CIOReview
DECEMBER 2025

Regulation as well is playing a very important role in the cloud. To be compliant with the applicable laws in each country for data privacy and data protection could be challenging. For a consistent and solid data protection strategy, it is not enough to just define data security controls; we should define roles and functions for the people in the organization, and of course, this effort goes hand in hand with security awareness for everyone in the company.

Before your stint at Sempra Infraestructura, what are some of your experiences and notable takeaways that empowered you to improve cybersecurity in general and cloud security in particular?

Cybersecurity is not that different in many aspects of our life. For example, the first thing a doctor does in a health check is to start gathering relevant information. So, as a beginner, we need to know about risk and security and where we are in terms of it. It is an absolute necessity to perform assessments (internal and external) to get a deep understanding of where we should start to improve, where we want to go, and how fast we could go. Defining metrics is critical as well. Defining our key performance indicators and key risk indicators is going to set the direction where we should move, including the inner pace to improve and how near or close we are to where we want to be.

As an ending note, what is your advice for other senior leaders and CXOs working to strengthen the security of cloud technology and services?

Only what is measurable can be improved. It is critical to keep an eye on all the relevant metrics related to the risk exposure from the inherent activities of the business. And it would only work with people with a comprehensive understanding of risk management. I would say as well that "A chain is only as strong as its weakest link." So, unless you're providing continuous training and awareness in the organization for all the people, we could foster the security culture from a holistic approach. If this "link" fails, no matter how strong security controls are in place or how much the investment in technologies is being done. Every organization should have an identity and access management (IAM) strategy based on the user identity, access privileges, and authentication related to services in the cloud, including applications.

This article is based on an interview with CIOReview Latin America and Humberto Barreda.