Over 14 years of experience in aligning information technology (IT) with business strategies and initiatives. Experienced and successful in Fortune ~50 companies as employee or consultant, with 10 years in leadership positions.
During the last 10 years I have specialized in cybersecurity and data compliance, and in security strategy development for different industries and sectors. I also have significant experience in large-scale project management, auditing and compliance, SOC and Security Ops, consulting services and business development for the security and IT space.
As Global Chief Information Security Officer (CISO) for CEMEX, I give executive leadership advice on protecting critical information resources and oversee enterprise cyber security strategy.
As CISO, my mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to CEMEX. I’m involved in the cyber-security and technology communities in Mexico and the USA, and I recently obtained my CISO certification, with honours, from the Carnegie Mellon University Heinz College program.
What is your overall approach to information security?
I consider my strategy and overall approach to information security to be based on risk to the business, individuals or even the community, analysing the risks more deeply, trying to anticipate something that might happen and learning lessons from others.
From a business perspective, I recommend running a complete and complex analysis over each of the main business and IT components, listening to concerns from business and evaluating the current posture and comparing it with the benchmark and future posture that we are looking for.
It’s also critical to consider the compliance and regulation challenges within the strategy.
I also recommend going back to the basics, because it doesn’t make sense to think about having advanced protection in an environment if you fail to take care of the basics.
How important is it to have the CEO thinking that security matters?
It’s critical for the success of the cybersecurity program. Cybersecurity is on the current CEO’s agenda for any company, and engagement can demonstrate the relevance and also support from the organization for the program; I’m pretty sure that, for the success of the program and getting the correct protection and security posture, it’s essential.
How can CISOs better understand a business’ needs?
By steering close conversations with business leaders and being aware of each initiative or requirement, adapting to the business decisions and changes; sitting at the right table of conversations is critical as well, in order to get the information first-hand and be considered a key player and business enabler.
What are the biggest challenges you face in the year ahead?
I could talk about compliance (i.e. GDPR), new cyber risks or complex attacks – however, I would swear that the biggest challenge for a CISO is running alongside/in parallel to the business with the same rhythm and cadence.
Usually the adoption and understanding of business plays a critical part in CISO cybersecurity strategy because, you know, the business cannot stop and the IT innovation is embedded, so the ability to incorporate and to adapt your cybersecurity strategy is a huge challenge.
Could you offer some advice on how CISOs and CIOs can work together?
In my opinion, considering that both have technical understanding, can measure and address the operational efficiencies and have alignment of accountability for IT risk, they can work together with alignment based on eliminating or minimizing the risks within the IT environment as well as looking at resilience for the IT Services.
How important is being able to communicate with your colleagues?
Communication is the basis for having an alignment and clearly marked goals. Also, collaborate as a team and as members of the organization, looking for compliance with business needs and goals.
This can help to avoid any assumption or misunderstanding across any activity or plan, as well as eliminate any barrier in real time.
Cybersecurity is a reality and the risk, or even an incident, can now reach anyone, including any country, any company in any industry or even individuals, hence the relevance for more engagement and awareness — because security is everyone’s responsibility.