Complex threats usher in a “new era” for cybersecurity leaders

The role of the Chief Information Security Officer (CISO) has never been as challenging and crucial as it is today. With the exponential increase in cyber threats, which can cause irreparable damage to the reputation, trust and assets of organizations, CISOs need to be prepared to face an increasingly complex and dynamic scenario.

In 2024, Brazil recorded a significant increase in cyber attacks. In the first quarter, there was a growth of 38% compared to the same period in 2023, with Brazilian organizations suffering, on average, 1,770 weekly attacks. In the second quarter, the increase was even more pronounced, reaching 67% compared to the previous year, with an average of 2,754 weekly attacks per organization. In the third quarter, the average weekly number of attacks per organization in Brazil reached 2,766, representing a growth of 95% compared to the same period in 2023. The most targeted sectors were finance, health, government and energy, and the main types of attacks were ransomware, phishing, DDoS and APTs (Advanced Persistent Threats).

CISOs must adapt to this new era of unprecedented cyber attacks, often performing multiple functions at the same time and, in the case of Brazil, managing a scenario of cost containment and investments in cybersecurity.

The role of the modern CISO

The position of CISO is relatively new. Unlike financial directors or executive directors, the role of the information security director did not officially exist until the mid-1990s.

Furthermore, the role of the CISO has been constantly changing in organizations. According to the 2023 CISO report from Splunk, 90% of respondents believed that the role had become a "completely different job" from when they started.

At the beginning, the CISO was responsible for developing policies, security governance and implementing more rudimentary security controls, which gave this professional a far more technical than managerial perspective. Today the list of responsibilities has grown considerably. One of them, for example, is the political function of the position: CISOs need to have close working relationships with the CEO, the CFO and the Legal department of the organization. The budget for the Security area is an essential condition for facing the myriad of threats that exist today.

And that is still a problem for companies worldwide, especially in Brazil. On one side, the scenario involves a country with one of the highest rates of attacks in the world. On the other, economic uncertainty and the fluctuation of the dollar (since the overwhelming majority of solutions are sold in foreign currency) force CISOs to balance the available resources to ensure the company's protection.

Good communicators

Unlike the image of the past, heavily based on the stereotype of the technician, today the CISO needs to take a leadership role and be a good communicator in order to lead the creation of a solid cybersecurity culture within the company.

Another important point is that CISOs cannot act alone in managing information security. They need to rely on the support and collaboration of the external ecosystem, which includes suppliers, clients, partners, regulatory bodies, professional associations and security communities. These actors can contribute information, resources, solutions and best practices that help the executive enhance and strengthen the security of their organization. That is why communication and relationships with the market are also fundamental.

Security needs to start from a holistic view

It is not enough to have isolated and reactive security tools and processes. CISOs need to have a holistic and integrated view of security, one that encompasses everything from the culture and awareness of employees to governance and alignment with business objectives.

Security should be seen as a cross-cutting and essential element for the continuity and growth of the organization, and not as a cost or a barrier. To achieve that, CISOs must engage other areas and leadership within the company, demonstrating the value and return of security, and establishing clear and measurable policies and indicators.

A sense of urgency is essential to anticipate threats

Cyber threats are constantly evolving and becoming more sophisticated, and can affect any organization, regardless of size or sector. That is why it is important to stay attentive and up to date on market trends and vulnerabilities, and to invest in solutions and methodologies that allow for anticipating threats and risks.

One way to do this is to adopt a security-by-design approach, which incorporates security from the design to the delivery of the organization's products and services. Another way is to conduct periodic tests and simulations that assess the effectiveness and resilience of security systems and processes, and identify opportunities for improvement and mitigation.

Even though the role of the CISO is still evolving, this professional is a key player for the protection and innovation of organizations in the digital age. CISOs need to be prepared to deal with an unprecedented level of threats, which require proactive, strategic and collaborative information security management.

Finally, CISOs must keep in mind that information security is not just a technical issue, but also a factor of competitiveness and value for customers. Those who can align security with business objectives and stakeholder expectations, and who can communicate the benefits and challenges of security clearly and convincingly, will be able to build a strong and sustainable security culture in the organization and contribute to its success and growth in the digital landscape.

Ramon Ribeiro
Ramon Ribeiro is the CTO of Solo Iron