Investments That Matter: Strategies for Business Protection


By Aura Moreno | Journalist & Industry Analyst - Wed, 10/22/2025 - 17:00

The industrialization of cybercrime and a growing talent gap demand a new focus on security in Latin America, shifting it from a cost center to a fundamental strategic investment.

“It is essential to maintain alignment when it comes to supporting security functions, as understanding the risks, challenges, and threats is key to focusing efforts effectively,” says Ana Cecilia Pérez, Founder and Director, Capa 8, during the Mexico Cybersecurity Summit 2025. 

Cyber risks present an economic threat of unprecedented magnitude. Projections from Cybersecurity Ventures indicate that global costs associated with cybercrime will reach US$10.5 trillion annually by the end of 2025. Latin America faces a particularly complex environment, with a sustained increase in both the volume and sophistication of cyberattacks. This scenario is aggravated by an estimated deficit of 329,000 cybersecurity professionals, according to ISC2’s 2024 Global Cybersecurity Workforce study.

“Today, companies must decide where to invest, how to avoid mistakes, and how to maximize the value of these decisions,” says Pérez. She adds that the most expensive mistake is investing too late, as resilience is directly linked to timely investment decisions.

This confluence of factors places the region in what could be defined as a "risk incubation period." Although the average cost of a data breach in Latin America is about US$3.22 million, lower than the global average, this figure can be misleading. Leading risk indicators, such as the 15% increase in regional victims named on extortion sites, suggest that the actual risk is escalating rapidly. The calculated cost of cyberattacks in the region is likely attenuated by a less stringent regulatory framework and potential underreporting of incidents. This masks a latent vulnerability that, if unaddressed, will result in significantly higher financial and operational costs in the medium term.

In response, the cybersecurity market in the region is projected to grow from US$21.6 billion in 2024 to US$40.9 billion by 2033, reflecting a growing awareness of the need for investment. “Cybersecurity should not be seen as an expense but as an enabler of business continuity and growth,” says Israel Gutiérrez, CISO, Gentera. Separating cybersecurity from business operations is unjustifiable, he adds: “Sooner or later, everyone will have to pay the price of cybersecurity, either by investing in prevention or paying for the damage.”

Phishing has established itself as the most frequent infiltration method, responsible for 16% of data breaches globally, reports IBM. However, malicious insider attacks represent the costliest vector, averaging US$4.92 million per breach, which highlights the criticality of internal security controls. In parallel, supply chain compromise is the second most expensive vector and the one that requires the most time to contain. This mode of attack has seen an alarming increase in Mexico, where 68.8% of organizations reported being victims of these attacks in 2024.

“We must identify the core of the business: what must be protected,” says José Treviño, CIO, Dicka Logistics. He emphasizes that beyond direct financial costs, reputation damage is often more expensive than fixing a breach. “Use business-aligned metrics to justify cybersecurity investments, and relate them to headcount, costs, and revenue impact,” he adds.

Given this landscape, the allocation of limited resources must be based on a structured framework. The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework offers a methodology to align investments with business objectives and risk tolerance. The process involves defining a security profile, establishing a desired target profile, and, through a gap analysis, identifying and prioritizing the security initiatives with the greatest impact. This approach allows security leaders to justify investments to senior management using the language of business risk, rather than purely technical metrics.

Evidence shows that investment in certain areas generates a significantly higher return. The application of AI and automation in security operations is the single most impactful investment. IBM shows that organizations that extensively adopt it save an average of US$1.9 million in breach costs. Given that 68% of breaches involve a human factor, investing in continuous employee training and awareness programs directly addresses one of the main causes of incidents. Finally, the implementation and regular testing of an Incident Response (IR) Plan can reduce the costs of a breach by an average of 58%.

“Every company should update its cybersecurity strategy every three years, including risk assessments, business impact analysis, and contingency panels,” says Rommel García, Cybersecurity Advisory Partner, KPMG Mexico. “Executives will ask: Is this generating value or saving money? Establishing metrics that link cybersecurity to business performance helps justify investment and strengthen leadership support.”

Looking toward 2026, investment trends are shaping up around three main axes. First is the AI arms race, where the technology is both an attack tool and a pillar of defense. Deep Instinct’s Voice of SecOps 2024 report indicates that 59% of professionals cite AI-powered social engineering as a primary threat. "Shadow AI," or the unsanctioned use of AI tools, is already a factor in 20% of breaches, demanding investment in the governance of this technology.

Second, a paradigm shift is observed from reactive defense to Threat Exposure Management, a proactive approach focused on remediating risks before they are exploited. Finally, within this proactive approach, Identity Exposure Management (IEM) emerges as a critical area. Since stolen credentials remain a primary cause of breaches, IEM, which focuses on protecting exposed identities, could be a strategic investment with a potential return of 321%, according to Forrester.

The future of cybersecurity in Latin America will depend not only on technological capabilities but also on how effectively leaders integrate resilience into their strategic, operational, and financial planning. “Resilience equals investment; investment equals resilience,” says Pérez.
