CISO of the Week, Isabel María Gómez, Bankia Group
Isabel María Gómez is a certified security executive manager with cross-functional expertise in Risk Management, specializing in Information Security, Cybersecurity, Data Protection, Compliance and Digital Transformation. She has more than 18 years of experience managing and leading multidisciplinary teams and projects that span legal, regulatory, technical and financial areas, achieving the best results even when synergies are lacking. She is a frequently cited expert who contributes to and participates in courses, articles and discussions on issues related to new technologies and regulations.
Bankia Group is a Spanish bank that operates throughout Spain serving 8.2 million clients, with a universal banking business model based on multi-channel management and specialized in serving individuals and businesses.
What is your overall approach to information security?
My approach is that information security must be the enabler within the company, a controller of the vendors and providers which handle the Group’s information, and the key part of the business in order to offer the best products on the market. It means being the collaborative bridge between the different areas of the company such as legal, technology, compliance, business, etc., speaking their own languages, understanding what they need and embracing their goals as if they were my own. Last but not least, I want information security to be the business key to improving the product offered to customers against our competitors.
When speaking the languages of the business to their boards, are there certain phrases CISOs should be using?
In my opinion there isn’t a lucky phrase that can open all doors. However, after several years, I have learnt some keys that help me engage them in the conversation:
- Be simple and transparent.
- Be the best negotiator and a great communicator.
- Change your hat as many times as you can.
- Don’t speak about probabilities, speak about the risks: executive boards can understand the risks and make decisions about how to mitigate them.
- Explain the benefits the business is going to obtain.
- Remind yourself that nothing is impossible. Believe in yourself no matter what others say, show your passion, your vision and share a real example of what you can obtain. One opportunity can change the world.
How can security executives help the C-suite better understand Cybersecurity?
I strongly believe that people are the key to protecting the business. Let me share an idea to improve your awareness program: design a plan that includes the kids of your employees and your clients. Play several games to make them understand how important security and privacy are to their lives. Children, young people and parents enjoyed these sessions and the results were unexpectedly good. The families started to help themselves to take care of their own cybersecurity. Parents changed their way of looking at information security. Children and young people understood how important it is to protect their privacy, to be smart when sharing information on networks, not to trust people they haven’t physically met before, to detect threats and to be smart managing them. They discovered how easy it could be to protect their information and personal data. Sometimes a beautiful memory may be enough to prepare people to take care of your business. And please remember that another key is not to harass them.
Your business is only as strong as your weakest partner. Can you trust that your partners are keeping your data safe from attackers?
It isn’t a question of trust, it’s a question of guaranteeing that they are going to protect your information as you want, establishing the best chain reaction in case of an incident.
In 2011 we launched a new process called “Information Security Third Parties’ Homologation”. This process permits the company to guarantee that vendors and providers are going to treat the information and implement the information security measures that the company has decided and approved. The key to the process is that security measures and ways of working are defined in third parties’ contracts:
- INFORMATION SECURITY ANNEXES FOR SERVICE OUTSOURCING AGREEMENTS: These contractual security rules apply to any provider which accesses, processes, transmits or stores information belonging to Bankia during the provision of its services.
- RULES FOR THE USE OF ICT RESOURCES: This document sets out the mandatory rules and procedures that must be applied in the use of information technology resources by internal and external people.
Maybe we were pioneers in this case, and the results have been unexpected in subsequent years. These controls help us to react faster in case of an incident, to comply with market best practice, to protect the business from the legal perspective, to demonstrate the quality of our controls to supervisors such as the ECB, to reduce risks, and to establish a new way of protecting the business while obtaining benefits for our clients.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
Following the path of the third parties process and the main goal of being an enabler, we launched a process called “Security Sponsorship”, which consists of all projects (including the SDLC) having an information security consultant on their teams from the beginning to guarantee security and privacy by default. This multidisciplinary team helps them identify the security rules they must implement to protect the information in IT security, access control, monitoring, continuity and disaster recovery, and legal and regulatory requirements, from the origin of the idea to the last review of the information security state before launch.
This gives us a way of working that helps everyone understand what they need in order to protect the information and carry out the project.
How could we address the perception of Cybersecurity holding back the business?
The only way is to link information security results to the business goals and show them everything that information security can do for the business. We are experiencing the fourth industrial revolution (Industry 4.0). All businesses are transforming themselves into digital businesses.
A few years ago, speaking about artificial intelligence and machine learning was sci-fi, but now they are here to stay. Let me share an example: increasing the number of digital customers must be an information security goal, too.
Making better products at the security level, more attractive to customers than the competitors’ products, is our goal. The effort is paid back with better protection when an incident has occurred: customers learn that the security team has established networks of collaboration with police, attorneys, governments, judges and professionals all over the world that allow us to recover the amounts drawn in almost any part of the world, from the first second the money has been stolen to the last moment in court.
Nowadays, the evolution of information security leaders permits us to find a balance between innovation, people, protection and business. The perception of the CISO role has changed since those years when internet and intranet networks began to be part of the company’s life cycle.
Security professionals born in the 90’s have crossed a long path from IT security (when we were considered stoppers) to becoming members of the top table, considered one of the enablers of the company. Our minds are full of ideas for reaching the highest results and benefits, and those ideas are now being listened to.
With these huge responsibilities upon our shoulders, we should never forget that people are the key and the future of our companies’ services. They show us every single day that nothing is impossible as human beings. Kids and young people are the strength that will take our legacy towards future steps. We must teach them how to protect themselves and their personal data while giving them all the opportunities and tools to reach their dreams, even in the security field.