As the CISO at Jack Henry™, Yonesy Núñez aims to promote and inculcate innovative information security and risk management strategies to protect organizational data, client information, and associated assets. He specializes in formulating and executing the company’s cybersecurity strategies to create a data-protected and transparent ecosystem for clients. Drawing on his extensive experience and in-depth expertise in the information security domain, Núñez positions himself as a leader in mitigating organizations’ internal and external IT risks. In addition, he directs information security functions and manages global implementation efforts to optimize system stability, functionality, and interoperability while ensuring compliance with established data security regulations.
According to you, what considerations should be taken to establish a successful cybersecurity program?
The success of any cybersecurity program depends heavily on leadership's ability to first develop a strong security-centric culture. A leader must help shape the organization to ensure the security team is independent: if they are beholden to other technology departments, they will likely struggle to highlight security issues.
On the other hand, security must not be seen as an impediment to the business, or this arrangement can become adversarial in nature, defeating the intended purpose. When the business inevitably comes to security seeking a "yes/no" approval on a proposal, security should always seek to safely enable the business. "How can we do this securely?" is a much more effective and respected response than simply "No".
With the right culture in place, your teams will feel empowered to objectively raise security issues without the sugar coating. They'll also have a healthy influence on the business who now respects security as an enabling force instead of an obstacle to overcome.
Beyond culture, your next area of focus should be the three pillars of business transformation: people, processes, and technology. Each of these pillars is critical, and they must be balanced to establish a successful security program.
First things first, you need the right staff to defend the enterprise. Talented security professionals are in high-demand, and this can make staffing challenging. One opportunity for relief is to ensure you have adequate training and development resources available within your organization. With this foundation in place, it then becomes much easier to widen the lens on potential candidates as you can now cultivate premium security talent. The opportunities are tremendous for organizations that invest to level up junior staff and/or hire folks from non-traditional backgrounds.
Process is equally important in the formula for a successful cybersecurity program. Even if you have the right people, without processes, they'll have no clear idea what they are supposed to do. Ensure your security teams have clear processes that are tied to meaningful metrics. It is essential that every team member understands their role in contributing to the organization's larger objectives. Security teams thrive on solid, specific goals where progress is measured. You cannot build a program off a mantra like "stop hacks, eat snacks," because it is not enough direction.
Lastly, I'd be remiss if I didn't mention the technology aspect of a successful security program. Obviously, choosing the right technology stack is a critical piece of establishing a successful security program. However, all too often leaders jump straight to tools and expect them to be a panacea that solves all their problems. Without established people and processes, you'll be left careening in the wind while trying to grasp ahold of the latest shiny new technologies.
In contrast, when you have passionate people working together toward clearly defined objectives, choosing what security tools to implement becomes a much easier task. Then it's simply a matter of determining your immediate needs and looking for a suitable product. Or even better, taking advantage of a technology you already have and are underutilizing. The main question you should answer is, are we enabling our business securely?
As a CISO, what are some of the steps that you adopt to help organizations alleviate the challenges in the cybersecurity space?
There are so many challenges in the cybersecurity space that it can be daunting to know where to even begin. Two areas of focus that will serve you well as you set out on this journey are ensuring you are as resilient as possible to disruptive threats like ransomware and building a risk-based vulnerability management program.
Let's start with ransomware and resiliency. Years ago, ransomware was a relatively petty concern; the ransom demand was small, and the victims were indiscriminate. Today, organized crime groups are “big game hunting,” i.e., targeting large firms capable of paying a multi-million-dollar sum in exchange for a decryption key. Rather than locking up individual files, these gangs now target entire enterprise networks. The monetary damages associated with this type of business disruption can be enormous, even existential, for businesses.
Of course, the ideal scenario is to prevent having your network taken for ransom in the first place. Still, it happens to a company every 11 seconds. Being prepared to respond to and recover from a cyber emergency is at the heart of resiliency. The paradigm shift forces us to think beyond just defending the castle walls. Instead, we are forced to consider how we would thwart an attack at every step in the intrusion and even how we would resume operations if an attack were to succeed. A key first step is thinking about holistic resiliency to cyber threats, not just repelling the initial attack.
A second step I would implore you to take is to ensure your vulnerability management program is modernized. Numerous vulnerabilities are churned out daily, and patching anything and everything is typically not feasible for operations teams. Despite the deluge of disclosed bugs every year, only a small fraction of these vulnerabilities are ever weaponized and used in real-world attacks. A risk-based strategy for vulnerability management is essential to help you identify and prioritize the subset of vulnerabilities that will be used for cybercrime.
You can't effectively prioritize vulnerabilities if you don't know how they interact with your environment. For this reason, asset management is critical to vulnerability management. Knowing what software and hardware is deployed in your environment is key to a functional program. Determining if a bug is applicable to your enterprise will be a cakewalk if you simply know what products are running on your network and the components your enterprise applications are built from.
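The inventory-driven, risk-based prioritization described in this answer, as an added example that is not part of the interview and not Jack Henry's own tooling. The asset inventory, the vulnerability feed, the VULN-xxxx identifiers and the P1/P2/P3 bands are all constructed placeholders standing in for a CMDB export, a CVE/known-exploited feed and a team's own triage policy:

```python
"""Risk-based vulnerability prioritization driven by an asset inventory.

Added illustration, not production code. Every record below is constructed:
the inventory stands in for a CMDB export, the feed for a vulnerability
source that carries a known-exploited flag, and the VULN-xxxx ids are
placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool  # exposure raises the urgency of an applicable bug


@dataclass(frozen=True)
class Vuln:
    vuln_id: str           # placeholder identifier
    product: str
    fixed_in: str          # first version that is no longer affected
    cvss: float
    known_exploited: bool  # weaponized in real-world attacks


def parse_version(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """A bug applies only if the product is deployed and below the fixed version."""
    return (asset.product == vuln.product
            and parse_version(asset.version) < parse_version(vuln.fixed_in))


def priority(vuln: Vuln, exposed: bool) -> str:
    """Assumed triage scheme: exploitation evidence outranks raw CVSS score."""
    if vuln.known_exploited:
        return "P1" if exposed else "P2"
    if vuln.cvss >= 7.0:
        return "P2" if exposed else "P3"
    return "P3"


def prioritize(inventory, feed):
    """Return (priority, vuln_id, affected hosts) for bugs present in the environment.

    Vulnerabilities with no matching asset are dropped: without inventory data
    every entry in the feed would look like work, which is the deluge the
    answer above describes.
    """
    results = []
    for vuln in feed:
        hits = [a for a in inventory if is_affected(a, vuln)]
        if not hits:
            continue  # not deployed here: no patch ticket needed
        exposed = any(a.internet_facing for a in hits)
        results.append((priority(vuln, exposed), vuln.vuln_id,
                        sorted(a.host for a in hits)))
    rank = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(results, key=lambda r: (rank[r[0]], r[1]))


# Constructed sample inventory (hostnames, products and versions are made up).
INVENTORY = [
    Asset("web-01", "webserver", "2.4.1", True),
    Asset("app-02", "webserver", "2.4.9", False),
    Asset("db-03", "database", "13.2", False),
    Asset("jump-04", "vpn-gateway", "7.0.3", True),
]

# Constructed sample feed; ids are placeholders, not real CVEs.
FEED = [
    Vuln("VULN-0001", "webserver", "2.4.5", 9.8, True),     # hits web-01 only
    Vuln("VULN-0002", "database", "14.0", 7.5, False),      # hits db-03, internal
    Vuln("VULN-0003", "mailserver", "1.2", 9.0, True),      # product not deployed
    Vuln("VULN-0004", "vpn-gateway", "7.1.0", 8.1, False),  # hits jump-04, exposed
    Vuln("VULN-0005", "webserver", "2.4.0", 5.0, False),    # all hosts already fixed
]

if __name__ == "__main__":
    for prio, vuln_id, hosts in prioritize(INVENTORY, FEED):
        print(prio, vuln_id, ", ".join(hosts))
```

Of the five feed entries only three produce work, and the exploited-in-the-wild bug on the internet-facing web host lands at the top regardless of how its CVSS score compares with the rest; the two entries that are not deployed or are already patched never reach the operations queue.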
What would your piece of advice be for the upcoming professionals in this field?
There's currently a massive talent crunch as organizations seek to recruit cybersecurity experts. Strong security leaders are striving to be more intentional toward mentoring, growing, and sponsoring new talent—especially from diverse backgrounds—from the frontlines on up to advisory and leadership roles. This is because they know an inclusive and diverse team will naturally innovate, challenge assumptions, and break down barriers. The outcomes can include enhanced cybersecurity programs and achievement of more organizational goals.
If you're looking to join the field of information security, first of all, welcome aboard! We're glad you're here. My advice to you is to stay passionate, learn everything you possibly can, and seek out an employer that will value your contributions while allowing you to be your authentic self. We're looking for you.