17 April 2020

Cybersecurity management must be transversal, in Jornal Económico

Companies should consider that their computer security depends on several actors, both internal and external.

Cyber risk management is the process of identifying, analyzing, evaluating, and addressing cyber threats within an organization. The cycle also involves monitoring and prioritizing these risks, but the first task of company executives must be to assess them, since that is what lets them understand the severity of the dangers and which ones can, in fact, compromise the security of their IT systems.

José Casinha, Chief Information Security Officer at OutSystems, argues that the best approach is to build on international standards, such as ISO 27001 or the NIST Cyber Security Framework, and establish a methodology and strategy for each risk: accept it and mitigate it ("reduce the risk to an acceptable level"), transfer it ("take out insurance, for example") or avoid it ("stop doing some tasks if the risk is high").

The question remains whether this cyber risk management should be centralized in the company or distributed among those who develop the software and those who produce or supply the hardware, or even transferred entirely to insurance companies or consultants.

"It is one of the oldest questions in technology. Do I suffer more risks if it is technology from many suppliers (which, then, I have to integrate) or from a single one (which is integrated)? There are many different answers. It is essential to test implementations and stay tuned to the security information of the suppliers whose technologies are chosen", Jonathan Sowler, Vice President of Engineering at Unbabel, suggests to Jornal Económico. Specifically for this health and economic crisis, Jonathan argues that the same pre-pandemic procedures should remain in place, not least because these methods should already be virus-proof. "Security systems should never rely on a single individual, but team members trained to perform the duties if another is available", he says.

Both Diogo Mendonça, Director of Operations at Bee Engineering, and Bruno Rodrigues, Cybersecurity specialist at Noesis, advocate a transversal approach that includes all stakeholders in order to reduce exposure to danger, taking into account that today's IT landscape is complex, distributed and involves third parties.

"Involving the end user will only have practical results from the point of view of 'prior' to prevention. And mitigating a vulnerability that originates in the hardware later entails high costs", adds António Ribeiro, Cybersecurity Manager at Claranet.

However, a transversal management approach does not mean a separate approach for each of the stakeholders.

*Published in Jornal Económico.