The role of the Chief Information Security Officer (CISO) has never been as challenging or as crucial as it is today. With the sharp rise in cyber threats capable of causing irreparable damage to an organization's reputation, trust, and assets, CISOs need to be prepared for an increasingly complex and fast-moving landscape.
In 2024, Brazil saw a significant increase in cyber attacks. In the first quarter, there was a 38% growth compared to the same period in 2023, with Brazilian organizations facing an average of 1,770 weekly attacks. In the second quarter, the increase was even steeper, reaching 67% compared to the previous year, with an average of 2,754 weekly attacks per organization. In the third quarter, the average weekly number of attacks per organization in Brazil reached 2,766, representing a 95% growth compared to the same period in 2023. The most targeted sectors were finance, health, government, and energy, with the main types of attacks being ransomware, phishing, DDoS, and APTs (Advanced Persistent Threats).
CISOs have to adapt to this era of unprecedented cyber attacks, often juggling several roles at once and, in Brazil's case, balancing cost containment against the need to keep investing in cybersecurity.
The role of the modern CISO
The CISO position is relatively new. Unlike Chief Financial Officers or Chief Executive Officers, the role of Chief Information Security Officer did not officially exist until the mid-1990s.
Furthermore, the role of the CISO has been constantly evolving in organizations. According to Splunk’s 2023 CISO report, 90% of the respondents believed that the role had become a “completely different job” from when they started.
Early on, the CISO was responsible for writing security policies, running security governance, and implementing fairly rudimentary security controls, so the role was far more technical than managerial. Today the list of responsibilities has grown considerably. One of them is the political dimension of the position: CISOs need close working relationships with the CEO, the CFO, and the Legal department. Securing a budget for the security function is a precondition for facing the myriad threats that exist today.
This remains a problem for companies worldwide, and especially in Brazil. The situation is complicated on one side by the country having one of the highest attack rates in the world, and on the other by economic uncertainty and exchange-rate swings (the vast majority of security products are priced in foreign currency), which force CISOs to stretch the resources they have to keep the company protected.
Good communicators
In contrast to the purely technical stereotype of the past, today's CISO must be a leader and a good communicator in order to drive the creation of a solid cybersecurity culture within the company.
Another important point is that CISOs cannot manage information security alone. They need the support and collaboration of the external ecosystem: suppliers, customers, partners, regulators, professional organizations, and security communities. These actors contribute information, resources, solutions, and best practices that help the executive improve and strengthen the organization's security. Communication and market relationships are therefore also essential.
Security needs to come from a holistic perspective
Simply having isolated and reactive security tools and processes is not enough. CISOs need to have a holistic and integrated view of security, covering everything from the culture and awareness of employees to governance and alignment with business objectives.
Security should be seen as a cross-cutting and essential element for the continuity and growth of the organization, not as a cost or a barrier. To achieve this, CISOs must engage other areas and leadership within the company, demonstrating the value and return of security, and establishing clear and measurable policies and indicators.
A sense of urgency is essential to anticipate threats
Cyber threats are constantly evolving and becoming more sophisticated, and they can affect any organization regardless of size or sector. It is therefore important to stay alert to market trends and newly disclosed vulnerabilities, and to invest in solutions and methodologies that allow threats and risks to be anticipated rather than merely reacted to.
One way to do this is to adopt a security-by-design approach, building security in from the conception of the organization's products and services through to their delivery. Another is to run periodic tests and exercises (penetration tests, red-team engagements, incident-response simulations) that assess the effectiveness and resilience of security systems and processes, and identify opportunities for improvement and mitigation.
Although the role of the CISO is still evolving, this professional is a key player in the protection and innovation of organizations in the digital age. CISOs need to be prepared to deal with an unprecedented level of threats, requiring proactive, strategic, and collaborative information security management.
Finally, CISOs should bear in mind that information security is not just a technical matter but also a factor in competitiveness and in the value delivered to customers. Those who can align security with business objectives and stakeholder expectations, and who can communicate the benefits and challenges of security clearly and convincingly, will be able to build a strong and sustainable security culture in the organization and contribute to its success and growth in the digital landscape.