Cybersecurity: Everyone's Responsibility

June 22, 2022
The need for cybersecurity has grown in many industries, such as energy, healthcare, finance, and transportation, in both the private and public sectors. According to the U.S. website cyberseek.org, approximately 700,000 professionals work in this field, but there is a shortage of 300,000 workers.
Roberto Ambrosoni, professor and academic director of the Specialization Diploma in Cybersecurity

In Uruguay, several studies show that companies face challenges in recruiting professionals with specialized expertise in this field; for this reason, the School of Engineering at Universidad ORT Uruguay offers a Specialization Diploma in Cybersecurity as part of its educational program.

In addition, the Cybersecurity Chair aims, through talks with experts and faculty members of the diploma program, to make the subject accessible not only to the industry but also to anyone interested in learning more about it.

The series began with a lecture titled “Threats of the New Normal” by Ethel Kornecki, a faculty member in the diploma program, in which she highlighted the changes brought about by the COVID-19 pandemic, such as connecting remotely and securely.

The second session will focus on Legal and Compliance Risk Management and will take place on June 28 at 7:00 p.m. via Zoom.

To shed some light on these issues, Roberto Ambrosoni, Ph.D., professor of Cybersecurity and academic director of the diploma program, explains what risk management is, why it is important to have professionals trained in this field, and what the risks are of failing to comply with current regulations.

What is risk management?

Risk management, in any organization of any kind, plays a critical role in reducing exposure to potential targeted or untargeted attacks.

I make this point because sometimes incidents aren't caused by a deliberate, premeditated attack from an external source, but rather—for example—by a lack of maintenance on computer equipment; so by not keeping it up to date, I'm actually creating a problem for myself.

Risk management involves reviewing every aspect of the organization to determine what steps need to be taken and what actions need to be implemented to prevent vulnerabilities and avoid incidents.

Should all companies have professionals trained in this area, or does it depend on the size of the organization?

Today, we live in the information age, where everything is available to everyone. Therefore, those who process, safeguard, and handle information most effectively will be more successful in a fair and competitive market.

The thing about information processing technologies in today's world is that they must be able to handle larger volumes of data per unit of time and support a greater number of devices simultaneously—we see this, for example, in a cell phone. As a result, the technological landscape is becoming increasingly ripe for security incidents.

In today's society, it is unthinkable not to prioritize information security management in every aspect of our lives—from our personal use of cell phones and email to higher-level operations in any business, whether small, medium, or large.

What does cybersecurity compliance entail, what is its purpose, and what are the risks of non-compliance?

The goal is for them to comply with both legal and ethical obligations. In other words, it involves a set of actions that an organization must take to meet various requirements. The biggest mistake is to think that when we talk about this, we are referring only to cybersecurity or IT security, but that is just one of the components.

Other factors include, for example, the organization’s legal requirements. In our country, this would involve complying with the provisions of the Personal Data Protection Act; at the national level, it would mean adhering to the Law on Access to Public Information; and combating and preventing money laundering and terrorist financing offenses as defined by current regulations. We also have compliance obligations regarding the safety of people and facilities.

Failure to fulfill all these obligations carries the risk of becoming vulnerable to incidents and falling into legal non-compliance, which can result in fines, penalties, or—more seriously—damage to the organization’s reputation.