Cybersecurity Leaders – Juan Cobo Páez, Global CISO, Ferrovial
Cybersecurity Leaders – Juan Cobo Páez: a security professional with more than 20 years of IT experience gained in a variety of companies and sectors, Juan possesses an excellent mix of strategy, management and operational security skills developed in multicultural international environments. He is an expert in analyzing and delivering secure, cost-effective services in complex and high-value business environments. Over his career, Juan has attained the CISA, CISM and CRISC qualifications, backed up by many years of practical experience in all aspects of Information Security / Cyber Security, and has complemented his education with an IESE Business School Management Development Program (PDD) and an ESADE Business School Global Management Program (GMP).
Juan is trusted and relied upon by executive management to establish security governance and culture throughout a complex and heterogeneous international business environment, developing relationships with key stakeholders and building and leading internal teams at all levels to transform, embed and improve security across the organization.
What is your overall approach to information security?
According to our approach, Information Security is a formal and global process deployed homogeneously in all the geographies in which we operate, based on market best practices, considering clear objectives aligned with business objectives and goals and integrated into the Corporate Risk Management Framework. It covers the people, process and technology dimensions and allows Ferrovial to keep a global view of security risks for its proper management.
When speaking the language of business to their boards, are there certain phrases Leaders / CISOs should be using?
Definitely. First of all, when speaking to the governing bodies of a company, we must discard technical language and focus on the language that the business understands. More than specific phrases, I would use specific topics.
In this way, we must use the language of risks and focus on giving insight into our global and geographic exposure to security risks, the potential impacts in terms of operations, reputation, brand and compliance, our current security status and posture regarding the company’s risk appetite, the significant incidents managed during the period and the state of the plans and control initiatives in progress to maintain an adequate level of security.
How do you assess the responsibility of the CISO / Leader for educating the workforce?
The responsibility of the CISO is crucial. In fact, as I always say, CISOs have among their main responsibilities to transform the culture of a company and its way of perceiving and managing one of the most relevant categories of risks for any organization today, such as cyber threats.
No matter how many times it is said, it is still true. Human beings are predictable and confident, and we are still the weakest link in the security chain and the favorite victim being targeted by the vast majority of attacks. Security is not just about technology. The dimensions of processes and people are, if possible, more relevant.
Given the importance that educating the workforce has, CISOs' communication and relationship skills within the organization are key and constitute one of their main weapons.
Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should companies mitigate these risks and what has worked for you?
In my opinion, there are no magic formulas, neither for the industry in general nor for us in particular. It is a matter of persisting in the work and providing the control environment with capabilities for the three fundamental dimensions of Processes, People and Technologies.
Within preventive measures, education and training of people through awareness campaigns and simulation scenarios are essential, since threat filtering measures are not one hundred percent effective.
Detection, monitoring, and correlation measures are equally critical, but what CISOs are paying special attention to is the response. Today, CISOs generally assume that sooner or later we will have to deal with a relevant security incident. Our ability to succeed in such circumstances will depend largely on how fast and organized the response is. For that reason, it must be prepared and trained in advance.
Investing in the response and its preparation has become key to surviving the complex cyber threats we face nowadays.
How can CISOs / Leaders balance security and innovation?
The answer is not simple, but I do believe that CISOs should not think only in terms of security. Our role must be fully aligned with the company’s objectives, and this involves ensuring continuity and business generation, recognizing the vital role that innovation plays in this context, even if such recognition involves facing new risks. In fact, security management is about managing risks derived from business activity, rarely about eliminating them.
On the other hand, innovating does not mean doing what you want without thinking about the consequences. It must have order and control, like any other discipline.
If a company understands that both security and innovation are necessary pillars for business continuity and generation and knows clearly its risk appetite, the necessary balance should be easier to achieve.
How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?
Collaboration and sharing are some of the most powerful weapons that CISOs have. It is not possible to win this war in isolation. Many of the capabilities we develop and deploy are based on having intelligence about our context and what is happening around us, and this is not possible without maintaining close relations of sharing and collaboration with our colleagues in both the private and public sectors.
Keeping close relationships and formalizing collaboration agreements with National Cybersecurity Agencies is also key to taking advantage of cyber-intelligence. Definitely, sharing information and intelligence can be the difference between reacting well and on time to a severe incident or suffering serious consequences.
We are lucky. We are living in amazing times in which technology and digitization make it possible to transform humanity to limits that were until recently unthinkable. But at the same time, our increasing dependence on technology and connectivity makes us very vulnerable to the complex world of cyberthreats. The leading role of cybersecurity will be essential to guarantee the success of this great transformation.