



Maturing information security in Mexico

Aug 12, 2013 · 4 mins
Cybercrime, Network Security

Besides great puerco pibil and greater tequila, I’ve found alarming norms in information security during my visits to Mexico. Public and private sector organizations were substantially behind in information security, even when compared to other emerging markets throughout Latin America.

I just returned from Mexico City and was pleasantly surprised to find much more strategic visions relating to information security and the alignment of that vision with the business.  The puerco pibil and Agave Dos Mil tequila remain awesome.

The Good

Mexico is an emerging market and often juxtaposed with other countries experiencing growth in Latin America like Colombia and Brazil. Mexico has a lot going for it. Mexico is the 11th largest country in the world by population with over 116 million people. It has about a trillion in gross domestic product; it is ranked as the 13th largest economy. Under the “new” Mexican government, led by President Enrique Peña Nieto, industries including finance, manufacturing, and telecommunication as well as emerging industries like solar, biotech and aerospace are all experiencing growth.

The Bad

Many Mexican organizations are extremely behind when it comes to information security. A lack of resources, training and awareness has created an environment where malware and hacking are commonplace and mitigation of such attacks is measured in months if discovered at all. Piracy and intellectual property theft make it unattractive for many businesses. Many organizations would respond by saying, “Even if we knew what was happening, we don’t really have the resources to do anything.” Fortunately that appears to be changing.

The Maturing

Many folks working in organizations in Mexico, like pretty much the rest of the world, get it. They know there is bad stuff on the wire. They understand the risks and are aware of the impact nefarious cyber activity can cause from external and internal attackers alike. But the fundamental change seems to be that the folks managing systems, reading about exploits and desperately trying to stay ahead of the bad guys – you know, the techies that make stuff go – are not the only ones aware anymore. Executives and other economic decision makers are taking notice.

Driving security from the bottom up is a difficult proposition and usually yields very little appreciation from those managing budgets based on business priorities, not based on stopping bad things that may or may not happen. But when C-level executives take notice and “get” that a breach of a sensitive database, loss of intellectual property, and downtime because of various malware can have a dramatic impact on the business, things change, strategies are formed, and alliances are made between the techies and the C-levels – often over some of the aforementioned tequila shots. This is exactly what I’m seeing in several public and private sector organizations throughout Mexico.

Observations across a maturing Mexico

Here are a few key observations that I took away from my meetings in Mexico.

  • The title of CISO or CSO is becoming more common and the individuals with this title have real power and real budgets
  • Buying decisions are not driven by threats, gloom and doom, but rather by solutions needed to secure current and future business needs
  • Risk is risk – regardless of it being a cyber threat or not, and from a business perspective risk mitigation should be prioritized, managed and budgeted accordingly
  • Disparate technical solutions living in silos are becoming the exception
  • Integration – a unification of prevention, detection, prioritization and response – is becoming more common
  • Security folks are sitting with business folks more frequently and planning longer-term efforts instead of always fighting tactical fires
  • Security is perceived as a service to the rest of the organization, one that is necessary to the success of new projects
  • A reliance on prevention is giving way to an understood need to reduce the amount of time and resources it takes to detect malicious activity that has bypassed preventative controls and, once detected, mitigate the threat
  • Executives are wanting to include security within their business decision making process; solutions that don’t provide any outputs like reports and dashboards that are useful and usable by executives will eventually lose visibility and likely be discounted and deemed unnecessary

I’m curious to know if anyone else is seeing this rise in information security maturity in Mexico. Perhaps you are seeing the complete inverse and my meetings were anomalies. In any event, I would like to know your experience.


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.