Cybersecurity Leader of the Week – Ramón de la Iglesia Vidal, Cybersecurity Manager, Santander Bank
Ramón de la Iglesia Vidal is a Cybersecurity Manager at Banco Santander.
He holds a Bachelor’s degree in Computer Science and the CISA, CISM, CISSP, CRISC and ISO 27001 certifications, and has 15 years of experience in cybersecurity, most of them in the banking and assurance field.
Born in Mallorca, he currently works in Madrid.
Are there any common traits which make a successful security program?
Historically, we have found multiple different strategies in the field of Cybersecurity, either according to trends of technological solutions, or according to the size and maturity of the companies that implement them.
In any case, everyone agrees on the importance of having a clear cybersecurity strategy, and that cannot be improvised or defined alone. In this sense, there are two basic principles without which the definition of the program will be doomed to failure: proportionality to risk appetite and alignment with the business.
As for the implementation of a Cybersecurity strategy, the correct execution of the different plans is key, along with taking advantage of each executed project so that it is one more gear in the day to day running of the business. In this sense, the coherence of solutions with common sense is fundamental. Do we really have that problem in our company? Is it a priority right now?
Finally, the topic that is most relevant to your employees: the knowledge and skill that they need to do their job. It’s true! Training is, quite simply, one of the highest-leverage activities a manager can perform.
How important is it to have the CEO thinking that security matters?
It must be recognized that considerable efforts and a lot of progress have been made in cybersecurity, particularly through the support provided by the authorities in the banking sector. Thanks to the importance that cybersecurity has taken on, boards are acutely aware of the security issues and IT risks, as well as the strategies that should be adopted. But not all sectors are at the same point. In non-regulated sectors it is more complicated for management to understand the main risks and see the real scenarios that can actually happen to their company, or even to understand the real impact of a cyber-attack materializing.
Companies in the banking sector are pressing ahead with digital transformation. If they don’t simultaneously realign their security systems and their security culture, they become more vulnerable to attacks.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
It’s essential to have a complete awareness and training plan in the company. Carrying out isolated or spontaneous actions prevents progress in the maturity of the culture, so it is only with planned actions that we can achieve goals. It is well known that without a good awareness plan you are not going to have a company that is mature in cybersecurity, and for this you need:
- A way to measure the degree of awareness of your employees,
- A good strategy,
- Resources for that (training of employees, thematic campaigns, exercises that can assess the maturity reached, etc.)
In this sense I recommend phishing exercises (and other types of social engineering exercises), to see the evolution of the campaigns and the effectiveness of the different training.
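One way to put numbers on the "degree of awareness" the list above asks for, written here as an added example and not the interviewee's or Banco Santander's own tooling: a small Python script that takes the per-recipient results of simulated phishing campaigns, computes click and report rates per campaign, checks whether both rates move in the right direction from one campaign to the next, and compares recipients who had completed training against those who had not. The campaign rows are constructed, hypothetical data; the `Result` fields and function names are assumptions for this example.

```python
"""Phishing-simulation metrics: per-campaign click and report rates, trend,
and trained-vs-untrained cohort comparison. Added example with constructed data."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Result(NamedTuple):
    campaign: str    # campaign identifier; sorted by name gives chronological order
    recipient: str
    trained: bool    # recipient had completed awareness training before this campaign
    clicked: bool    # recipient followed the simulated phishing link
    reported: bool   # recipient reported the message via the phishing-report channel


# Constructed sample data (hypothetical, not real campaign results).
SAMPLE_RESULTS: List[Result] = [
    Result("2023-Q1", "alice", False, True, False),
    Result("2023-Q1", "bob", False, True, False),
    Result("2023-Q1", "carol", False, True, False),
    Result("2023-Q1", "dave", False, False, True),
    Result("2023-Q1", "erin", False, False, False),
    Result("2023-Q1", "frank", False, False, False),
    Result("2023-Q2", "alice", True, False, True),
    Result("2023-Q2", "bob", True, False, True),
    Result("2023-Q2", "carol", True, False, False),
    Result("2023-Q2", "dave", False, True, False),
    Result("2023-Q2", "erin", False, True, False),
    Result("2023-Q2", "frank", False, False, True),
    Result("2023-Q3", "alice", True, False, True),
    Result("2023-Q3", "bob", True, False, True),
    Result("2023-Q3", "carol", True, False, True),
    Result("2023-Q3", "dave", True, True, False),
    Result("2023-Q3", "erin", True, False, True),
    Result("2023-Q3", "frank", True, False, False),
]


def campaign_metrics(results: List[Result]) -> Dict[str, Dict[str, float]]:
    """Sent count, click rate and report rate for each campaign, keyed by campaign."""
    groups: Dict[str, List[Result]] = defaultdict(list)
    for r in results:
        groups[r.campaign].append(r)
    metrics: Dict[str, Dict[str, float]] = {}
    for name in sorted(groups):
        rows = groups[name]
        sent = len(rows)
        metrics[name] = {
            "sent": sent,
            "click_rate": sum(r.clicked for r in rows) / sent,
            "report_rate": sum(r.reported for r in rows) / sent,
        }
    return metrics


def cohort_click_rates(results: List[Result]) -> Dict[str, Optional[float]]:
    """Click rate for recipients who had completed training versus those who had not.
    A cohort with no recipients yields None rather than a division by zero."""
    counts = {True: [0, 0], False: [0, 0]}  # trained -> [clicks, sent]
    for r in results:
        counts[r.trained][0] += int(r.clicked)
        counts[r.trained][1] += 1
    return {
        "trained": counts[True][0] / counts[True][1] if counts[True][1] else None,
        "untrained": counts[False][0] / counts[False][1] if counts[False][1] else None,
    }


def awareness_is_improving(metrics: Dict[str, Dict[str, float]]) -> bool:
    """True when, for every pair of consecutive campaigns, the click rate falls
    and the report rate rises; this is the 'evolution' an awareness plan should show."""
    ordered = [metrics[k] for k in sorted(metrics)]
    return all(
        later["click_rate"] < earlier["click_rate"]
        and later["report_rate"] > earlier["report_rate"]
        for earlier, later in zip(ordered, ordered[1:])
    )


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_RESULTS)
    for name, v in m.items():
        print(f"{name}: sent={v['sent']} click={v['click_rate']:.0%} report={v['report_rate']:.0%}")
    print("cohort click rates:", cohort_click_rates(SAMPLE_RESULTS))
    print("awareness improving:", awareness_is_improving(m))
```

The report rate matters as much as the click rate: a falling click rate with a flat report rate means people are ignoring suspicious mail rather than escalating it, which gives the security team no early warning when a real campaign arrives. Comparing cohorts by training status, rather than only campaign totals, is what lets you attribute an improvement to the training rather than to a less convincing lure.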
Regarding the members of critical positions, there is no better strategy than to perform simulations and war-games to check the skills and learn from the mistakes of improvisation.
Finally, we must not forget to plan actions with our clients in mind, since our main objective should always be to protect them from threats.
Ransomware and Phishing are among the risks that have threatened all industries recently. From your perspective how should financial institutions address these risks and what has really worked for you in mitigating these risks that you would recommend others might also do?
In the last few years, we have seen how phishing campaigns are becoming less seasonal, longer in duration and more aggressive. In the same way, ransomware attacks are taking advantage of the latest waves of vulnerabilities and 0-days to wreak havoc on unprepared companies, or those whose patching timelines are slower than the threats.
For the phishing problem, it is very important to have a good surveillance service, capable of closing the fraudulent sites in time, a good intelligence service, and again the awareness program oriented to clients and employees. In the case of ransomware, situations like WannaCry have taught us that a good “updating & patching” policy is vital in the company, as well as being a good tool against vulnerabilities and unforeseen behavior.
In general, and applicable in both cases, it is fundamental to align the strategy of awareness oriented to those types of threats, because in most cases the entry vector is basically an e-mail and the pertinent deception. In the same way, the awareness of our clients is the most effective way to avoid both the theft of credentials and the hijacking of equipment.
From the point of view of the companies, the change has also been profound, going from a department seen as a stopper to being seen as an effective aid to implementing projects safely. Nowadays, threats are no longer a fantasy or “possibilities” but a reality.
When the business is streaming along and wants to introduce new products or services, how do you make sure security is plugged in?
Security by design is essential. Security teams must participate in the early definition of any initiative, always from the beginning, covering three main objectives: security as a part of the solution, avoiding future problems (gaps that will be more expensive to close later), and preventing delays in production.
Most organizations waste quite a bit of their budget because they have bad business practices, fail to deliver on requirements, and fail to manage projects to meet schedule, cost, and quality goals. If the life cycle was truly embraced with the right people, process, security, and technologies, we would see excellent software and more efficient and effective organizations.
You’ve been in the industry for 15 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
In terms of threats, we have seen how cybercrime has been professionalized in the last 15 years: from hackers who looked only for challenges and self-learning, to professional cybercriminals. Organized crime has seen how profitable it is to commit crimes at a distance, without risk and with high rates of ROI. In this sense, crime has evolved in the same way as states’ intelligence teams, which has changed the rules of that global game. On the dark web we find industrial-grade products, while dual-use products are freely available on the “surface” web. RAT software, for example, which allows remote system administrators to control machines under their responsibility, has created opportunities for hackers to illegally take over machines without proper credentials.
As organizations, we are suffering sophisticated threats in a very real way. In addition, security departments have gone from being stoppers of business to being indispensable collaborators in the definition of requirements.
In major enterprises, the field of cybersecurity has evolved from being a mandatory requirement to being part of the requirements of all initiatives. This is security by default. In the same way as quality or safety, cybersecurity is an added value to the product and a basic guarantee for our customers.