Humans: Cybersecurity’s Most Powerful Asset, For Better or Worse
By Andrea Villar | Thu, 06/17/2021 - 18:49
To protect against today’s cyberthreats, technology alone is not enough. To tackle the growing risks companies face, it is necessary to address the weakest link in the security chain: the human being, agreed panelists at Mexico Cybersecurity Summit 2021 on Thursday, June 17. “A cybersecurity strategy has to include an organizational culture plan where all members of the company are involved. The company's network can be well protected but if there are no rules or awareness among employees, the risk does not diminish,” said Maricela Orihuela, President of CIO's Mexicanos.
“Even if a company has the most efficient and advanced security technologies on the market, if the user operating those technologies is not trained, the gap is still there,” agreed Heriberto Cabrera, Director of Technical Solutions Engineering for Latin America of Tanium. To start building a cybersecurity culture, companies should undergo a three-phase cycle, added Cabrera. First, companies should raise awareness and educate their staff to understand the possible consequences of being unprepared. Second, an evaluation is required to identify areas of opportunity. Finally, companies should be open to feedback for improvement. “At the end of the day, users are our most powerful assets. They can lead us directly to success, but they also have the capacity to bring us down.”
Understanding the regulatory and contractual needs of the business is key to generating processes with clear objectives to achieve an effective security strategy, explained Eli Emmanuel Ruiz, Information Security Officer of Nemak. Business impact analysis or risk assessments also help identify areas where the business has security gaps or areas that are business-critical, such as operational and financial areas. If all these factors are considered, “awareness and training strategies can be better focused and yield better results,” said Ruiz. “When we have all this in place we can define clear policies that cover all identified risks, making sure that all employees know their responsibilities.”
With nearly 200,000 employees worldwide, Huawei is one of the companies that have been implementing a culture of cybersecurity and information protection among their employees for years, according to Martin Portillo, CISO of Huawei. “We consider this area so relevant that before we release a new product or service, regardless of the amount of testing and quality audits, it cannot be launched to the market without prior approval from the cybersecurity area.” Currently, the Chinese company has an independent cybersecurity unit “that is not tied to any administrative process” to ensure that its products comply with established standards and protocols, he said.
Security strategies must be implemented from the top of a company's management, said Portillo. “The board of directors itself has to be aware of the critical need to deal with cybersecurity and information protection processes.” Once this area of the company is fully involved in the strategy, regular and dynamic training courses involving technical, legal, accounting and administrative staff are key, said Portillo. “At Huawei, even new people joining the company are asked to come in with a basic level of knowledge of some cybersecurity standards.”