Complex threats usher in a “new era” for cybersecurity leaders

The role of the Chief Information Security Officer (CISO) has never been as challenging and crucial as it is today. With the exponential increase in cyber threats, which can cause irreparable damage to an organization's reputation, trust, and assets, CISOs need to be prepared to face an increasingly complex and dynamic landscape.

In 2024, Brazil experienced a significant increase in cyberattacks. In the first quarter, there was a 38% increase compared to the same period in 2023, with Brazilian organizations experiencing an average of 1,770 attacks weekly. In the second quarter, the increase was even more pronounced, reaching 67% compared to the previous year, with an average of 2,754 weekly attacks per organization. In the third quarter, the average weekly number of attacks per organization in Brazil reached 2,766, representing a 95% increase compared to the same period in 2023. The most targeted sectors were finance, health, government, and energy, with the main types of attacks being ransomware, phishing, DDoS, and APTs (Advanced Persistent Threats).

CISOs have to adapt to this new era of unprecedented cyberattacks – often performing multiple roles at the same time and, in the case of Brazil, managing a scenario of cost containment and investments in cybersecurity.

The role of the modern CISO

The position of CISO is relatively new. Unlike CFOs or CEOs, the role of the information security director did not officially exist until the mid-1990s.

Furthermore, the role of the CISO has been constantly changing in organizations. According to Splunk's 2023 CISO report, 90% of respondents believed that the role had become a "completely different job" from when they started.

Initially, the CISO was responsible for developing policies, security governance, and implementing more rudimentary security controls, which gave the role a far more technical than managerial outlook. Today, the list of responsibilities has grown significantly. One of them, for example, is the political function of the position: CISOs need to have close working relationships with the CEO, the CFO, and the organization's Legal department. The security department's budget is an essential condition for facing the myriad threats that exist today.

And this is still a problem for companies worldwide, especially in Brazil. The scenario is complex: on one side, the country has one of the highest attack rates in the world. On the other, economic uncertainties and the fluctuation of the dollar (since the vast majority of solutions are sold in foreign currency) force CISOs to balance the available resources to ensure the company's protection.

Good communicators

In the past, the image of the CISO leaned heavily on the technician stereotype. Today, the CISO needs to take a leadership role and be a good communicator in order to lead the creation of a solid cybersecurity culture within the company.

Another important point is that CISOs cannot act alone in information security management. They need to rely on the support and collaboration of the external ecosystem, which includes suppliers, customers, partners, regulatory agencies, professional entities, and security communities. These actors can contribute with information, resources, solutions, and best practices that help the executive improve and strengthen their organization's security. Therefore, communication and relationship with the market are also fundamental.

Security needs to start from a holistic view

It is not enough to have isolated and reactive security tools and processes. CISOs need to have a holistic and integrated view of security, covering everything from employee culture and awareness to governance and alignment with business objectives.

Security should be seen as a cross-cutting and essential element for the continuity and growth of the organization, not as a cost or barrier. For this, CISOs must involve other departments and company leadership, demonstrating the value and return of security, and establishing clear and measurable policies and indicators.

A sense of urgency is essential to anticipate threats

Cyber threats are constantly evolving and becoming more sophisticated, and can affect any organization, regardless of size or sector. Therefore, it is important to always stay alert and updated on market trends and vulnerabilities, and to invest in solutions and methodologies that allow for anticipating threats and risks.

One way to do this is to adopt a security-by-design approach, which incorporates security from the conception to the delivery of the organization's products and services. Another way is to conduct periodic tests and simulations that assess the effectiveness and resilience of security systems and processes and identify opportunities for improvement and mitigation.

Although the role of the CISO is still evolving, this professional is a key piece for the protection and innovation of organizations in the digital age. CISOs need to be prepared to handle an unprecedented level of threats that require proactive, strategic, and collaborative information security management.

Finally, CISOs should keep in mind that information security is not just a technical issue, but also a factor of competitiveness and value for customers. Those who manage to align security with business objectives and stakeholder expectations, and who can communicate the benefits and challenges of security clearly and convincingly, will be able to build a strong and sustainable security culture within the organization and contribute to its success and growth in the digital landscape.

By Ramon Ribeiro, CTO of Solo Iron.