Latin America. Responsibility for cybersecurity and data resilience no longer rests solely with Chief Information Security Officers (CISOs), according to Dmitri Zaroubine, Veeam's Director of Systems Engineering for Latin America.
New European Union regulations, such as the Network and Information Systems Security Directive (NIS2) and the Digital Operational Resilience Act (DORA), are changing the practices of Latin American companies with business relationships in Europe. "Laws such as NIS2 and DORA prioritize corporate responsibility, including the entire management team," says Zaroubine.
According to the specialist, "it is important that Boards of Directors are properly trained collectively on cyber threats, as they face responsibility for any cybersecurity incident that occurs under their supervision." These regulations contemplate the possibility of fines for both organizations and executives, individually, in case of non-compliance.
Zaroubine warns that while there is awareness of corporate responsibility, "senior executives are not acting quickly enough to catch up." He stresses that cybersecurity "has become a vital business outcome, as important as any commercial aspect, so naturally it should be the competence of senior management."
To adapt, he recommends that "every executive fully understand their responsibilities in this new era of corporate responsibility, and demonstrate that their organization's incident response plans work in the real world, through consistent and rigorous scenario testing."
NIS2 and DORA don't require executives to become cybersecurity experts, but they do require them to master their incident response plans. According to Zaroubine, this will allow "identifying and addressing the organization's weak points, either with new processes or by incorporating new external skills into its workforce."
The executive recalls that the threat landscape is constantly changing, so "taking advantage of the demands of these regulations as an opportunity not only to comply with the requirements, but to develop a truly security-conscious and data-resilient culture" is key. He concludes: "You can comply with regulations to the maximum, but it is impossible to achieve 100% security if you do not have data resilience and other security measures, such as backups."