CISO of the Week, Victor Cayupil Amaya, Regional Information Systems Security Officer, LATAM for BNP Paribas Cardif
- Currently the Regional Information Systems Security Officer, LATAM, for BNP Paribas Cardif
- Responsible for the Latin America operation in terms of Systems Security Information, with regards to the global security framework and compliance. In charge of 6 countries and 7 operations across LATAM.
- With a 14+ year record of establishing and leading enterprise information security programs across different industries, with the main focus being on financial services.
- Victor has a Bachelor of Science degree in Information Technologies and Electronic Engineering and extensive experience in Information Security, Enterprise Risk Management and Data Privacy.
- Certifications: ITIL, COBIT, ISO, SSAE16, SOX, CISSP, CEH, NIST among others.
What should corporate boards know about conducting information security?
I always recommend seeing the “big picture”, understanding the business and how it is run on a day-to-day basis, starting at the operational and process level all the way down to the technical aspects, normally thinking about the information security mission with a horizon of between 2 to 4 years and taking into account the business strategy and the most significant projects from the portfolio.
Using all those elements to define a baseline will bring to the table the most relevant threats to which the company is exposed and show how the security mission is working on “clear tactics” when needed. It is also crucial to have a “shared understanding about the risks and mitigations” and the root cause in a non-technical way. This is always a good point of attention.
Why did the role of CISO appeal to you?
Technical understanding is a key aspect for good communication in the enterprise environment particularly when referring to cybersecurity.
Information security always seems like a very complex and technical topic for the business side with the potential risk of losing focus on the cybersecurity matters and the importance that they have today for the financial industry across all the business lines including B2C, B2B, B2B2C, the regulatory environment and other key areas.
I saw in the CISO position the possibility to play the role of a link between the technical and business worlds, to educate and stay close to the business. Seeing the smiling face of executives when they understand a technical conversation becomes addictive and very fulfilling.
What advice do you have for security leaders?
Promote and share your security passion every day with everyone and do your job with positive energy, paying special attention to the smallest details when you engage with the executive boards and CEOs.
Moreover, it is absolutely crucial to identify your main supporters who are indirectly helping you on a daily basis, even if you don’t see them.
Identify and promote talent in your security organization, not only the technical or subject matter expert skills, but also the “soft part” which is very important for several situations in your security mission. Team and individual recognition is vital for the motivation of the team as well as defining clear priorities and goals.
What are the biggest challenges you face in the year ahead?
I have to recognize that I love challenges!
I am very eager to face them and every year is a different challenge.
The initial ideas that come to my mind are not only budget commitments, but also managing a regional services catalogue and its consolidation and maturity.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
You need to be ever present!
From the very beginning, although it is not easy, trust me. Moreover, you need to present yourself as somebody to whom all the areas see as a facilitator and not as a problem. You must be able to add value and to demonstrate the relevance of your contribution.
In this way you will be a relevant part of the value chain and the executives, board and CEO will always include you in the process.
You will see that everything is flowing when you needn’t raise the security topic, because it has become a natural part of the conversation for everybody.
Could you offer advice on how CISOs and CIOs can work together?
To be honest, when I read this question, my first natural reaction was to laugh.
When I first started in the organisation, I always saw the CIO as our “distant cousin”. A cousin that you see once a year or in other cases only for tragic news. From the beginning you need a plan to improve communication quickly. You need to improve the relationship. I’m not saying that you only need to coordinate a dinner – it is not as easy as that!
In general terms my first recommendation is to put two catalogues of services on the table: IT and Security. Then, clarify the accountabilities.
Two years later, when you have finished that discussion, you can select another one, establishing both informal and formal periodic meetings between these two areas. This approach can help you to move faster.
Finally, if you are still alive and you now see a trustworthy brother or cousin, then you rock!!!
Give me a high five!
To sum up, always maintaining good communication and coordination, having a clear view of the roles and responsibilities of the areas, and a good balance between the project portfolio and the budget, taking into account the priorities, is, I believe, a very good starting point.