“The Changing Role of a CISO”

According to Christos Syngelakis, Chief Information Security Officer, Motor Oil, when we speak about changing business environment and transformation, we not speak about a security-related domain. "This is an IT and OT related privilege. It is their responsibility to find or adopt new technologies and ways to improve or support new opportunities. But at this point every thought must be supported by a security mindset,” he explains. “We must fill the gaps that the visionary cannot see but which should be recognized and considered. It's our ugly role, to tell the one who is on the roof wearing his unique device that in the next step he will be able to fly but he can also fall into the void.” Christos explains, “Our goal, even if we probably see that everything can lead to a failure, is not to block the next step but to convince him that he should wear a parachute.” As he understands it, their role is not to provide innovations but to support them. Trying to make them work safely with minimal involvement of users or processes. And by giving them knowledge about the impact on security, their business decisions, the potential risk, and the measures we can take to minimize impact and risk to acceptable levels.

Christos states, a business faces dozen of risks every day. Financial situation, liquidity, customer solvency, environmental risks, geopolitical and political uncertainties, accidents, changing consumer habits are just some of them, not to mention the pandemic. It is very selfish and wrong for a CISO to think that everything revolves around and is based on digital security. “Yes, it is a significant risk for the company, but it is one more risk. The only way a business can be secure is by not doing business” he adds. “So, our job is not to make a business safe but to make it as safe as it chooses to be. We are no different from car mechanics. They must create cars as fast and safe as their car industry chooses.”

"Christos states, a business faces dozen of risks every day. Financial situation, liquidity, customer solvency, environmental risks, geopolitical and political uncertainties, accidents, changing consumer habits are just some of them, not to mention the pandemic."

Christos elucidates that they are not unrelated to responsibilities and choices. “It is also our responsibility to prioritize the risks we will point out, to choose products in which to invest and partners with whom to work.” “But we have no right to say that the business will not do something because it is not safe. We will emphasize this with evidence so that, those who should judge it as strongly as possible can do so. We will do our best, based on the specific data and resources we have.” He adds, “We can ensure nothing not only in cybersecurity, but also in everything in our lives. When we are sure that everything is fine, a pandemic arises and the world changes to the core. We are trying, as much as we can, not to be the easy victim. Just doing as much as you can, in order to have a hole-free infrastructure, have a full range of good products as fully set up to protect you ,and have the procedures that will help you overcome what will one day happen. Educate your colleagues to be aware of the problem is and to know how to deal with it.”

One of the most difficult problems is to be acceptable to the Operational Environment Engineers. CISO and CIO have a limited edition in the Office environment and Information Technology-related activities in all industries. But many problems are based on Operational Technology, and most of the time, there is no person responsible from the cybersecurity related industry during the Operational Technology order and implementation. It is a wrong approach of Business as this technology hides very big risks that extend to safety. The European Union with the NIS Regulation requires a security officer in critical infrastructures, but its jurisdiction and its role will take a long time to be understood. “This is one more competitive advantage of our group as I’m already involved with our OT environment and I already have a way of speaking with production engineers for cybersecurity on upcoming projects,” says Christos. IE