CISO Diaries: Carlos García Batista on Cyber Resilience in Emergency Services

For Carlos García Batista, cybersecurity is inseparable from public service continuity. As Information Security Officer for the Directorate General of Emergencies within the Gobierno de Canarias, his work sits at the intersection of critical infrastructure protection, emergency coordination, operational resilience, and regulatory governance. In an environment where communications systems, geolocation platforms, emergency response technologies, and public-sector operations must remain available under pressure, security decisions are never purely technical; they directly affect how essential services function when citizens need them most.

That perspective makes García Batista’s contribution especially fitting for CISO Diaries, a series focused on how security leaders navigate the realities behind the role: balancing operational urgency with long-term resilience, translating cyber risk into institutional impact, and governing increasingly interconnected digital ecosystems. In this conversation, he discusses why ambiguity often becomes the root cause of risk, the growing fragility created by complex dependencies and supply chains, and why future security teams will spend far more time governing AI, automated decision-making, and systemic resilience rather than defending isolated systems alone.

How do you usually explain what you do to someone outside of cybersecurity?

I usually explain it by saying that my job is to help ensure that essential public services continue to operate safely, securely, and reliably, even under pressure.

In my case, cybersecurity is not only about protecting computers, networks, or data. It is about protecting the operational continuity of services that citizens may need in critical moments, such as emergency coordination, healthcare-related services, communications, and decision-support systems.

So, in simple terms, I help ensure that technology does not become the weakest link when people need public services most.

What does a “routine” workday look like for you, if such a thing exists?

In emergency services and critical infrastructure environments, routine is always relative.

A normal day usually combines strategic planning, operational follow-up, governance, procurement, cybersecurity, risk management, coordination with technical teams, and institutional decision-making. But that routine can change immediately if there is an incident, service degradation, security concern, or operational need affecting emergency response capabilities.

Part of the role is precisely that: being able to move from long-term transformation to immediate operational response without losing control, context, or priorities.

What part of your role takes the most mental energy right now?

The most demanding part is balancing transformation, security, and operational continuity simultaneously.

Public emergency services cannot stop while they modernize. Critical infrastructures cannot wait until every process is perfect. And cybersecurity cannot be treated as a separate layer added at the end.

The mental effort lies in making decisions that are technically sound, legally defensible, operationally realistic, and institutionally sustainable. In environments such as emergency services, every technology decision directly impacts resilience.

What’s one security habit or routine you personally never skip?

I never skip questioning the context behind an access, a permission, or a technical change.

For me, security is not only about whether something can be done technically. It is about whether it should be done, under what conditions, with what level of traceability, and with what impact on the organization’s risk posture.

That discipline of asking “why”, “for whom”, “for how long”, and “with what safeguards” is one of the most important habits in security governance.

What does your own personal security setup look like?

At a high level, I try to apply the same principles personally that I defend professionally: strong identity protection, least privilege, segregation, traceability, and resilience.

I use multi-factor authentication wherever possible, strong and unique passwords managed securely, controlled device usage, regular backups, and a cautious approach to applications, links, attachments, and cloud services.

I also try not to expose unnecessary technical details about my own setup. Personal security also depends on reducing the amount of information that can be used against you.

What book, podcast, or resource has influenced how you think about leadership or security?

I have been influenced by many technical and regulatory resources, but probably the most important influence has been working directly in environments where technology, public service, law, and real-world operations intersect.

From a leadership perspective, I am especially interested in ideas around resilience, institutional responsibility, critical infrastructure protection, and decision-making under uncertainty.

Security leadership is not just about knowing frameworks. It is about understanding consequences. The best resources are often those that force you to think beyond the checklist and ask what would actually happen if the system failed.

What’s a lesson you learned the hard way in your career?

That which is not clearly governed will eventually become a risk.

In technology organizations, many problems do not begin as technical failures. They begin as ambiguity: unclear responsibilities, undocumented decisions, informal exceptions, poor ownership, or assumptions that nobody has validated.

The hard lesson is that good intentions do not replace governance. If something is critical, it must be documented, assigned, monitored, and reviewed.

What keeps you up at night right now, from a security perspective?

The growing dependence of essential services on increasingly complex, interconnected, and sometimes fragile digital ecosystems.

Emergency services rely on communications, cloud services, data platforms, integrations, geolocation, telephony, identity systems, operational applications, and external providers. A weakness in any of those layers can have consequences beyond the technical domain.

What concerns me most is not only the possibility of a cyberattack but also the combination of cyber risk, operational dependency, supply chain exposure, and a lack of real resilience planning.

How do you measure whether your security program is actually working?

I do not think a security program can be measured only by the absence of incidents. Sometimes the absence of incidents only means that you are not detecting them.

For me, the key indicators are visibility, response capability, reduction in unmanaged risk, process maturity, quality of evidence, auditability, incident response readiness, and the organization’s ability to continue operating under adverse conditions.

A security program is working when the organization understands its risks, can make informed decisions, can detect abnormal situations, can respond proportionately, and can recover without improvisation.

What advice would you give to someone stepping into their first CISO role today?

Do not try to be the only most technical person in the room.

A CISO must understand technology deeply, of course, but the role is also about governance, communication, prioritization, legal awareness, institutional responsibility, and trust.

My advice would be: understand the business or public service you are protecting; document decisions; build alliances; be firm but not isolated; and never confuse activity with maturity.

Also, learn to explain security in the language of impact, not only in the language of threats.

What do you think will matter less in security five to ten years from now?

I think isolated, purely perimeter-based security models will matter less.

The idea that an organization can be protected mainly by defending a fixed perimeter is already outdated. Digital services are distributed, identities are everywhere, data moves constantly, and supply chains are deeply interconnected.

What will matter less is security theatre: policies that exist only on paper, controls that nobody operates, and compliance that does not translate into actual resilience.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Security teams will spend much more time governing artificial intelligence, data flows, automated decision-making, digital resilience, and systemic dependencies.

They will need to understand not only whether systems are secure, but whether automated processes are explainable, lawful, resilient, auditable, and aligned with public or business objectives.

In critical services, security teams will also become more involved in anticipatory risk management: detecting weak signals, simulating crisis scenarios, protecting data-driven decision-making, and ensuring operational continuity in highly automated environments.

Cybersecurity will be less about protecting isolated systems and more about governing complex digital ecosystems.

 
