Complex threats usher in “nova ERA” for Cybersecurity leaders

The role of the Chief Information Security Officer (CISO) has never been more challenging and crucial than it is today. With the exponential rise of cyber threats that can cause irreparable damage to the reputation, trust and heritage of organizations, CISOs need to be prepared to face an increasingly complex and dynamic scenario.

In 2024, Brazil recorded a significant increase in cyber attacks. In the first quarter, there was a growth of 38% compared to the same period of 2023, with Brazilian organizations suffering, on average, 1,770 weekly attacks. In the second quarter, the increase was even more pronounced, reaching 67% compared to the previous year, with an average of 2,754 weekly attacks per organization. In the third quarter, the average weekly number of attacks per organization in Brazil reached 2,766, representing a growth of 95% compared to the same period of health attacks, more targeted ransomware and APS were the most targeted sectors 20, the most targeted attacks were the same types of health, the attacks.

CISOs have to adapt to this new era of unprecedented cyber attacks - often performing multiple functions at once and, in the case of Brazil, managing a scenario of cost containment and cybersecurity investments.

The role of the modern CISO

Unlike the chief financial officers or chief executive officers, the role of chief information security officer did not officially exist until the mid-1990s.

In addition, the role of the CISO has constantly changed in organizations. According to Splunk's 2023 CISO report, 90% of respondents believed that the role had become a completely different “work than when they started.

If in the beginning the CISO was responsible for policy making, security governance and implementation of more rudimentary security controls, which led this professional to have a much more technical than managerial vision, today the list of assignments has increased, and much. One of them, for example, is the political function of the position: CISOs need to have close working relationships with the CEO, the CFO and the Legal area of the organization. The budget of the Security area is an essential condition to face the myriad of threats that exist today.

And this, still, is a problem for companies worldwide, especially in Brazil. The complexity of the scenario brings, on the one hand, a country with one of the highest rates of attacks in the world. On the other, economic uncertainties and the fluctuation of the dollar (since the overwhelming majority of solutions are sold in foreign currency) makes CISOs have to balance with the resources available to ensure the protection of the company.

Good communicators

Unlike a stereotypical tech-based image in the past, today the CISO needs to take a leadership role and be a good communicator to lead the creation of a strong cybersecurity culture within the company.

Another important point is that CISOs cannot act alone in the management of information security. They need the support and collaboration of the external ecosystem, which includes suppliers, customers, partners, regulatory bodies, professional entities and security communities. These actors can contribute information, resources, solutions and good practices that help the executive to improve and strengthen the security of his organization.

Security needs to be based on a holistic view

Isolated and reactive security tools and processes are not enough. CISOs need to have a holistic and integrated view of security, ranging from employee culture and awareness, to governance and alignment with business objectives.

Security should be seen as a transversal and essential element for the continuity and growth of the organization, and not as a cost or a barrier. For this, CISOs should involve the other areas and leaders of the company, demonstrating the value and return of security, and establishing clear and measurable policies and indicators.

A sense of urgency is essential to anticipate threats

Cyber threats are constantly evolving and sophisticated, and can affect any organization, regardless of size or segment. Therefore, it is important to be always aware and updated about market trends and vulnerabilities, and invest in solutions and methodologies that allow to anticipate threats and risks.

One way to do this is to adopt a security-by-design approach that incorporates security from design to delivery of the organization's products and services. Another way is to conduct periodic tests and simulations that assess the effectiveness and resilience of security systems and processes, and identify opportunities for improvement and mitigation.

Even though the role of the CISO is still changing, this professional is a key player for the protection and innovation of organizations in the digital age. CISOs need to be prepared to deal with an unprecedented level of threats, which require proactive, strategic and collaborative information security management.

Finally, CISOs should keep in mind that information security is not only a technical issue, but also a factor of competitiveness and value for customers. Those who can align security with business objectives and stakeholder expectations, and who know how to communicate the benefits and challenges of security clearly and convincingly, will be able to build a strong and sustainable security culture in the organization, and contribute to its success and growth in the digital landscape.