David Taboada
Director General
código verde
/
View from the Top

Education at All Levels the Best Approach to Cybersecurity

By Andrea Villar | Mon, 01/18/2021 - 05:00

Q: What solutions does código verde offer to the Mexican market?

A: We have an intervention model that has three stages. The first is the Dimensional Diagnosis of Information Security, the second phase is the implementation of a management system and the third is the optimization of risk. Within the first of these phases, we do penetration testing to simulate a cyber-attack. The only way the industry has been able to measure the risks of an attack is with penetration testing. For the implementation of the security management system, we have the ISO 27000 certification. However, the reason why there are not many companies certified in this area is that this certification has 114 controls and for many companies, it is complicated as it requires significant investments. 

We have been doing penetration testing for almost 12 years and we know what hurts companies in Latin America. Based on our findings, we have developed a lean management system that we call 5SI. Now, when a client wants to become ISO 27001 certified, the first thing we do is implement the 5SI system and then we complete the rest of the control implementation. By doing so, companies maintain a better risk profile from the beginning of the implementation and it is cheaper. Moreover, it is a project that is done in less than a year. This means less uncertainty regarding budget overruns. Implementing a program like this in a short time with tangible results achieves greater support from direct stakeholders who then continue to invest in the company's cybersecurity.

The implementation of the security management system also includes training for the whole company as well as specialized training for the IT staff. código verde is accredited by three leading international certification bodies to provide this training. 

Q: How aware are companies of the need to have a cybersecurity solution?

A: There has been a shift toward greater awareness. However, it has not been significant and we are not where we need to be. If you ask company managers about cybersecurity, you can see that a great deal of education is still missing. This certainly affects the areas below that may have this awareness. 

A few weeks ago, we did a penetration test at a company and handed them the report, where we demonstrated to executives that we were able to access an application in the testing environment. This is the third test we have done with this company and it has improved every time. In companies, it is sometimes very common to have no risk management. This means that managers are not aware of the areas, data or infrastructure they are leaving vulnerable by not allocating budget or a targeted strategy. We have encouraged the habit of having a conversation with the directors of the company and not just with the IT department. Information security still needs to be brought closer to decision-makers. 

Q: What sets código verde apart from the competition?

A: There are players in the market who sell information security solutions. In that area, the competition is very tough. On the other hand, there are also many players who offer services like security operation center solutions. However, there are very few companies like código verde that can provide penetration tests, implement a management system and optimize risk management. 

We have a client portfolio that has developed over 12 years and we have highly competitive services. We also have a business line of certified IT training, making us one of the few cybersecurity training centers in Mexico. The industry is still very young in Mexico and when it matures, there will be very few competitors left. 

Q: What other training programs will you introduce in the short term and why?

A: We are rethinking the business line of certified training. código verde is going to start offering self-designed training. We have a course called Information Security for IT Professionals, which is aimed at all IT professionals, regardless of whether they are interested in security or not. This training is an introduction to cybersecurity and, therefore. we cover many topics. It is the best way we have found to introduce all IT professionals to information security and allow them to specialize afterward. 

Q: You recently outlined a new business plan and unveiled new products. What are the near-term goals of your new plan and how are the new products tied into this?

A: Starting on January 2021, we are launching CONSEJOSI, which stands for ‘Consejo de Seguridad de la Información y Ciberseguridad, A.C.’, a research and training non-profit organization. During the next three years, we have agreed with CompTIA, EC-Council, ISC2 to allow us to co-market their certified training programs with CONSEJOSI. This will focus código verde’s efforts on developing our consulting practice and also draw from research conducted by CONSEJOSI.

The stated mission of CONSEJOSI is to “produce and disseminate information and knowledge to contribute to legislative and regulatory processes, the design of public policies and decision-making in Information Security and Cybersecurity”.

Andrea Villar Andrea Villar Journalist and Industry Analyst