Security Expert Interview Series: Carlos Morales
We recently interviewed Carlos Morales, who is a Senior Information Security Consultant. Carlos is a resourceful leader with over 10 years of experience and a track record of successfully reinforcing information security as a business enabler by developing and implementing comprehensive cybersecurity strategies and information risk management initiatives for global and multi-vertical companies. He holds in-depth knowledge of information security standards, with proven expertise in vulnerability remediation, risk identification and mitigation, security optimization, and security architecture.
1. Firstly, thank you very much for taking part in this campaign, Carlos. Can you tell us about your professional background and areas of interest?
With more than 15 years of experience in multinational companies throughout the Americas, I have had the opportunity to learn and develop various roles related to information security, mainly in the areas of strategy, risk management, governance, compliance, culture development and security operations, but always seeking to turn cybersecurity into a competitive advantage.
However, I have always had a genuine interest in helping others, and I have not missed the opportunity to collaborate with universities as a professor of the Master's in Cybersecurity to increase the development of talent. I have also participated in national and regional councils that have allowed me to develop public-private collaboration initiatives, promote regulations and strengthen the cybersecurity strategy in Mexico, and promote the adoption of cybersecurity in Latin America in companies and organizations of all sizes.
2. You are currently working as a Senior Information Security Consultant. Is there a typical workday for a security consultant and more specifically, what are some of your primary concerns on a daily basis?
I work as a Senior Security Consultant at Bulletproof and I really enjoy it. Bulletproof is headquartered in Canada with offices across the United States and around the world. We have over two decades of experience in the security business, protecting clients’ privacy and data and we were recently awarded Security Partner of the Year by Microsoft for demonstrating excellence in innovation and implementation of customer end-to-end security solutions. I’m glad to be working with an award-winning, growing organization that is considered a thought leader in security and compliance.
My role allows me to collaborate with numerous colleagues to continuously innovate and improve our internal security posture. Not only that, what I enjoy the most about my role is having the ability to collaborate with companies from all around the world while being able to work together with a great team of highly skilled professionals, delivering solutions that have a great impact on improving security posture for organizations.
My main concern is always to deliver timely pragmatic services and recommendations, which help organizations maximize their existing resources, have an adequate security posture and above all, achieve their business objectives. The cyber environment is constantly evolving, and each organization has its own peculiarities in terms of maturity, resources, industry, business objectives, threats, vulnerabilities, risks, etc., and therefore needs its own tailored suit.
3. What is something you wish you had known when you first went into a career in information security?
I would have loved to know the great variety and wide spectrum of profiles, roles and tasks that are required to cover what cybersecurity encompasses. At first, you usually think that everything is technology and that the solution will be technological. Knowing that it will not always be like this would have helped me to propose solutions aligned with strategic business objectives and to influence people in favour of the cybersecurity of the organization.
In this increasingly digitalized world, cybersecurity is totally transversal in all aspects of our lives. This broad spectrum is precisely what makes the technical aspect, although very important, not the main one; the human aspects around it become indispensable.
The ability to generate an effective interaction between people to achieve consensus, work as a team, keep constantly updated on threats, best practices, regulations, etc., and achieve the objectives that are set out in the security program of each organization will mark the success or failure of it.
4. What policies and practices would you recommend to small businesses defending against the latest malware threats?
There are many points to cover on this topic; however, I would explain the main thing in three points:
1) Don’t try to reinvent the wheel. Learning from the experience of others is something that we must develop further. There are also many frameworks that are available to help you develop your cyber security program and measure its improvement.
2) Ask for help from experts who will actually design the suit to fit the needs of your organization. It will be more economical, practical and will put the experience gained from many resources in different industries, geographies, and organizations in favour of your own organization. Your cyber security program must be alive and part of the culture of your organization.
3) Start at the beginning. Although it sounds obvious, it is not always the path that many SMEs have taken. Frameworks such as CyberSecure Canada, Cyber Essentials in the UK or the Basic Cyber Security Manual for Mexico's Micro, Small and Medium Businesses are a good first step to begin in a structured way and tackle the basic cybersecurity issues on which the information security program will later be developed. The NIST 800 series, ISO 27000 series, and CIS 8.0 are good examples of frameworks you can count on as the next step in your path to grow your cybersecurity program.
5. How do you stay up to date with industry news and updates regarding information security?
Being up to date on cybersecurity issues, even if it seems simple, has its challenging side. There is a sea of information, and the important thing is to be able to identify what is really relevant. Spending time in the morning reading the latest news has already become something I do every day, even on vacations or weekends. There is always something interesting in development that we must be aware of, as well as topics that we must continue to learn about.
A good-quality network of LinkedIn contacts is a frequent source of relevant information. Twitter and the Flipboard or "Security" apps are also sources that I often check and have configured so that I receive timely notifications. Groups of friends that I have made over the years are undoubtedly one of the best sources of information and collaboration, and I am always aware of them. Collaboration in particular is something we need to promote more forcefully: sharing relevant information that helps prevent incidents, learning from other people's experiences, and sharing best practices or lessons learned are areas that all of us who participate in cybersecurity can still improve.
However, we must bear in mind that not everything is relevant to us. There is information that may seem interesting but is only a distraction from some other topic to which we really should pay attention.
6. What would be your one piece of advice to every young information security enthusiast?
Cybersecurity requires a wide spectrum of profiles, find the one you like the most, enjoy each step on this journey, don’t lose your ethical compass and never give up. Resilience is a great asset and needs to be developed.
Learn more about the Swiss Cyber Institute's approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.