Santiago Gutiérrez
Leading Partner Cyber Risk Services
Deloitte México
View from the Top

Deloitte’s Cyber-Risk Operations in Latin America

By Jan Hogewoning | Wed, 12/16/2020 - 04:14

Q: How did Deloitte venture into cybersecurity in Mexico?

A: In mid-2013, I was invited by Deloitte to build the cybersecurity practice in Mexico. Before that, in 1998 I had the opportunity to join and found a cybersecurity company with 5 other partners. What I did not know when I arrived at Deloitte is that it was already the global leader in cybersecurity. At the time, we started offering cybersecurity services primarily to large companies. The aim was to position Deloitte in Mexico as a top cybersecurity provider. We were offering many services that did not exist in Mexico then, innovating in some services, which helped our expansion. Today, we have 110 people in Mexico and almost 400 professionals across Spanish-speaking Latin America. Another advantage is that Deloitte has close to 350 partners in Mexico alone. They provide many services, including auditing and legal and financial services. Their relations with companies help our cybersecurity division to come in direct contact with C-level executives. What we find is that more than anything, leaders of companies are worried about reputation damage as a result of cyberattacks. While attacks can lead to monetary and information losses, executives’ biggest fear is the fallout in the media after a cyberattack.


Q: Why did Deloitte create the Cybersecurity Community in Mexico and the region?

A: We formed the Cybersecurity Community six years ago. The objective was to gather CSOs and CISOs from different companies so they could get to know each other and exchange experiences. The first event was specifically for banks and out of 30 invitees, 29 banks attended. We decided to define the rules of the community there, agreeing that rather than a forum for competition it would be an opportunity to work together. At this event, 74 percent of participants voted to open the initiative to other industries. Since then, we have organized a meeting twice a year. Today, we have a forum specifically focused on the financial sector across Spanish-speaking Latin America. We founded this four months ago with the goal of talking about cybersecurity and exchanging experiences.


Q: How are you developing talent in cybersecurity?

A: Deloitte Spanish Latam just formed a cyber-academy for the region. There is a huge lack of talent in this industry. Globally, there are 4 million vacancies and in Latin America alone there are 600,000. In January 2021, we will start virtual classes. We have been interviewing students from 16 countries in the region who are finishing university. Our focus in selecting candidates is more on soft skills than technical skills. We are also working to ensure a gender balance. We will pay the first six months of school for each student and after that, we will decide who will continue working with us. The program really has echoed across the industry, to the point that some multilateral organisms are interested in participating as well. 


Q: What cybersecurity services does your division provide to clients?

A: We divide our approach into three different domains: consulting, solution implementation and managed security services. These make up our strategy, which consists of government and strategy, security, vigilance and resilience services. Each area offers distinct services. To explain, I like to use the analogy of a house. Each house has its own rules regarding how people live, responsibilities for each family member, how they share the space. This is the governance and strategy. Secondly, you apply tools and other controls to secure the place. In a house, these can be locks, a guard and a dog. In summary, security is all security controls organizations have implemented. Thirdly, you implement vigilance. In a house, this would be an alarm system that tells you when someone has breached the premises. In cybersecurity, you use different tools and systems to establish 24/7 monitoring. If done right, you create cyber-intelligence that helps a company to prevent and not only react. Lastly, there is the aspect of resilience. We know today that breaches or attacks are going to happen, no matter how strong your strategy and controls are. Resilience comes down to containing and mitigating the impact, ensuring a fast recovery of operations.

It is important to know which areas of a company require the most protection; we call these the 'crown jewels'. Using exercises such as cyber-simulation and wargaming, we create a picture of the landscape. Today, we are really moving beyond compliance, to the age of complexity. We see today that many companies are implementing controls across their whole ecosystem, including amongst suppliers and clients. This is important because many attacks start with a breach in a third party.


Q: What is your relationship with software suppliers?

A: For the last three years, we have been working through alliances with software suppliers locally, and for the whole region. Some of these alliances already exist in other regions like Europe and the US. They are the basis of some of our services and it is important that they have a strategic vision that moves with the latest trends. Today, you see a lot of venture capital moving into startups that are developing new software that meets the needs of companies. Our focus on alliances is to cater to the whole region. Deloitte is the muscle that takes the solutions of technology suppliers to the market and offers them through a SaaS model. This model provides many advantages because many companies do not want to buy an asset or software or do not have the CAPEX to do it. Our Cyber Intelligence Center, operating from Torre Mayor in Mexico City, uses a variety of technology platforms and solutions from different niche vendors.



Deloitte is one of the Big Four accounting & business consulting organizations and the largest professional services network in the world by revenue and number of professionals. It is headquartered in London.

Jan Hogewoning, Journalist and Industry Analyst