According to a Gartner study, only 12% of Chief Information Security Officers (CISOs), the executives responsible for digital security, stand out in all four categories of the CISO Effectiveness Index, which Gartner created to assess the performance of information security directors. The survey was conducted in January 2020 with the participation of 129 executives from different countries who work in risk functions in companies from various sectors. The study indicates that the effectiveness of these professionals is determined from four categories: functional leadership, ability to deliver information security services, governance and responsiveness. The scores for each executive were added to calculate their overall effectiveness score. Gartner defines as “effective CISOs” those who scored better than other professionals.
In the opinion of Thiago Branquinho, CTO of TI Safe, the Gartner research draws attention to the need for leadership to adopt a cybersecurity strategy based on awareness, controls and processes. “Awareness goes beyond the initial understanding of what cybersecurity is. It is necessary to deepen the knowledge about the threats that can exploit the vulnerabilities of the infrastructure to, from then on, have the real visibility on the risks related to industrial processes. This requires effective internal communication about risks, in order to alert people about their existence and about their respective responsibilities in relation to risks,” evaluates Thiago.
According to Gartner, a clear trend among the best performers is a high level of proactivity, whether in keeping up with evolving threats, communicating emerging risks to stakeholders or having a formal succession plan. This is exactly the point of reflection for the TI Safe CTO. For him, in addition to being understood as a continuous process of constant improvement, cybersecurity in an industrial environment must be, above all, collaborative and participatory. “Based on awareness, it is possible to define the appropriate controls to protect the process, based on the impacts/costs of the controls. Finally, once the controls are in place, it is necessary to structure processes that will keep the environment safe, such as, for example, incident response, continuity plans and continuous improvement of security solutions,” he details.
For Thiago Branquinho, specific security training can offer CISOs a view on threats, vulnerabilities, risks and controls, allowing the manager to anticipate actions in a structured way. “There is no single path to develop competencies in the four categories used by Gartner (functional leadership; security delivery capabilities; governance; corporate responsiveness). These capabilities are matured over time,” he says, and adds: “In TI Safe training, for example, general aspects are covered, from governance to security controls for Industry 4.0, serving as a reference for managers and technicians in critical infrastructures.”
Other training courses that deepen knowledge in the area can be obtained from regulatory bodies such as ISA and IEC, and are also offered by technology suppliers such as Siemens, ABB and Palo Alto Networks. There are also short courses and undergraduate and graduate programs offered by management schools.
In TI Safe's view, achieving safety excellence requires intense preparation work, which is based on training.
Profile of an efficient cybersecurity professional
TI Safe mapped the fundamental characteristics for the effectiveness of a security team. According to the company, these professionals need to be able to:
- Identify laws, rules and contracts and translate them into internal policies;
- Identify non-conformities, analyze risks and plan security countermeasures;
- Establish and configure security controls for networks, computers and systems;
- Plan and establish a zero trust network architecture;
- Establish a communication channel with suppliers of automation systems to improve cybersecurity;
- Monitor and constantly improve security controls;
- Respond to incidents and manage security crises.
To learn more about the training offered by TI Safe, visit Academia.