The digitization of companies, accelerated by the coronavirus crisis, has set off alarms among them because of the significant increase in cyber attacks and the growing consequences these have on their work. The problem no longer affects only large companies in the financial sector: any company can now suffer a cyber attack that wreaks havoc as significant as stopping production or activity, which could mean heavy losses for the company.
Hackers now have a larger attack surface and more sensitive areas to target: too many open doors to watch closely. This task falls to the director of information security, the CISO (Chief Information Security Officer). According to Capgemini’s Cybersecurity Director, Andrés de Benito, it is a role that is increasingly important and relevant in Spanish companies but, because of the very special characteristics and very specific knowledge it requires, one that is not always easy to fill.
Professionals are missing
This expert attributes it to two reasons. First, there are not enough professionals in the market, a huge problem considering that the need has arisen suddenly and, therefore, all companies have started looking for these professionals at the same time. The other reason is the profile of the worker. It must be a person who inspires confidence in the organization “so that it is understood that the work they do makes sense and, in addition, he must have enough vision to see where he is going and the new trends that cybersecurity generates. Cybercriminals are evolving their ways of attacking a company, so the CISO must try to go ahead to cover their organization.” Therefore, the manager of Cybersecurity of the National Institute of Cybersecurity of Spain (Incibe), Félix Barrio, considers it essential to promote the training on offer for this profession, since the demand for these profiles is greater than the supply: “We have a shortage of professionals in the cybersecurity sector that is very important.”
The same deficit is stressed by the Risk Advisory partner specialized in Cybersecurity at Deloitte, Eduardo Ferrero, who notes that if the shortage of professionals has already been identified as one of the main problems, “having trained professionals to act as CISOs is an even bigger challenge.”
Precisely because of how important and how critical a cyber attack can be for a company, De Benito believes that if a company has a high level of maturity, the CISO has to sit on the company’s board “without any doubt.” “If you have an impact on certain technological systems, you can absolutely knock out the functioning of the entire organization, so it is important that the CISO is able to deliver this message to the highest levels of the organization, so that it is listened to.” Likewise, De Benito considers that placing the CISO in a high position in the company is “a very relevant gesture and sign” that shows executives, shareholders and everyone around them “how seriously the company takes protection against cyber risks.”
However, the current Director of Information Security of Unicaja Banco, Eva Cristina Cañete, believes that what is advisable, whatever position the CISO occupies, “is that it has the ability to act with total independence from Technology and Business, as well as the existence of the necessary reporting channels according to the structure of the company in which they carry out their function.”
Even so, Cañete considers the CISO an “indispensable” figure for companies, and more so nowadays, since clients demand more and more services from the digital world. “Companies are obliged to provide them in order to better adapt to current circumstances, and that is where the CISO must play its role, generating the confidence necessary for customers to consume these services with the best possible guarantee,” she argues.
Hole in SMEs
But where this figure is found to be lacking is, above all, in small and medium-sized companies. According to data from Incibe, 75% of the more than 133,000 cybersecurity incidents it managed in 2020 involved SMEs. This can be a problem since all sectors are “interdependent” and an attack on a small supplier can end up affecting the large company it works with. “It has been shown that criminals take advantage of small suppliers to get to large organizations and paralyze large industries,” so, according to Barrio, it is “essential” that all sectors have well-managed cybersecurity through one person who is capable of “managing technological risk and identifying those dangers that may put business continuity at risk.” Therefore, Ferrero is clear: “We can discuss where to locate this figure within the company, but not about its convenience and need in companies.”