# Cybersecurity, a cornerstone of business: investment, trust, and control at the heart of the strategy

In an increasingly unstable environment, where artificial intelligence is advancing at the same pace as digital threats, cybersecurity faces a fundamental challenge: it is no longer enough to do things well — failure is not an option. The rules are changing, the players are becoming more sophisticated, and the game remains deeply unequal.

Speaking at the Wake Up Spain! business forum organised by El Español, Invertia and Disruptores, Juan Luis García Rambla, Lead for Business Development in Cybersecurity & Defence at Izertis, analysed the ongoing battle between attackers and defenders, questioned the true significance of the human factor, and highlighted emerging risks, ranging from supply chain vulnerabilities to the unregulated use of AI, positioning cybersecurity as a critical asset for business continuity and trust.

 

With AI expanding rapidly, how would you describe the current balance between the offensive capabilities of cyberattacks and companies’ defence systems? Is there really a gap that favours attackers?

At Izertis, we believe that it is not so much that we are lagging behind, but rather that we are facing an uneven battle. We cannot afford to lose a single battle, whereas our opponents need only win one; that is what is so distressing.

AI is a new factor in play. It’s a new frontier for us to explore, where we need to know what we’re up against and where the rules aren’t all laid out on the table. We use it, but sometimes without the necessary awareness. There’s Shadow AI, or the uncontrolled use of agents. Without awareness, we are bound to lose yet another battle.

However, we know that if we play our cards right, we have an asset that will work in our favour. AI is one of the strategic pillars at Izertis; we were the first consultancy in Spain to be certified to ISO 42001.

Within our cybersecurity division we understand the need to use it, but also to protect it and to help ensure it is used responsibly. We have a peculiar dual relationship with it.

Moreover, this is not unfamiliar ground for us, as we have already gone through a similar journey with other disruptive technologies in the past.

 

When we talk about cybersecurity risks, where does the real critical issue lie today: in external threats or internal vulnerabilities? Does the human factor still play a decisive role?

Given the progress and leap forward that has been made in the implementation of security measures, the main risk lies in failing to adhere to our own standards and underestimating our adversaries’ capabilities.

The user has had their privileges revoked; we have provided them with orchestration tools to prevent their unwitting actions from causing significant disruption by acting as a conduit for a threat.

However, not all staff within an organisation may have the same requirements. We will probably have to start looking for a different kind of culprit, as the average user today has only a limited impact when a cyber threat arises as a result of their actions.

It is likely that the focus of attacks on more mature organisations has shifted towards supply chain attacks.

However, that chain is not given the importance it deserves.

 

Has cybersecurity ceased to be seen as an expense and become a strategic business asset? What should be the key elements of an effective strategy in this area?

Cybersecurity should be seen as a business enabler. When we talk about investment in cybersecurity, what we project is confidence; we convey a sense of being in control of the situation and the ability to respond appropriately… Ultimately, these are a series of factors that are not only required by regulations, but also expected by the various stakeholders with whom we interact.

A modern strategy must be understood in three contexts. The first is about who we are as a company. What we do, what we ought to do, and what is expected of us. The second is external in nature: our customers, our suppliers and the authorities. The third, and the one that is often overlooked, is that of the adversary. We must not ignore them.

The less we know about one of our assets, the more attention we should pay to it

We need to understand their stance towards us and be aware that they will exploit any loopholes.

Even when it comes to recent developments such as AI, which we mentioned at the start.

Perhaps even more so there, due to a lack of familiarity with how to use it.

 

Given the current threat landscape, are companies allocating the necessary resources to protect themselves, or is there still room for improvement in terms of investment in cybersecurity?

There are companies that have reached a point of equilibrium, where the cost of implementing further security measures would not justify the risk, which is already minimal. Their aim is to keep track of developments and stay up to date in every respect.

But that is not usually the case. There is still no complete conviction that it is necessary. In many cases, investment is still driven by a desire to comply with regulations, but this simply demonstrates a tendency to cut corners, and this creates fertile ground for opponents. Meeting the minimum requirements means we are giving our opponent the ability to dominate any battle we play against them.

 

How should we interpret the European regulatory framework on cybersecurity, given regulations such as DORA, NIS2 and the GDPR? Is it a necessary impulse or a reflection of previous shortcomings?

They’re important, and they might be running late. But overall, they demonstrate the sector’s potential failure by having to impose a series of requirements and measures to be taken into account, without realising that this is something any organisation should have done in its own interests.

No one has passed a law stipulating whether it is appropriate or necessary to install doors, alarms or secure locks in homes… so why do we need it when it comes to technology?

 

If you had to give a single piece of advice to a CEO in this context, what would be the key to successfully tackling the challenge of cybersecurity within their organisation?

Technology is our ally, and we shouldn’t dismiss any system, such as the AI system we have on the board. But we must do so thoughtfully.

Banning AI out of fear is not the way forward, as it is easy to bypass barriers and use it without control or outside the organisation.

We must understand it, implement it and use it with the respect that any new development in our lives deserves.
