Blind trust is rarely, if ever, good company policy. Especially when it comes to cybersecurity certifications.
As the world grows technologically sophisticated, so does cybercrime. The post-COVID tidal wave of digitalization processes among companies, governments and other sorts of organizations brought with it a school of dangerous fish. Back in 2021, 81% of global organizations reported an increase in cyber threats, according to a joint study by McAfee and FireEye. Throughout 2022, successful ransomware attacks and data breaches have made headlines, pushing the topic of cybersecurity forth in the public conversation.
The latter has tightened the market for cybersecurity specialists and their services, fostering also the concern of any organization which puts sensitive information –internal documents or customer personal data, for example– in the hands of third parties.
The situation is particularly dodgy for companies that outsource operations, be that onshore, nearshore or beyond. While climbing costs incentivise businesses to seek lower-cost alternatives, the prospect of trusting important information to a third party can be troublesome.
“Minimizing the trust in other systems can increase the security of your application”—CISA
That’s where cybersecurity certifications come in. They provide credentials that –at least in theory– assure that an individual or a company has the skills to shield effectively against attacks.
“Employers want proof you have the expertise they need. They want to see your cybersecurity certifications. They want to know you’re continually improving your skills to stay up on the latest threats and technology,” explains the International Information System Security Certification Consortium (or ISC2), one of the world’s top organizations of cybersec professionals.
Nevertheless, cybersec experts have warned against a blind trust of certificates, while pointing to the complex relationship that could arise between vendors and customers over the effectiveness of such certifications.
What’s Their Worth?
“Trust, whether it is in external systems, code, people, etc., should always be closely held and never loosely given […] Minimizing the trust in other systems can increase the security of your application,” wrote US’s Cybersecurity & Infrastructure Security Agency (CISA) in a document published almost two decades ago.
Those words still ring true. Today, trust is a major component in the relationship between customers and vendors when it comes to cybersecurity. Certifications are meant to provide an extra layer of trust in a landscape of digital insecurity, positioning those who hold them as partners that can be depended on.
“Companies who haven’t [been certified] and then do change their whole organizational processes. Certifications allow them to address vulnerabilities that arise in order to comply with those certifications. It kick-starts an attitude to get better,” Roberto Lemaître, a cybersec lawyer and academic from Costa Rica, explained to NSAM in an interview.
The reality of certifications and the relationships they foster is more complicated than that, however. Certifications are treated as seals of approval; a one-time checkmark that allows customers to identify who can be trusted. In reality, though, cybersecurity certifications require an ongoing effort. Said another way: they’re not a status that remains, but a process that keeps moving.
“If you don’t activate scans and the certifications themselves don’t turn into an actionable cybersecurity plan, then they aren’t worth much. It’s an ongoing process,” explained Guillermo Mendoza, Director of Risk and Political Analysis at Mexican consulting firm Ansley.
The latter can be a source of trouble in a customer-vendor relationship. The fact is that a customer can’t be entirely sure about the current level of cybersecurity protection at its partner. Not without checking themselves.
This requires agreements that, although necessary, might cause friction between both parties.
“You need agreements in which you can, with your own resources, certify the level of security of those systems. It’s complicated, but necessary,” said Mendoza. “You can’t launch a scanning program to verify that your provider has secure systems. What’s that about? It would be like attacking them.”
Though there’s a growing awareness of the importance of cybersecurity transparency, companies remain cautious about what sort of information they share. In a recent survey by PwC Mexico, even when most companies agreed that transparency is required to improve cybersecurity, 67% of respondents expressed fears of losing their competitive edge if they shared cybersec data publicly.
A broader survey done by PwC as part of its most recent Digital Trust Report shows that very few companies (10%) are confident about their capabilities to properly comply with cybersecurity transparency regulations in Europe and the US. Of the over 3,500 executives surveyed globally, 63% said they weren’t confident about their company’s capabilities to provide information about third-party cybersecurity risk management.
A Growing Concern in the Nearshore
As US, Canadian and even European companies show greater interest in outsourcing operations in the Nearshore, the concerns over partners in the territory complying with international cybersecurity standards increase.
Industry sources have told NSAM that, while providers of outsourced services tend to remain on the margins of environmental, social and governance (ESG) compliance due to a lack of pressure by clients, cybersecurity is another story. Customers are growing more demanding by the day and expect vendors to be as secure as possible to avoid trouble in their home turf.
Private companies are not the only interested parties. The US government is pushing for stronger cybersecurity infrastructure in the region. The topic was a major part of the State Department’s agenda for digital transformation in the region, as well as USAID’s regional support program. The White House included it also in its conversations with Mexican authorities within the High-Level Economic Dialogue and the High-Level Security Dialogue.
Building up capabilities will require efforts from both sides of the aisle, though. Latin American experts have described the region’s cybersecurity regulations as “toothless”, pointing to laws that define cybersec crimes without imposing effective incentives for compliance.
The international nature of cyberattacks makes matters worse. An attack could be launched from Eastern Europe, targeting operations in Costa Rica from a US company that holds data from European clients. In that scenario, enforcement targets not the attackers, but the companies responsible for the data.
In short: there’s a long way to go before customers can trust blindly in the cybersecurity credentials of their partners, Nearshore or otherwise.