Cybersecurity Leaders – Hernan Veglienzone
Hernan Veglienzone is a cybersecurity professional with 26 years of experience in IT and Information Security. He has held executive positions related to information security in multinational companies, including: Corporate CISO at Correo Argentino based in Argentina, being responsible for all Information Security operations; CISO for Latin América at PROSEGUR based in Argentina, being responsible for Information Security operations in Argentina, Uruguay, Paraguay, Brazil, Chile, Peru, Colombia and Mexico; Senior Security Product Manager at TELMEX based in Argentina; Corporate Professional Services Director (América & Europe) at I-SEC Inc based in Argentina; CISO for América & Europe at BRIDAS OIL Holding (Argentina, México, Italia among others); Information Security & Business Continuity Manager for Argentina & Chile at EDS.
He is also a consultant, lecturer and international instructor of courses and seminars related to information security, both in the civil and military fields, and the author of articles and notes for major newspapers, television stations and magazines in the national and international market. Additionally, he has extensive technical, consulting, marketing and management experience in the Financial Industry, Banking, Retail, Petroleum, Automotive, Security, Manufacturing and Telecommunications, among others.
What is your overall approach to information security?
Currently information is the most important asset that all organizations have (private, public, military, government, etc.), and in this sense any leak, unauthorized disclosure or theft seriously puts at risk not only the organization itself, but also an entire country (depending on the degree of sensitivity of the data, of course). It is therefore vital to have a strategy for information security that is focused on the correct protection of sensitive data and to implement technological and process efforts, for which it is necessary to have a classification process that allows us to identify those critical assets and thus be able to carry out an adequate risk protection and management strategy.
Additionally, our Information Security strategy must contemplate various aspects, not strictly technical, such as:
- Generate and maintain Awareness Campaigns for employees and third parties.
- Identify the business’s own regulations and generate compliance plans.
- Identify and comply with privacy laws.
- Create Business Continuity plans.
- Human resources security processes.
- Physical Security Aspects (Access Controls, Electronic Security, among others).
The CISO’s role is a very high-pressure, high-stakes job. What is the right profile for this job?
In my opinion, the correct profile of a CISO must be made up of a combination of skills, among them: technical background, handling of interpersonal relationships, excellent negotiation skills, tolerance to failure, perseverance, self-motivation and above all leadership and business understanding.
It is important that the CISO has 70% executive skills and 30% technical skills; often the opposite happens, that is, the technical knowledge predominates over the executive. This situation, in my opinion, generates a great inconvenience when managing daily high-pressure situations and incident management, since if their capabilities are strictly technical, it is very difficult to lead an area that requires excellent management of the “business language” to be able to communicate efficiently with the Management, to be able to clearly transmit an incident situation and to contain the pressure in every sense.
What should corporate boards know about conducting information security?
Primarily it is important to create a Master Plan for Information Security in the short, medium and long term that describes “Graphically and Clearly” what the existing risks in our organization are, and what the activities will be that define the appropriate security strategy to protect the Business and minimize risks. For this plan to be successful it is essential that it is 100% aligned to the Business Strategy.
As a second step, it is extremely important to be able to incorporate the presentation of the Master Plan status into the Board’s agenda (I recommend doing it at least 1 time per quarter). Presentations should be short, concise, graphic, and it is vital to “translate” the “security language” into “business language”.
When speaking the language of business to their boards, are there certain phrases Leaders / CISOs should be using?
Definitely, we must speak the same “language” with the Board, which is strictly the business language. If we talk to the Board about how much malware we detect / avoid and use technical language, I’m sure that our presentation will not last long …
We must use phrases related to the loss or gain of money for the business when it comes to topics related to Information Security, and it is vital to quantify the losses and gains.
It is important to explain, with the appropriate words, the importance of investing in security and what the positive and negative consequences of doing it or not are for the Business. As negative impacts, we must report how much the money losses would be due to SLA breaches with our clients caused by Security Incidents, economic damage to the image of the company, loss of contracts with our clients or directly termination, among others; from a positive approach, we must demonstrate that investments in security contribute considerably to the possibility of generating new businesses and new clients, for example obtaining Safety and Quality certifications such as ISO 27001, ISO 22301 and ISO 9001 that differentiate us from our competitors in the market and that demonstrate solidity and commitment in terms of protection, having a Business Continuity Plan, periodic audits, all of which generates confidence in our active and potential clients.
How can security executives help the C-suite better understand cybersecurity?
In my experience, the best way to help C-level executives understand the importance of safety is to carry out realistic, tangible and high visual impact activities.
One activity that generates a lot of impact on senior executives, and is one of my favorites, is to hire specialist cybersecurity consultants and carry out controlled attacks within the company, for example live phishing, information theft, social engineering to secretaries, call centers, among others, and show the results live. A picture is worth a thousand words…
We have recently witnessed a spate of massive DDoS attacks via IoT devices configured as botnets. Do you think legislation should mandate device manufacturers to meet minimum cybersecurity requirements to avoid this kind of incident?
There should definitely be legislation that requires minimum security requirements from manufacturers of IoT devices. I think that it should also be accompanied by a committee made up of information security specialists who are compliance auditors.
Currently there are smart TVs, alarm systems, air conditioners, heating, game consoles, household electricity, audio and video equipment, etc., all linked and integrated, which can be remotely controlled by a Smartphone and have high processing and intelligence capabilities.
In my vision, the current goal of large companies that generate IoT devices is linked to designing more intelligent, autonomous, friendly and integrable devices. However, in general, information security issues are not considered as part of the development process of these devices and this generates large vulnerabilities that affect both the security and privacy of people. Some may be attacked and taken as bots to attack other devices, but they are also vulnerable to remote audio / video execution for example on SmartTVs that violate privacy.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
To carry this forward, it is vital that the Safety Master Plan is integrated and 100% aligned with the business objectives.
It is important to converge on a Single Corporate Strategic Plan or Master Plan where the different Plans of the Organization are reflected: Marketing Plan (area where the new products and services of the organizations are generated), Business Plan, IT Plan, as well as the Information Security Plan.
In my experience, I recommend generating a General matrix, where new products and services are detailed, which should be accessed and reviewed by the different areas that will participate (for example IT, Information Security, Legal, etc.). In this way each area can identify what the requirements and needs are to comply with product quality and safety standards. In this way we ensure, among other things, that the security requirements are considered in the analysis stage and subsequent development of new products and services.
How might we address the perception of cybersecurity holding back the business?
In my opinion, the most tangible way to eliminate negative perceptions regarding cybersecurity is to demonstrate the positive contribution that security activities generate to protect the Business, making it clear that the Cybersecurity area is there to accompany and protect the critical assets of the organization and that the business is first and foremost.
In many cases the speed of the Business and the pressure to go to market quickly with new products or services tends to be very high, and there is a probability that there is some tendency to “shorten paths” of control and continuous improvement. If this happens I recommend generating a process of formal risk analysis which determines the level of risk to which the business is exposed, which threats it is exposed to, the likelihood and the level of impact if the threat materializes, and what the elimination / mitigation activities for the identified risks would be. If the Risk and Impact levels are High / Critical, it is important that the board is immediately made aware and takes active participation in the decisions to be made.