CISO of the Week, Glauco Sampaio, Banco Original
An Information Security professional since 1999, working in financial services, media and ISP companies, Glauco Sampaio has been following the development of the field in Brazil while helping companies adopt cybersecurity best practices. Glauco has a bachelor’s degree in Information Systems Management and specializations in Information Security, Cyberlaw and Business.
What is your overall approach to information security?
I believe in two maxims: solve the big and easy problems first, and security must work very closely with business needs. This is the most relevant success factor for any information security strategy, if one is to avoid turning information security into a set of antagonistic roadblocks.
Second, we cannot leave behind the security technologies that support our strategy; without them it is almost impossible to implement the controls and processes designed by the security team.
Third is visibility. Without visibility we cannot provide the correct information and support to define the security strategy. Visibility needs to expand beyond one’s organization towards the broader ecosystem, including other companies and publicly reported information security incidents.
Another aspect that is crucial for the security strategy is keeping the controls and processes already implemented working as designed. Creating a process to continuously monitor and test our infrastructure is a key component of any strategy. This includes a periodic Cyber War Game aimed at one’s Blue Team, with the main goal of validating whether the security ecosystem is responding as originally designed and the team is responding accordingly.
What should corporate boards know about conducting information security?
At the right level, they must know the risk level and the plans to support an acceptable level of risk as defined by the company. It is easier said than done, but it will go a long way to improve the maturity level of the organization.
As infosec professionals, we have to provide the correct message to the board: what the main concerns and issues are that must be addressed, the gap analysis, and the plans to bring our risks to an acceptable level.
Leveraging publicly available information to illustrate the potential impact on business reputation and customer trust is another important area of communication with the board. It is not about scaremongering, but we need to draw the attention of key stakeholders to the potentially irreparable effects of significant incidents.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
This is a security discipline where you cannot apply frameworks or industry market models without a clear understanding of the company culture. We need to establish partnerships with key areas such as human resources and marketing as a means of streamlining communications to both external and internal stakeholders.
The use of specific types of material and approaches for the different types of employees is crucial to foster a corporate culture that values information security. Different individuals have unique training needs, and it is the responsibility of the organization to define the most effective vehicles to deliver actionable knowledge.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
Create a curated list of sources that are reviewed on a daily basis before literally any communication is released. There is a lot of noise in this data, and it is our responsibility to avoid disclosing unnecessary or misleading data.
You can additionally use a partner for the technical issues, and consulting services to compile trustworthy information about the technologies used in one’s environment, not just for “patch management” but also to improve the use of new features and configurations to address new security issues.
How can CISOs balance security and innovation?
The real balance isn’t between security and innovation; it is between risk management and innovation.
We must help the business to achieve the company goals while continuously managing the risks. The innovation process brings a lot of new challenges to this cycle; it is very important to have a security team with the ability to continuously provide risk assessment measurements.
The same is valid for technical innovations; it is a responsibility of the security team to help IT adopt innovations with the best possible controls in place.
You’ve been in the industry for 19 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
It has been a long way since 1999, and I see the security needs of all companies growing significantly every year. While I believe most organizations are advancing their general information security practice, there is still a lack of consistent attention and support from senior-level executives.
We have witnessed a set of new regulations over the last few years, such as GDPR and those from central banks, alongside older ones like PCI, that guide companies’ security practices; but a better understanding of the impacts of a security incident was also seen last year with WannaCry and NotPetya. Remember that they were caused by failure in one of the oldest security processes: patch management.
We see a lot of new job opportunities in information security and news about the shortage of people in the area; this represents a better understanding of the importance of security to the business.
As companies increase their focus on security, CISOs become the key players across all corporate levels of the organization in creating a sense of shared ownership. We must be prepared to continuously work with the broader organization, clarifying the role of all stakeholders in the diverse initiatives driven by the security teams.
There is a lot of work to be done though.