Sensible About Cybersecurity

An interview with Nicolás A. CISO at Corona. Part II.

solution Sensible About Cybersecurity

In this post, we share the second part of our conversation with Nicolás Acosta, Chief Information Security Officer (CISO) of Corona. We spoke about risks, setbacks, and truths and falsehood in cybersecurity. If you have not read the first part click here to read it.

Risk Management

Thinking about risks is not easy, and risks are everything in cybersecurity. Furthermore, fitting cybersecurity risks with those of business is challenging. We wanted to discuss a bit about this topic with Nicolás.

Is it difficult to quantify the risks you manage in monetary terms?

  1. "Remarkably difficult, as is usual in other fields. We have a traditional approach, and we face the same common issue: prioritization. Which risk is redder than the other reds? We still rely on probabilities and impact. Broadly speaking, the current approach to risks in cybersecurity has three commonalities: we are not good translating hazards to money; we are not good creating business cases for cybersecurity —that’s why it’s often perceived as costly—; finally, we are not good at achieving approvals for what we want to do. As a whole, cybersecurity is poorly understood, and we are responsible for that. I’m not saying that we still speak in terms of IT assets to top management. Nevertheless, in Corona, we have started to build a new language to speak directly to the business, referring to risks. We have managed to speak in financial terms to senior executives by leveraging on the expected loss paradigm, something we came across by, among others, exchanging ideas with Fluid Attacks. Though, it’s still an enormous challenge. The expected loss indicator is not perfect, and it’s complicated to understand. Nevertheless, it’s the best approximation we have to speak in business terms. (Interested in Expected Loss? Take a look at Risk Indicator Roundup.)

  2. In organizations where security breaches translate quickly into money, it’s easier to connect the dots. For instance, the risk of a successful hack targeting an online banking user with USD 5,000 in his account is easy to quantify. However, a scenario where a hack reveals personal information or industrial secrets is not straightforward to numbers. In the latter, you have to analyze more. How much does it cost that someone steals you a food recipe or an industrial design? You just try to take what seems more readily available, for example, sales forecasts."

Get started with Fluid Attacks' DevSecOps solution right now


How companies and cybersecurity teams face struggles are diverse. Nicolás shared with us some of his setbacks as CISO.

What setback was particularly relevant for you as CISO?

  1. "I think of technical and managerial examples:

  2. In one occasion, we should have waited to deploy a protection. We proceeded, and in doing so, we also hindered major operations by taking down some critical systems. That was never the intention, but we ultimately caused the whole financial department of one of our companies to be halted for half a day.

  3. In another time, it was my first presentation to the board of directors. I assumed they were aware enough about cybersecurity, but that was plainly not the case. During my presentation, they started asking whether my topic was worthy of attention. They simply did not understand what I was conveying and I should have started by sensitizing the audience

  4. What I learned in both instances was pretty clear: not to rush when a control or protection is missing; chances are that some blind spots play a big role in the middle of the rush. Second, that the first contact with a board of directors should be focused on sensitization, even if they already are cybersecurity aware. Common language must be established from the beginning to succeed in the difficult task of speaking to the board."

Truths and falsehoods in cybersecurity

To conclude our conversation, we talked about what Nicolás consider false in the discipline, as well as what is true. We wondered what a CISO like Nicolás could tell us.

What do you think is a ‘lie’ in cybersecurity, but most people seem to believe in?

  1. "I sometimes see cybersecurity as a cult. For me, cybersecurity is not as severe as the market tries to show; people usually overestimate what happens. We are not the most targeted organization, although we receive daily attacks. And think about our size: we are a team of seven protecting a 10,000-people organization.

  2. When there is ‘no time’? When are circumstances so urgent that you can’t even blink? When are we ‘on fire’? It has happened once in the last seven years. In my previous job in a bank, it happened twice in about the same period. It’s odd: I see a cult of stress, a cult of being relevant by being busy. It seems to me like an inertial thing that is just not true. I don’t buy that stressful scenario we sometimes see on TV or the movies. Sometimes you do have to worry about and to act quickly to contain an incident, for sure, but it’s not every day, not even every week. In my experience, cybersecurity is not that stressful.

  3. In this discipline, you don’t have to do everything. You can leave to randomness some things. Take, for example, theft. Every day, people are a victim of some theft. Yet, local institutions don’t place a policeman in every corner of the city. That’s the value of the expected loss approach because it allows you to better weight your actions. To do nothing is also a managerial decision. Sometimes it’s better to accept that some incidents happen, and when they arrive, you deal with them. Not every time you get a fever, you go to the doctor. In cybersecurity is the same. We need to be sensible about cybersecurity.

  4. Fluid Attacks, for instance, I’m certain will always manage to breach some of my protections in the projects we work together. How much do I have to invest to be immune to them? There is no point on that. I just accept that fact, and I protect from more likely scenarios. The lie is to go until the end. You have to know when to stop. Many professionals should discard the go-until-the-end idea".

And, what is ‘a truth,’ but most people don’t seem to believe in?

  1. "People and organizations usually think that nothing will ever happen to them. You hear from time to time “It will never happen.” The truth is that something will happen eventually. The thing is, not as many people are aware of cyber risks. For more than 130 years, some events seemed to have never happened in our organization. It’s better to say: for over 130 years, we’ve never known that something has happened. Botnets exist; ransomware exists. If I’m not cautious in my digital behaviors, something terrible could happen to me. So, It’s vital to have “healthy” digital habits. This is a game of balance, a game where you should never feel safe enough that controls just stop making sense, but at the same time, a game where you have to be mindful about how much you really have to do just for the sake of having a reasonable cybersecurity posture."

We are thankful to Nicolás for this conversation about our job as cybersecurity professionals. We hope you have enjoyed these insights from the lens of a CISO. Do you want to share your thoughts? Do get in touch with us!

And remember our solutions. Take a look at our Continuous Hacking service. We can help you with detecting improvements in your cybersecurity operations, as we do it with Corona.


Subscribe to our blog

Sign up for Fluid Attacks’ weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by JC Gellidon on Unsplash

Definition, implementation, importance and alternatives

Photo by Jason Krieger on Unsplash

Keep tabs on this proposal from the Biden-Harris Admin

Photo by Tamas Kolossa on Unsplash

Vulnerability scanning and pentesting for a safer web

Photo by Alexander Ant on Unsplash

Definitions, classifications and pros and cons

Photo by John Schnobrich on Unsplash

Is your security testing covering the right risks?

Photo by Marino Linic on Unsplash

How this process works and what benefits come with it

Photo by Saketh Upadhya on Unsplash

Get an overview of vulnerability assessment

Photo by Anchor Lee on Unsplash

Benefits of continuous over point-in-time pentesting

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.