CISO and CIO Strategic and Together, or Nothing

Written by

I have dedicated more than a decade to the universe of information security and risk management. In consulting, the contact with the reality of the industries in general and each client in particular will naturally help us to complete the puzzle.

Even if we act as good academics, we have an intense research activity and seek international certifications as a way of giving visibility to the accumulated knowledge, there is nothing that compares to practice. Nothing like being able to connect concept to the real world and thus validate theories, premises, and needs, after all, calm sea does not make good sailor.

Much has changed since the 1990s, but too much has remained inert. In a simplified holistic view, what we saw and continue to see today is an exponential movement of technology adoption. Automation and digitization to be more precise, which in practice means that the transactions resulting from human, commercial, economic, political, cultural and social relations are migrating from platform to platform, and with this, it generates electronic records in scale that, by definition, serve to document the activity of the agents involved (read about blockchain).

As this digital movement penetrates even more deeply into the relationships considered relevant to society, such as: property; welfare; and power transferring, we have created an even more volatile environment of risk.

Volatility is not related to the risk equation itself, since the forces between its agents remain unchanged as the specialized literature points out. Vulnerabilities or security failures continue exposing the information assets to the action of threats in constant activity. Meanwhile, the probability of success of these attacks - a factor that depends on the interpretation of context vectors - plays the role of weighing the individualized correlation between vulnerability and threat, and producing what we call the risk perception. Everything exactly as we knew it then.

On the other hand, when we begin to observe the variables that compose the equation from the new context of automation and digitization of the moment, we begin to see all its dynamism and volatility. The digital environment seems to provide a much faster proliferation of new threats as well as the discovery or simple existence of a much greater number of vulnerabilities in a small fraction of time.

According to a recent study conducted by Symantec in 2016, about 430 million malware threats were discovered - software intended to infiltrate an unlawful computer in order to inflict some damage or theft of information - which represents an increase of 36% compared to the previous year. In terms of vulnerability, specifically called Zero-Day - security flaws which have not yet been explored or documented for which there is no known correction - the study indicates a quantitative increase of 125% compared to 2016, jumping from 24 to 54 new discoveries. Spooky.

In practice, what we are seeing happens is the exponential growth of dependency that relationships between governments, companies and people have on the digital environments and technology assets in general, while generating increasing masses of binary records. We are unquestionably on a path with no return and where there is no alternative. Just look around. The annual income tax return to the government no longer offers the paper option. Your bank no longer wants you to use its remaining physical channels. Your business partner no longer wants to exchange information other than by electronic means. Your employer no longer sees your operation without collaborative virtual environments to run the business.

We are seeing the birth of Industry 4.0, a modern term coined to represent the fourth industrial revolution. A new evolutionary phase in which technologies for automation and data exchange are applied using artificial intelligence concepts; cognitive computing; cyber-physical hybrid systems; mobility; Internet of things; big data; analytics and cloud computing, guided by the principles of interoperability, virtualization, decentralization, real time, service orientation and modularity. All simply fantastic, except for the side effects.

This applied digital transformation, by definition, imposes a severe regime of high speed and high risk. The dynamics provided by automation operating on electronic platforms makes much more information circulate with much more speed, in volumes never seen before and with planetary reach. Likewise, vulnerabilities arise with greater speed and threats appropriate the characteristics of those same environments to also increase the efficiency of attacks and increase the reach and scope of their targets. According to the Symantec 2016 study, 80 million automated attacks on information assets occur daily, more than 500 million personal records have been stolen, and the financial impact on organizations is already at 3 trillion per year.

The side effect of this new disruptive environment of risk 4.0 is the growth of electronic crimes, or cybercrime, and its variations cyber-terrorism, cyber-extortion, cyber-sabotage and cyberwar with the potential to cause unprecedented damage. However, unlike what many may be thinking, the momentum requires attention, observation, resilience, planning, and structured reaction. Ignoring or underestimating the new risks of this hostile environment will not enable survival and pave the way for the future of business.

The scenario demands well-prepared, up-to-date professionals with multidisciplinary skills, solid knowledge, and practical experience, as well as being surrounded by more intelligent and cognitive solutions capable of interpreting large volumes of events in a fast and more assertive way, leaving the machines with repetitive work and releasing itself for strategic judgments and decisions.

According to IBM studies, cognitive computing will be able to relieve the security team from the pressure of more than 200,000 security events per day. I venture to say that companies should immediately consider structuring a risk management office strategically positioned in the organization. Managed by a CISO who is legitimately responsible for the governance, risk and compliance (GRC) strategy including cybersecurity, privacy, data protection, anti-fraud and all its variations, but can also count on external consultants specializing in specific domains, standards and frameworks in a complementary way, while working side by side with a real CIO responsible for defining the company's digital strategy.

The moment does not tolerate more amateurs even if they are well-meaning. The scenery has never been so potentially disruptive. Reaction time is a determining factor in Industry 4.0, as well as the coordination and assertiveness of actions supported by robust processes.

All of this is driven by a well-defined long-term strategy aligned with business requirements and in the light of the digital transformation journey defined by the CIO. The rules in the new game are there and the coin has only two faces: succumb or survive what the future holds.

What’s hot on Infosecurity Magazine?