At .conf+ I had the chance to speak with Sergio Gonzalez, CISO at Soriana, one of Mexico’s largest grocery chains. We chatted about his career path in cybersecurity, observations on the current threat landscape, the importance of regularly dialoguing with the C-suite and how security leaders can build impactful teams. Our conversation has been edited for clarity and length.
How did you become a security leader?
I started 20 years ago, and I came to love cybersecurity when I started to understand its scope — how it encompassed all areas of the company, from IT to physical security to human resources. Something I’ve particularly enjoyed in my line of work is figuring out how security can be an enabler of all aspects of the business.
What do you think are the biggest challenges that CISOs and security directors today face?
For CISOs, the challenge is keeping up with business needs, new trends and technologies so that all parts of the organization remain secure as we advance in our digital transformation. A lot of times CISOs are seen as project blockers, but CISOs should actually be involved from the beginning on projects and initiatives. That way they can generate a roadmap of cybersecurity that will make sure best practices are enforced across business decisions. For many CISOs, me included, often the business will forge ahead without involving us, and potentially take actions that weaken its security posture.
As a CISO, I’m involved in board-level conversations, understanding where the business as a whole is headed, and then helping them achieve their digital transformation goals while maintaining a robust security posture, remaining compliant and mitigating cyber risks.
Speaking of risks, as a CISO we have to understand risk. Not just the cybersecurity risks out there, but also what the company’s risk appetite is. Risk is part of any project and process, but to what extent can the company incur risk? And the thing about risks is that we have to measure, mitigate and monitor them. Being able to manage that while communicating regularly with the C-suite about the risks at hand is tough, because there’s not always an existing governance culture, especially in smaller companies.
What’s something you wish you knew earlier about effectively communicating with C-level leaders?
It’s a priority for me to have conversations with senior leaders where I talk about security in a nontechnical way and explain how it can support the business. Wherever I’ve started a new role, I’ve asked directors to give me 15 minutes of their time to meet and talk. It’s important to be prepared to explain security’s value at not only a technical level, but also from a financial and business standpoint. For instance, how cybersecurity matters for the bottom line and brand of the organization.
Once I finish conversations with directors and senior executives, I make a three- or five-year cybersecurity roadmap. This helps these leaders see that there’s a vision and direction to what we’re doing, the exact steps we’re going to take to protect the organization, the risks we’re going to assume, the risks we’re going to mitigate, and above all, the what kind of investment and budget is needed to accomplish it. Outlining this roadmap bolsters trust and helps C-level executives understand that the security team has strategic direction.
When I started at Soriana, it took me three months to meet with all the directors, understand the environment, and craft a roadmap for the next three years. After I created it, every three months I’d meet with the board of directors and inform them on progress and the changes we’ve made along the way. For many CISOs, we’re very technical, and often we don’t know how to talk about things like budget. But it’s crucial to understand and articulate the financial aspect; I pay attention to the annual financial report, which contains a lot of information about the company’s direction.
Is there anything that has surprised you this year about the threat landscape?
Something that’s been interesting is the combination of attack specialization and lack of internal security awareness that can pose an especially impactful risk. One hand, we’re seeing attacks that are more sophisticated, and attackers that may know your environment even better than your own staff. As a retailer with so many transaction points, our financial systems get targeted a lot. We’ve found patterns and alerts that are very specialized and suggest that attackers are colluding with internal personnel and contacting them directly. Internal threats are especially challenging because they’re hard to detect. For our organization, we’ve invested more into security awareness and education in response, and that has helped mitigate this risk.
Lastly, do you have any tips for CISOs on building effective teams?
Something that has worked for me is making sure that everyone on the team I’m building really loves cybersecurity. So the first thing I do is check with them if they are really in cybersecurity because they like it. I've had cases where people are there because they were server administrators, or were unwillingly moved to the team from a re-org. Though they were in security, they were not passionate about it. Even if you have a very good vision of cyber security, you won't be able to execute it unless your team is passionate.
Finally, you have to have consistent leadership, and your team has to trust you. The way you handle yourself is the way your team handles itself. You have to be consistent with your responsibilities, with your knowledge, and your team can do extraordinary things that the whole organization can appreciate.
Sergio Gonzalez has more than 15 years of experience in corporate governance and IT. He’s managed technological-strategic compliance projects in the food, manufacturing, publishing, mining and financial sectors in Mexico.
