Mexican Leaders Struggle to Prioritize Cybersecurity Investments

By Diego Valverde | Journalist & Industry Analyst - Wed, 12/10/2025 - 08:45

Forty-five percent of business leaders in Mexico do not know how to prioritize cybersecurity investments, and 66% of organizations lack a regular schedule for risk assessments, according to Kaspersky. This forces companies into reactive operating models in which they address vulnerabilities only after critical incidents or external alerts occur, rather than preventing them through proactive governance.

The uncertainty in capital allocation derives directly from limited visibility regarding digital infrastructure and the absence of clear performance metrics. “When there is no real visibility into the state of cybersecurity, investment decisions become uncertain, intuitive, and more difficult to measure correctly. As a consequence, justifying investment becomes a challenging task,” says Claudio Martinelli, General Director for the Americas, Kaspersky.

Martinelli emphasizes that the Return on Investment (ROI) in information security should not be calculated through revenue generation. Instead, he compares the infrastructure to a corporate insurance policy: an asset that companies need to possess but hope never to utilize. The true value lies in avoiding operational interruptions, financial losses, and reputational damage.

A Hostile Threat Landscape

The digital threat environment is expanding rapidly within Mexico. Data from 3Q24 indicates a 30% increase in cyberattacks targeting companies in the country. During this time, organizations suffered 42.4 million malware attacks, which represents an average of 116,000 daily attempts. The manufacturing sector stands out as a primary target, accounting for nearly 30% of these attacks.

Despite this aggressive landscape, a critical disconnect persists between executives' perception of security and the actual resilience of their systems. Martinelli details that 15% of leaders in Mexico do not have a clear security strategy, which means they lack structured guidelines for decision-making and resource prioritization. Furthermore, one in 10 organizations does not execute any routine tests or attack simulations. This systematic omission prevents IT teams from identifying hidden vulnerabilities, evaluating the effectiveness of existing controls, and building a coherent defense against sophisticated attack vectors.

Complementary Details and Market Projections

Data from other consultancies corroborates the upward trend in digital risk in Mexico. A report from ManageEngine indicates that 65% of companies in the country reported an increase in security incidents in 2023 compared to previous years. This positions Mexico as one of the countries most affected by digital breaches in the region.

The perception of risk has also evolved regarding the integration of new technologies. For example, 78% of companies consider cyberattacks powered by AI a grave threat, and more than half confirm they have been targets of offensives that use this technology.

Given the shortcomings of current practices, corporate spending patterns are expected to change. According to information from PwC, 86% of companies in Mexico plan to increase their cybersecurity budget by 2026. This suggests a gradual transition toward preventive management of digital risk. However, spending without strategy does not guarantee safety.

Moving Toward a Pragmatic Strategy

To bridge the gap between investment and effective protection, experts recommend implementing frameworks based on quantitative analysis. Martinelli suggests that a pragmatic approach, based on formal diagnostics and analyses such as the Factor Analysis of Information Risk (FAIR), allows organizations to justify investments and define measurable benefits regardless of the size of the company.

Kaspersky proposes restructuring security governance based on four operational pillars to ensure a continuous improvement cycle:

  1. Recurrent Evaluation: Establishing risk assessment calendars with a minimum periodicity of every three to six months ensures that defense protocols are kept up to date.

  2. Incident Simulation: While the majority of companies perform simulations, consistency is key. About 42% execute these monthly and 48% quarterly. Experts recommend monthly or quarterly simulations to measure response times and the effectiveness of containment protocols accurately.

  3. Continuity Indicators: Companies must define Key Performance Indicators (KPIs) linked directly to business continuity and not just regulatory compliance.

  4. Threat Intelligence: Updates to policies and controls must be based on real-time threat intelligence, prioritizing corrections that reduce the exposure surface.
