Ana Cecilia Pérez & Juan Pablo Carsi, Capa8: “organizations must strengthen their cybersecurity culture”

Cybersecurity often seems like a field best fit for experts and complicated algorithms to figure out and maintain. And more often than not, the human factor of it gets left behind.

Millions of Internet users these days rely on SaaS cybersecurity solutions, such as VPNs for their expensive Mac computers or other devices, to protect their identities and keep them safe online. However, what many tend to forget is that proper security higiene, such as never giving out your real name, passwords, or any other sensitive information online, is sometimes even more crucial than fancy applications.

To talk about the importance of cybersecurity training and actively including people in the processes of protecting organizations, Cybernews reached out to Ana Cecilia Pérez and Juan Pablo Carsi, Partner Directors at Capa8, an information security company.

Tell us a bit about how Capa8 began. How was your journey?

Capa8 emerged after identifying the necessity to provide services focused on people. Thanks to our previous experience, we determined that most cybersecurity industry suppliers concentrate their services on protecting information and technological systems. People are the crucial element for us in a cybersecurity strategy. Often organizations don't think about including people as a key element in their security information and cybersecurity strategy, and the opportunity to mold behavior is lost. In that case, it is no longer possible to lead the use of digital platforms operation – mainly regarding threats and risks.

That is why we created two initiatives with a social focus principally – "Cybersecure Families and Schools." As the name says, we made them for the Internet and digital platform awareness, support, and advice. We want users to know how cyberspace risks could affect the privacy of schools and families. Our ultimate goal is to prevent privacy vulnerability, affecting their integrity.

Can you introduce us to what you do? What are the main challenges you help conduct?

We support organizations in understanding their actual situation. This allows us to find a starting point in designing their security information and cybersecurity strategy. We build this strategy considering three edges: people, regulations, and infrastructure. We know infrastructure is critical, but its performance and use 100% depend on proper regulation definition, training, and cybersecurity culture.

We consider it crucial that organizations adjust their campaigns depending on profiles, activities, and appropriate language. They should base them on different roles the business processes are on. Nevertheless, we've found better results when digital health and civism were included in the family.

We find our main challenges when:

• Support is required when standards are taken-up only to ensure compliance with some regulations. Organizations do this without understanding that the take-up means a cultural change at an organizational level. It is an alive system that needs attention and resources.
• The cybersecurity department doesn't have the management support or resources to build a strategy.
• Many organizations still consider that their information and size could be insignificant, so they don't think anyone is interested in conducting a cyberattack on them.
• Cybersecurity solution manufacturers offer many options. It is fundamental to understand the client's short, medium, and long term needs in order to make better choices and apply better solutions.

What methods do you use for an organization's information security state assessment?

We believe it's fundamental to provide organizations with helpful information to make decisions regarding the path to follow in their information security strategy. That is why our comprehensive diagnosis includes:

• Cybersecurity assessment
• Critical business processes risk analysis
• OSINT intelligence threats assessment
• Penetration tests and vulnerability assessment
• Gap analysis regarding some standard or regulation of its industry

How do you think the pandemic has affected how people approach cybersecurity?

The pandemic has contributed to accelerating the use of digital platforms. We depend on them for different aspects of our daily life. Remote work provoked the expansion of frontiers and controls that we could protect inside our offices. We lost that control, and information processing in our home networks has been left vulnerable. That is why many initiatives, from an organizational to a personal view, and awareness development have been built up about the safe use of digital platforms.

More interest in reporting cybersecurity events that could affect peoples' privacy has appeared. Every year, more and more organizations develop reports that allow them to see from their scope. They can see what is happening in terms of cybersecurity.

Why do you think certain companies struggle with implementing appropriate information security measures?

We believe that the main issues that organizations are facing are due mainly to 5 factors:

• No security information strategy
• Lack of support and prioritizing from the management
• Absence of knowledge or experience in security information topics
• Organizations fail to have a government model. It provokes conflicts of interest between definition, design, and implementing security strategy parties and measuring parties.
• The cybersecurity department should understand the business processes, support, and information security integration into the organization.

In your opinion, which industries should put more attention on employee cybersecurity training?

Evidently, regulated sectors have a significant cybersecurity risk due to their nature and they should be more attentive. However, we do not recommend making distinctions when talking about a culture of cybersecurity. No matter the kind or size of the industry, organizations must think about training and strengthening their culture in this matter. If they do not, sadly, they will face the consequences sooner or later.

Which do you think are the key security practices every modern company should follow?

Even if it regards our perspective, each organization is different. Firstly, we highlight that management must recognize cybersecurity as a fundamental aspect of the business. Then, a resilient organization's vision must be established. It means strategies must be designed to satisfy specific needs and cultures.

A strategic approach to security that we recommend is Zero Trust, but one should never forget that the strategy also must be treated as a whole. We recommend constantly measuring the risk appetite and working following proactive approach initiatives. This will allow for correct management. We do it principally, looking to strengthen the governance, cybersecurity culture, technology controls requirements, and appropriate cyberthreats detection abilities for an effective response when an event occurs.

And what about casual Internet users? What security measures do you think everyone should install?

We know that there are constant threats, but we can reduce the risks by first maintaining good digital health habits and following better practices. Among others, we recommend the internet providers' services (i.e., security protocols, guest networks, firewalls, content filtering with home network restrictions) for device setup. It is essential to keep devices updated, use legal and licensed software, enable antimalware software, and encrypt the disk drives if possible. For browsing, we suggest a VPN and always a two-factor authenticator. Finally, remote working is here to stay, so it is essential to protect privacy, keep up good behavior, and not compromise access information.

Share with us, what’s next for Capa8?

We are very excited about what is coming. Cybersecurity represents significant challenges accentuated by ubiquitous connectivity and new technologies. But in Capa8, we believe there are opportunities for innovation and service development for Mexican and regional organization support. We are working in that very sense to make Cybersecure Families and Schools initiatives consolidate and grow, enabling us to build up secure environments for everyone.