Isabel María Gómez González - The Secret Keys for the New Age of the CISO

We will still have two keynotes before the break. And these will be real life reports of chief information security officers. The first one is going to be from Bel Maria goeth Gonzalez from a Spanish bank. Thank you.
Thank you.
Good afternoon. Okay. Just let me take a look at the audience because I really want to identify what is on your mind. Maybe in Germany will be, could be different, but if we were in Spain, all my, my colleagues has this on the mind. Of course, we are here for speaking about security, information, security governance, and all the things that you can imagine. In my case when my marketing department or my business areas has a new idea, I look at this landscape and I start thinking, okay, where is the danger I need to climb to the top. I can see water. I can see trees. There's no grass, but I'm sure that the danger is there. Of course, I need to protect my business. Our typical environment's this, you need to make decision as quickly as you can. And of course we have new threats, new regulations, new partners. I'm thinking about cloud services, new providers, new data protections, not protections rules that I ask to follow, but of course, this is how I feel day by day, what is going to be the next things that make that my executive board going crazy. In my case, I was thinking about how can I resolve all my problems. Maybe the theme that I can do is expanding millions of aerials buying several hardware and software. And this is what my executive board thinks about my idea.
Well, I have more ideas. And in the next idea, I think, okay, I'm going to spend million of heroes in consultant services, as you can imagine, the reaction of the consultant services was okay, let's party, but I must remember the variation of my executive board. So, okay. We have problems again, and we need to think about another thing and we choose the last option. And the last option was developing my own security model, transforming myself in unable. And of course changed my hub as mass as I can. My first reaction was this. I have man out, but as you can imagine, I was afraid because it was new. My second bar, look at myself and say, okay, this is your idea. Let's do it. But if it doesn't works, lady, you have a problem. Well, I trust my medicals so I can do, I can develop my own methodology and protect my business. My business looks more or less like this in the top. You can see the executive bar. You can see on a stroke perimeter, we are going to protect the cloud services and the rest of the things. But this is a mess. It's not a typical house.
It's a mess.
Okay? What is my playground? Looking all around the world? Ima said that all people has devices to connect themself in every time everywhere. And of course they have another threat in my vision. In my opinion, one tweet can rule your world. And in this case, you can lose the trust of your clients and at least at your providers with only one Twitter that starts growing and UN growing, of course you can see YouTube. And of course you can see more things on Facebook. My reputation is important. It's very important nowadays because my business depends of the trust of the, the clients. I don't know if you know, but we are the fourth largest bank on Spain in Spain, in Spain. Sorry, but the worst threat that I have right now is this. After Christmas, my executive bar has a new device, a new toy that I must protect because the confidential, the confidentiality and the secrets are inside those disposals. And I need to protect it. And after Christmas, if only one member of my executive board has a new device, the rest of the members wants one. So in this situation, I start create, I develop my own risk methodology.
As you can see, we are connected to the operational risk of my company. We can identify how many money are we losing for a threat? And of course
We
Are measure the reputation of my company in this moment. It's possible that you say that, okay, it's not possible, but yes you can. I not a magician. And this is how it works. This is the way that we are working right now. We are connecting with several information systems in the company and we work so hard. Two seconds more for taking a picture, okay, next, put a lawyer in your life. I know, I know a lawyer, all my family are lawyers. Judge. I'm the only engineer in the family. So I know we're there, but they can help you, especially when you are trying to developed systems and transform your business, your traditional bank services into the new area. Speaking about the cloud services after parties, in my opinion, you need to create an information security, annex and included in the contract. This is mine. If someone of you wants to see it or wants it, please, after the presentation, I will give it to you. And this is the rules for the people who are working with my information in the last presentation that say, okay, we are speaking about the trust. Yes, it's about the trust, but it's also about the trust that my company is going to be protected from the insiders
Cyber security. This is my model of cyber security. I know there is a lot of information, but as you can see, I have benchmark. I have threats. I have incidents. I have risks from the operational risks to the corporate risks. All of them are included. I'm also thinking in regulations. I also thinking in all the rules of legislations, I'm thinking about the physical security and also thinking about the awareness. And of course about the future of the services in my vision, the CSO is one person who fill the blanks. The business is going to continue, but you need to protect them to take land or landing in the very way we need to transform ourself into and enable. And it means that we need to learn different language in the past. When we are speaking, when we were speaking or when spoke about Rick's, we said, I have a threat, please buy me two rooters and one firework, but nowaday, the language has changed. And when I have a threat, I said, this threat cool, make that we lost 3% of million euros of the project. Do you want to protect it? Or do you want to look to the side? It's your decision. I'm here to resolve your problems.
Networking. It's important. It's very important for the CSOs. I was working with the a FBA last year because we are trying to recover or, or take back the money that some people, a group of people has still from, has stolen from my bank. And in this case, the networking was the most important part because without the help of the other thesis, I can return the money to my bank, the CISO, I, I dunno, but in the past, for example, when you're speaking with my marketing department, they say, Hey honey, we are making money and you are losing money. Nowadays. We are making money because protect the business. And we can do that. The transfers of the money come back to the bank. So networking is very important. We are together. We are a huge strength for protecting us from the regulators, thinking about it. And the other part is we need to understand what is on the mind of the people who is working for us. It's very important to know to what is in their mind, because sometimes an stop is not an stop. They don't understand what we are doing. If it's simple, better for us.
And of course, every day you must change your heart. Why? Because in our change, we have all those different hats on our head. We need to speak all these different language. And of course, we need to deal with them looking into the future. Okay. After the last presentation, I don't know if I can look into the future, but I'm sure that the most important lesson that I have learned it's that impossible is nothing. There is nothing that we can do. And of course they are CISO. The world is on your hands. You are ready to be part of the executive board, you know, the business, you know, everything that it's inside on your companies. And of course I have more secrets and maybe I could share it, but as you can imagine, I know how to keep these secrets. So thank you very much for your attention,
Isabelle. Thank you. That was perfect. You saved us a few minutes. There are some questions I think I've seen right. There you go. You can look at here as well.
How do you manage short term change on the risk landscapes through vulnerabilities? Okay. I have an intelligence systems that can identify in real time. What has happened in my company. They are, they, this system is connected to the information systems all around the company, including cloud services, and I can identify different, different weight of acting. And of course I have a huge and an amazing intelligence team that can identify something is a threat or not.
Next question.
How do you get from the CEO? Can you show what? See for the CEO? Okay. My co it's a hard worker and, and of course it's a person who, who, who wants to get in contact of the business on the, on the security. So he trusts on me and he trusts on the information on, in the data. So this is the, the best way for have an opinion and share knowledge with your here.
Okay. And I think the last question that just disappeared was added there. How many people are in your team voted three
Times. Okay. We are a group I have more than 20 companies to protect. And one of them has more than 20,000 employees. So I have a, a huge team as you can imagine, more than 100 people.
Okay. Okay. Thank you very much.
Thank you very much.
Thank you. Thank you.