Cybersecurity: building a culture of protection

The need for best practices in cybersecurity and data protection, and the ideal approach to implementing them, were at the core of an event recently promoted by the M&A Community.

At the event, four experts from different corporations spoke on ways to strengthen information security, data protection, and governance in order to avoid cybercrime and fraud, which have grown exponentially in recent years.

The renowned specialists also addressed the corporate capacity to detect, respond to, and recover from such occurrences. They provided tips on avoiding mistakes and making the proper data protection and privacy decisions.

Participants:

· Alexandre Ibrahim, Banco BV Risk Executive Director

· Daniel Beltran Motta, Eletrobrás DPO

· Márcia Tosta, Petrobrás Information Security Officer

· Marcos Sêmola, Ernst & Young (E&Y) Cybersecurity Consultancy Services partner

Why are companies more sensitive to cyber-attacks today, and what are the main risks?

With the world’s digitalization and higher dependence on technological asset transactions, the volume and sophistication of cyber attacks have also grown significantly. “The pandemic accelerated the digital transformation of businesses, which are increasingly tied to digital technology and information to produce wealth today. Thus, companies became more sensitive to the damages caused to digital assets, and the result is that there was, simultaneously, an escalation of volumes of crimes committed by organized groups, which has demanded more investments and attention from companies to fight these violations and mitigate the risks generated,” states Marcos Sêmola, from E&Y.

With broad experience in the fight against risks and fraud, Alexandre Ibrahim emphasized that, though the financial sector is highly regulated by the Central Bank and the Basel Accords, it has also felt the impacts of this new reality. “We seek to follow a framework, with mapping of all risks, which includes processes of identification and assessment of each risk to measure management needs,” he says. According to him, there are clearly risks for which it is hard to find quantifiable KPIs (Key Performance Indicators). Still, today there are criteria that enable measuring operational and reputational risks per product and per area to estimate effective or practical losses in each occurrence.

Sêmola added that today’s challenge is multifaceted, with different types of risks and specificities that facilitate or hinder their detection, classification, follow-up, and response. “These characteristics make it even harder for risk and cybersecurity managers to present to administrative councils the impacts of these risks, in the short, medium, and long term, for them to understand and make suitable decisions to mitigate their effects in the management of companies,” explains the E&Y partner.

What are the challenges to informing administrative councils of the risks that impact or may come to impact the company’s business and help them in decision making?   

For Márcia Tosta, the information security work must be advisory and drive the business, not only make it feasible. Therefore, it is an area that must understand the company’s business, its future expectations, and its risk appetite. “The big challenge when a security professional joins a company that does not have security as core business, as in the case of Petrobrás, is to show the relevance of security to the business, its consistency, and continuity. That is, learn to speak the language of the company board so that they can see security as an aggregating factor for the business”, says the Petrobrás CISO.

Security areas must be well structured in the company and go hand in hand with the other areas of the company, including in all conceptions and prospects. “This is fundamental because costs become very high if the concept of Security by Design is not adopted, which includes security at the start of all projects. After all, correcting conceptual or architectural security mistakes with projects in the process is much more complicated and expensive”, explained Márcia.

In a scenario of major digital transformations, where new technologies emerge all the time and new vulnerabilities are constantly found, the company must always be updating and adapting its internal processes. This means that companies must avoid becoming rigid in their operations or in the creation of new businesses while, at the same time, keeping an efficient security ecosystem (processes, people, and technology) that the other areas call on whenever there is a new business opportunity or a new project. “The great changes in Petrobrás occurred because the security area started to speak the language of the business. The world changed, and we must adapt by giving due importance to the area inside the whole corporate context. In other words, we understand the company’s risk appetite, the best way to communicate with leaders and structure a good ecosystem,” remarked the Petrobrás director.

Sêmola commented that the desire to show the value of security to the business is not new. However, it emerged some years ago, at the wrong time, when cybersecurity problems were not directly reflected in the business. “Today, the moment is perfect because the Administrative Council and C-Level are much more aware of cyber risks and their consequences for the operations, finances, and reputation of companies,” added the E&Y partner.

What is the importance of data protection and privacy in the security ecosystem?

In information security, data protection and privacy are a fundamental aspect today because they ensure compliance with the General Data Protection Act (LGPD), a new law that still needs time in force to generate case law, while the National Data Protection Authority (ANPD) is still refining and regulating its requirements.

“It’s important to understand that the movement to adapt to LGPD warned companies of the relevance of information security for their businesses. That is because accountability on data collection, storage, analysis, and processing increased, not only corporate data but personal data as well; and the understanding of the risks involved in these processes has also expanded,” said Daniel Motta.

In the case of Eletrobrás, according to Motta, there was already structured work on information security in the compliance area, based on GDPR and its case law, in addition to data protection laws from other countries. Since the company already had a mature structure, it was not necessary to rebuild the security ecosystem or run a specific LGPD project. It was only necessary to follow the existing path, which already includes constant assessments to ensure continuous improvement. “In short, we fitted in our risk assessment matrix those referring to privacy, as well as their reputational and financial impacts, in terms of the sanctions provided in the LGPD, to reduce to the maximum eventual calls from ANPD or due to other legislations in force,” explained the Eletrobrás DPO.

Motta said that Eletrobrás added only the management of privacy risks to data subjects (holders), which contributes a lot to reducing corporate risks. “Our challenge was to explain this specific need to the board and show the relevance of communicating rules of personal data management to all managers of the company,” he added. Another essential measure at Eletrobrás was the inclusion of the DPO in the company’s entire workflow, with the promotion of events and mandatory training on data protection and privacy in all areas.

Sêmola also commented on Eletrobrás’s adoption of the NIST framework, which organizes controls into five different functions: risk identification, asset protection, detection of ongoing risk, response to a materialized risk, and damage recovery. “Earlier, 20 years ago, only the first two functions of NIST were observed because, theoretically, they were sufficient to stop the risk at the start. Today, with the investment and destructive capacity of cybercriminal groups, it is essential to observe the five functions to minimize risks to the business,” he emphasized.

How can risk management, information security, and data protection areas work jointly in favor of the organization?

“To do a good job as DPO, I need to have access to risk and cybersecurity reports, sponsorship for communication, and constant monitoring of data protection and privacy risks. That is because, with these resources, we can draw the attention and win the support of the business areas to be more effective in our work, and better report to the board and administrative council,” said Motta.

Ibrahim agreed that communication with the other areas and the involvement of the organization’s board are essential for risk management processes to work. “We classify relevant risk under three aspects: financial, regulatory, which includes LGPD, and perspective, where cybersecurity was always relevant, and with the pandemic became even more relevant,” said the BV director. For him, this recognition makes it indispensable to know how to appropriately communicate risks to the top management, their volatile aspect, and the company’s vulnerabilities. That is, in addition to technical capacity, the CISO must be a good communicator of his/her analyses and of the measures to be taken for mitigation.

To give board members a more comprehensive and complete view of the need to invest in security, it is first necessary to get closer to the company’s risk management area to understand how risk identification, measurement, and classification are done. The second step is to know how to communicate using the language of the business areas to obtain a seat on the organization’s risk committee and then address subjects of the other sectors and contribute to the safety of all. The third step is to develop a routine of meeting with the different areas to convey the relevance of risks in each project clearly and objectively. “Inside a company, each area sees its business from its point of view, and you must understand that to efficiently communicate with them all, that is, be involved and present in all areas,” added Márcia.

The Petrobrás executive reinforced that the technology area must apply the controls defined as necessary, whether for application security or data privacy. For this reason, IT must implement, execute and operate all security and privacy guidelines. The security area, in turn, must verify that they are applied and see on a dashboard where problems occur, in order to correctly prioritize the decisions to be made. “The secret is to work together, synergically, to meet and even anticipate the organization’s needs and expectations,” says the Petrobrás executive. Sêmola concludes that “information security must be aligned with the company’s purpose.”

What is the relevance of “Security by Design” and “Privacy by Design”?

The idea is that all companies adopt these two concepts in all their processes and apply them from the beginning of any project. “It is very important to include these concepts in the onboarding and collaborators integration program of the company so that they will be informed and trained since the moment of admission, requiring even a test and a given score to receive their credentials,” says Márcia.

Ibrahim confirms that they are essential for the safety of companies and should be absorbed by all talents of the company, who need to be guided to keep on practicing them in all actions inside the company. “Companies very often keep the focus on ‘Security by Design,’ placing it in systems, but the right thing to do would be to include it in all the company’s routines and processes, in the daily routine of professionals,” remarks Motta, from Eletrobrás.

Summary

· With the world’s digitalization and higher dependence on technological asset transactions, the volume and sophistication of cyber attacks have also grown significantly.

· It is mandatory to prioritize the most valuable assets. To respond to the damages caused to digital assets, companies must adopt and constantly update their risk mapping, including processes of identification and assessment of each risk to escalate the management needs.

· The information security work must be advisory and should drive the business, not only make it feasible. Therefore, it is an area that must understand the company’s business, its future expectations, and its risk appetite; there is a need for a business connection.

· Today, the Administrative Council and C-Level are much more aware of cyber risks and their consequences for the operations, finances, and reputation of companies. The CISO plays an important role as the glue between the executive and the IT departments.

· The entry into force of LGPD reinforced the relevance of information security to the business because accountability for data collection, storage, analysis, and processing increased, not only for corporate data but for personal data as well, and the understanding of the risks involved in these processes has also expanded.

· Risk managers, CISOs, and DPOs must be involved in the companies’ business areas to be more effective. It is indispensable to know how to communicate appropriately with the top management.

· “Security by Design” and “Privacy by Design” concepts must be adopted today in all processes and from the beginning of any project.