Complex threats usher in ‘new era’ for Cybersecurity leaders

The role of the Chief Information Security Officer (CISO) has never been more challenging and crucial than it is today. With the exponential increase in cyber threats, which can cause irreparable damage to organizations’ reputation, trust, and assets, CISOs must be prepared to face an increasingly complex and dynamic scenario.

In 2024, Brazil saw a significant increase in cyberattacks. In the first quarter, there was a 38% growth compared to the same period in 2023, with Brazilian organizations suffering an average of 1,770 attacks per week. In the second quarter, the increase was even more pronounced, reaching 67% compared to the previous year, with an average of 2,754 weekly attacks per organization. In the third quarter, the average weekly number of attacks per organization in Brazil reached 2,766, representing a 95% growth compared to the same period in 2023. The most targeted sectors were finance, healthcare, government, and energy, with the main types of attacks being ransomware, phishing, DDoS, and APTs (Advanced Persistent Threats).

CISOs must adapt to this new era of unprecedented cyberattacks—often juggling multiple roles simultaneously and, in Brazil’s case, managing a landscape of cost containment and cybersecurity investments.

The role of the modern CISO

The CISO position is relatively new. Unlike chief financial officers or chief executive officers, the role of the chief information security officer did not officially exist until the mid-1990s.

Moreover, the CISO’s role has been constantly evolving within organizations. According to Splunk’s 2023 CISO Report, 90% of respondents believed the role had become ‘completely different’ from when they started.

Initially, the CISO was responsible for policy creation, security governance, and implementing more rudimentary security controls, which gave the professional a much more technical than managerial perspective. Today, the list of responsibilities has grown significantly. One of them, for example, is the political aspect of the role: CISOs need to have close working relationships with the CEO, CFO, and Legal department. The security budget is essential to counter the myriad threats that exist today.

And this remains a problem for companies worldwide, especially in Brazil. The complexity of the scenario brings, on one hand, a country with one of the highest rates of attacks globally. On the other hand, economic uncertainties and fluctuations in the dollar (since the vast majority of solutions are sold in foreign currency) force CISOs to balance available resources to ensure company protection.

Good communicators

Unlike the outdated stereotype of the technical expert, today’s CISO must take on a leadership role and be an effective communicator to foster a strong cybersecurity culture within the company.

Another critical point is that CISOs cannot manage information security alone. They need support and collaboration from the external ecosystem, including vendors, clients, partners, regulators, industry associations, and security communities. These stakeholders can contribute information, resources, solutions, and best practices to help executives enhance and strengthen their organization’s security. Therefore, communication and market engagement are also fundamental.

Security must start from a holistic vision

It’s not enough to have isolated and reactive security tools and processes. CISOs need a holistic and integrated security vision, encompassing everything from employee culture and awareness to governance and alignment with business objectives.

Security should be seen as a cross-cutting and essential element for an organization’s continuity and growth, not as a cost or barrier. To achieve this, CISOs must engage other areas and leadership within the company, demonstrating security’s value and return on investment while establishing clear and measurable policies and indicators.

A sense of urgency is essential to anticipate threats

Cyber threats are constantly evolving and becoming more sophisticated, capable of affecting any organization, regardless of size or sector. Therefore, staying alert and updated on market trends and vulnerabilities is crucial, as is investing in solutions and methodologies that allow organizations to anticipate threats and risks.

One way to achieve this is by adopting a security-by-design approach, which incorporates security from the conception to the delivery of an organization’s products and services. Another method is conducting periodic tests and simulations to evaluate the effectiveness and resilience of security systems and processes, identifying opportunities for improvement and mitigation.

Even though the CISO role is still evolving, this professional is a key player in protecting and driving innovation for organizations in the digital age. CISOs must be prepared to handle unprecedented levels of threats, requiring proactive, strategic, and collaborative information security management.

Finally, CISOs must keep in mind that information security is not just a technical issue but also a factor of competitiveness and value for customers. Those who can align security with business goals and stakeholder expectations—and who can communicate the benefits and challenges of security clearly and convincingly—will be able to build a strong and sustainable security culture within the organization, contributing to its success and growth in the digital landscape.
