., communication may be a more important soft skill.
How do you think we can attract more young people to this field?
In Spain, a big effort has been made by academic institutions to offer Cybersecurity degrees, and many technical IT professions include a cybersecurity subject. I believe this will bear rewards in the coming years.
I also think the best way to get young people interested in security is to open more opportunities for junior profiles. If we search on LinkedIn, we can see many junior positions with 2 or 3 years of experience as a requirement. If we add to this requirement some expensive certifications, how could young professionals who haven’t yet joined the job market comply with this requirement? We are demotivating them and not allowing them to become senior profiles or CISOs of large companies in the future.
What has been your most career-defining moment that you are proud of?
It’s difficult to choose just one, so I’ll comment on the two moments that are the most important in my career.
The first one was when I found the PCI DSS standard and a highlighter left on my desk. When I asked the IT Manager if he had forgotten that on my desk, he laughed and said, “The company made two attempts to certify this standard and failed. We need to be certified by next March (it was July) because we’ve just been granted the electronic money license, and we need to certify our payment wallet app.” The challenge was enormous: planning tasks, setting up the entire infrastructure (SIEM, WAF, CDE, etc.), working after hours for months, drafting policies and plans, managing risks, configuration standards, etc. Being able to meet the deadline and get certified was a personal achievement of which I am very proud.
The second one, I wouldn’t know if it was more important than the first, as they are different. When I joined the company, there was only one person in the Cybersecurity team, who did everything from vulnerability scanning to firewall configuration. In less than a year, the department grew to 6 teams, a group of exceptional professionals with whom no challenge was insurmountable. In 11 months, we rocketed our security maturity level, which allowed us to certify in ISO 27001. It was the most important demonstration of teamwork I have seen in the 22 years I have been working. The level of commitment from an entire team makes things that seem impossible, possible.
In your academic or work career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
My former boss shared a story about two colleagues competing for a promotion. To test them, the manager sent them to a construction site to ensure it wouldn’t affect the company’s wiring. One returned with a simple assurance, while the other proactively engaged, confirming details, and taking preventive measures. The lesson was about the difference between executing and managing tasks, emphasizing the importance of seeing the bigger picture for aspiring leaders.
What are your passions outside of work?
My career is my passion; whenever I have free time, I’m always studying a new topic or reading a related book. I consider myself fortunate because I work in what I love.
Where do you see yourself in the next 5 years?
Probably I will be working as a CISO or in another Cybersecurity position for sure; as I mentioned before, it’s not just a job for me, but something I’m passionate about. At some point, I considered the idea of starting my own business, but I wasn’t born with the necessary sales skills to be successful in the business world.
What advice do you have for anyone who is in a CISO role?
Try to maintain a mixed profile. Something that works for me is studying a course or certification related to Information Security, such as the latest DORA certification I completed, and then studying something more technical, like the DevSecOps certification I’m currently pursuing. Alternating between cybersecurity and information security topics allows me to maintain both technical and managerial profiles. It will become increasingly important for CISOs to have both profiles developed, as it provides a broader understanding of the different pillars of cybersecurity and information security. Additionally, we can be closer to security teams and technical profiles, helping them perform their tasks more effectively.