Expert Insights: Leading the Cybersecurity Charge – Perspectives from a Top 50 CSO, Marco Túlio Moraes
CISOs are responsible for designing and deploying the security technology architecture and for interacting with executives on a daily basis. In an age where many regulatory compliance regimes are mandatory and technology is advancing faster than anyone imagined, CISOs are expected to go above and beyond, leading security teams in every enterprise to success. From policy development, governance, and compliance reporting to board meetings, shaping the cyber risk culture of the business, and prioritizing budget allocations according to business objectives, it is a career that is challenging and fulfilling but not easy. Today, we have the honor of hosting our esteemed guest, Marco Túlio Moraes, a highly acclaimed CSO, who joins us to shed light on the life of a CISO and more.
Let’s dive into the questions.
1. What is the one key trait every CISO must have that, based on your interactions with other CISOs, you find is sometimes lacking today?
Security executives are well prepared to face the technical challenge of the job but need to improve their management skills, such as strategic thinking, leadership, and coaching. Leadership is vital, mainly now, when we see mental health issues and a lack of talent in our industry. Besides, given the strategic cybersecurity value at organizations, Cyber Executives must be able to lead the role as a Business function and to prepare their team to take a new approach on this journey. It requires coaching and leading technical teams to transform them into business partners, risk advisors, and cultural change agents. They must prepare leaders to train more and more leaders for this mission. It takes work.
2. What were some of your critical career decisions toward becoming a security executive for a Fortune 500 company? What was the turning point or catalyst?
My first turning point to becoming a leader was when I was required to work as a manager and lead a security program, leading budget, people, operations, strategy, and third parties. Still, I was a very young and shy technical specialist with no management preparation, poor communication capabilities, and many other soft skills gaps. To make things worse, I faced some critical life changes that made things a bit harder.
Doing an MBA to get trained in management skills, a theater course to enhance communication skills and better deal with shyness, and a coaching process to work on my soft skills gap were some of the initiatives I took to enable my transformational journey as a manager and business leader.
3. Which are the top 3 cybersecurity books you recommend for cybersecurity professionals transitioning to managing and leadership positions?
Three books helped me understand the other aspects of being a security manager. The first one is “CISO Leadership – Essential Principles for Success” from 2007, which speaks about business alignment, security as a business function, leadership, organizational culture, and Governance. It helps you understand how to position the security function to provide value to organizations strategically.
Peter Drucker’s book “The Effective Executive in Action: A Journal for Getting the Right Things Done” provides practical reflections and actions that helped me with management practices.
The third one, “The Other Kind of Smart”, guided me in understanding emotional intelligence and how to leverage this critical component as a professional, peer, and manager.
4. What message from your professional career journey would you like to share with cybersecurity enthusiasts as a recipient of the honor of being in the top 50 CSOs by IDG?
We face, as security professionals, a challenging journey of ecosystem education, fixing technical debt, and deploying solutions to protect against very structured and advanced cyber-threat actors while managing crises and cyber-attack events. In general, there are many high risks, and we want to fix all of them immediately. Dealing with this challenge considering this mindset is stressful and unsustainable in the long term. This critical understanding is essential to not be frustrated, overwhelmed, get sick, or worse, cause all of that to your team.
Some of the awards that my team and I earned resulted from a complex and intense job that brought value to the companies I worked for, which I’m very proud of. On the other side, we could better manage expectations and the rush for some of the programs I led, creating a better rhythm and a more enjoyable walk. Security is a journey that takes time and many strategies to accept that your organization may not be prepared to absorb some of the stakeholders’ expectations, including ours. Driving the focus for that moment is necessary to make things sustainable in multiple aspects.
5. Given the global scope of your profile at work, what are some of the best practices in the LATAM region that can be applied globally in improving cybersecurity defense?
We have good competencies on the mission to protect organizations against fraudsters. Due to the fraudsters’ skills in the region, good companies are providing world-class cybersecurity services and all sorts of technologies that help companies be better protected against them, such as cyber-threat intelligence services and biometrics solutions.
Ethical hacking services, for example, have been doing a fantastic job of testing application business logic and simulating fraudsters’ behaviors. The security community is also committed to helping each other, sharing information, and collaborating. It is a cat-and-mouse game, of course, but there are a lot of good practices we can share.
6. What are the top cyber risks organizations are failing to address but facing in the 21st century?
The lack of capability to deal with the technical debt, where everything is built without security from the beginning. This snowball grows when emerging technologies and innovation bring more risks to the organization, such as AI/ML, IoT, Cloud, and Big Data.
Other relevant business risks are third-party and digital supply chain cyber-risks. Organizations have been transferring their operations and data to external business partners and need to know the cyber risk they accept when doing that.
7. We have seen a trend of CISOs taking a seat in the Boardroom. You have made this move as well. What were your steps to achieve this, and what benefits can CISOs bring to Board Members?
When I moved to a digital company some years ago, I realized that my profession needed to be more prepared to be a digital business enabler, moving from a “sheriff” mindset.
I started a transformational journey to become a much more business-centric executive. Through coaching, business mentoring, and Corporate Governance preparation, I had the chance to be an executive director and a board advisor, where I spoke about business strategy, risks and technology, and cybersecurity.
CISOs can be an excellent asset for the Boardroom. We bring technology, product, cyber, GRC, and digital risk competencies to the table. I have seen many security professionals being board members for digital companies while acting as executives in their companies. It is a strategy that brings a win-win situation for companies and executives.
8. How do you juggle family time as a CISO?
Being present. I spend quality time with my family by being really present. I’m there when cooking with my daughter, reading, singing, or in a park. The same with my wife: I’m entirely present. I also love participating in the family routine, putting her to sleep, preparing her for school, and giving us time to play and talk about something. We are now living in a special moment with a new baby coming, and I try to participate in every phase of this moment.
The role of a CISO at organizations is usually stressful, but we always need to invest in the things we value, and it is not zero or one.
Most organizations on their digital transformation journey need to keep up with the speed of emerging technologies. It is a process of continuous learning, innovation, refinement, and improvement, with security goals and milestones pivoting to adapt to changing events. As a result, the responsibility of a CISO is intricate, and their role can entail wearing multiple hats in the organization.
About the Author
Marco Túlio Moraes
Director, Chief Information Security Officer, Oiti