Félix Antonio Barrio Juárez is the managing director at INCIBE (the Spanish National Institute for Cybersecurity). Prior to this he was the Programmes manager at the National Institute of Communication Technologies between 2007 and 2014, while between 2014 and 2019 he worked at the National Institute of Cybersecurity. Between 2019 and 2020 he was the director of the Cybersecurity Hub at Tec de Monterrey.

Check out his interview with Samir Aliyev, CEO and Founder of the Swiss Cyber Institute where Samir discusses with Félix how important it is for a CISO to have a seat on the board and who they should report to.

A lot of CISOs see their role as bringing together technology and business. How do you see the CISO’s role evolving so that it is up to date with the latest panorama of threats?

The CISO’s role has evolved enormously in the last few years going from a job role with a technical focus to something more involved in risk and compliance management. The job role has grown in importance due to digitalisation and a company’s need for an on-line presence. This has raised cyber security issues to the top level. Cybersecurity has become a strong focus for businesses and is now one of the key issues.

It’s because of this that the CISO’s role has begun to tackle the challenges thrown their way due to the constant changes in the panorama of cyber threats. This involves understanding business strategy, staying on top of emerging threats, fostering collaboration and awareness, complying with governance, and adopting new security technologies.

A good way of assessing a senior executive’s impact on the business is to evaluate the impact they have had on the business’s operations. How should an organisation measure a CISO’s contribution to its operations?

The metrics for this evaluation are more tangible compared to other areas. Protecting a business is not an exact science. There are times when the answers are not always straightforward. Not everything is black and white, and work and opinions change from day to day. New risks are always arising, which means that what was protected today can become something at risk the next day.

Nowadays, we can say there is no mathematical formula that can measure a CISO’s impact on an organisation as well as their actual effectiveness. There is no quantifiable way of measuring a programme’s effectiveness.

This is something we are currently working on, and we hope to have useful and universal metrics to evaluate the strategy carried out, through assessments that are repeatable and reproducible. Slowly but surely, a system for measuring effectiveness is coming together to assess a programme’s ability to generate greater levels of security for the organisation or how something has saved you from having to explain a data breach to customers and partners.

A CISO’s visibility often comes down to how much the company values security. How important is it to have a CISO on the board? Does it matter to whom the CISO reports?

Cybersecurity should be an issue discussed at board meetings and beyond its quarterly convening. It needs to form a central component to the running of the business. The CISO should have a seat on the board and be present throughout the entirety of any discussions or proceedings.

We must change our perception of cybersecurity, repositioning the CISO’s role not just as a necessary advisor for cyber security-related issues, but as a critical advisor to the organisation. They must form an integral part of the safe and successful operation of organisations and their decisions.

Five years ago, a surprising 74% of executive boards did not consider the CISO’s role to be important enough for the board. In fact, more than 60% believed that it would fail in other non-security related functions.

Fortunately, these views are changing within organisations thanks to greater professional visibility of the CISO’s role. According to a recent study on the topic, 68% of executive boards have recognised that cyber security is a growing issue of importance and 77% consider the CISO to be of increasing influence within their company’s structure.

The pandemic has created a before-and-after situation for boards, with CISOs now forming a central role in their functioning when compared with before. The fact that there is greater emphasis on cybersecurity does not necessarily indicate that management hierarchy structures within organisations have changed: 62% of Fortune 500 companies have an employee who is a CISO, but only 4% have given the role leadership capabilities.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should resources be prioritised and allocated to achieve and maintain effective cyber resilience?

An organisation must undertake risk evaluations, develop security plans and incident responses, provide employees with the resources and the know-how, implement security measures, undergo simulations and tests, and consider external expert opinion.

INCIBE-CERT is one of the reference incident response teams that coordinates with the rest of the national and international teams to improve efficiency in the fight against crimes involving networks and information systems, reducing their effects on public security.

INCIBE-CERT’s team managed 118,820 incidents in 2022. That’s an increase of 9% on the previous year’s figures. From this year’s total figure, more than 110,100 incidents affected citizens and companies, 546 affected strategic operators (broken down by percentages in each sector: Energy 30.4%, Finance and Tax System 25.3%, Water 17.2%, Transport 17.2%) and almost 8,000 incidents affected the Spanish Academic and Research Network (RedIRIS).

In terms of resource allocation, it is important to prioritise according to the risk assessment and allocate adequate funds for different security measures.

In your opinion, what’s the most overrated trend and/or technology on the market for cybersecurity and why?

The cybersecurity world is full of emerging technology and has the potential to transform the way we live, work, and learn. In terms of overrated cybersecurity technology, there is not a single answer. However, some experts think that biometric authentication technology is overrated in cybersecurity.

Another trend that has also been making waves is the “next-generation security solution” or “silver bullet” concept, which promises to be the ultimate solution to all security challenges.

The reality is that cybersecurity is a layered approach that requires a combination of technical, policy and awareness measures. There is no single magic bullet that can guarantee total protection against cyber-attacks.

While most business leaders are more aware of their organisation’s cyber issues than ever before, would you say that achieving a management consensus on how best to address cyber risks remains a challenge?

Totally. Getting a consensus on how to properly manage cyber risks is still a challenge for many organisations. Fortunately, however, we can count on the work carried out by different organisations, such as the Spanish National Cyber-Security Council, which aims to strengthen the coordination, collaboration and cooperation relations between state entities that work on cybersecurity issues. INCIBE has also been designated as the National Coordination Centre in Spain (NCC-ES) of the European Cybersecurity Competence Centre (ECCC).

Recent cyber threats have tended to focus on disrupting businesses and damaging reputations. Has this been your experience and, if so, how has it affected the organisation?

Cyber threats can have a great impact on organisations. They can disrupt operations, lead to fines and lawsuits and to the loss of assets and business, and have negative effects on finances and reputation so significant that they can impact even the most developed organisations.

The continuous advance of technologies has meant that responsible agents for threats have increased the sophistication of their attacks and their tools, giving rise to an increasingly hostile cyberspace. This forces organisations to have the latest technical means to be able to deal with attacks and their possible impact, as well as to adopt proactive security policies to mitigate them.

In order to protect themselves from cyber-attacks, it is important for organisations to implement the necessary measures to guarantee system and information security. INCIBE counts on different tools, notably the “Cyberthreats against Business Environments” guide, which sets out clearly and with examples how to identify cyberthreats and what to do when they occur.

Merging new technology with an organisation’s existing IT systems is a complex task. What are the key elements needed to balance the value of new technology with the potential for increased cyber risk that comes with it?

It is necessary to undergo a full evaluation of the risks, plan strategic installation of the technology, train staff on how to use the new systems and establish solid security controls. By addressing these key elements, organisations can minimise cyber risks while leveraging the emerging technology’s benefits in their digital environment.

Amongst many things, CISOs are faced with a shortage of talent and staff retention rates in cyber security. What do you think CISOs should do to identify and develop a diverse talent pool to meet an organisation’s needs?

There is a growing demand for cybersecurity professionals. In Spain alone, the number of cybersecurity positions available will be over 83,000 in 2024 (up from 63,191 in 2021), according to the “Analysis and Diagnosis of Cybersecurity Talent in Spain” study conducted by INCIBE along with the National Observatory of Technology and Society (ONTSI).

CISOs can promote an inclusive culture, provide opportunities for growth and development, encourage collaboration and diversity of ideas, establish external partnerships, and re-evaluate hiring requirements.

According to various studies, cyber security professionals would prefer to work from home. Do you think that WFH is a blessing or a curse for CISOs?

Some organisations are turning to “work from home” models with the idea of making it easier to combine work and family life by inviting their employees to work from home, either full time or some hours/days per week. From my point of view, I consider the best option to be somewhere in the middle. An organisation should allow their employees to work two or three days a week from home.

And although it seems like a fabulous idea, working from home can also be inconvenient, for example: less human interaction, loss of corporate values, distractions… and not being able to disconnect. Although at first there are those who think that people work less at home because there is no constant supervision, the reality is the opposite. People tend to work more hours and have less of a fixed schedule.