Costa Rica is at a war. A cyber war. Such were the words of the country’s newly elected president, Rodrigo Chaves, who faces a tough choice during his first month in office: pay a US$20 million ransom to a group of cybercriminals or endure the consequences of a ransomware attack that hit almost 30 government institutions at a federal, state and municipal level; consequences which might include, according to the culprits, the fall of the government itself.
Costa Rica isn’t the first country to be critically hit by cybercrime, and trends indicate that it won’t be the last. The health services infrastructure of Ireland and Greenland were recently compromised. In november 2019, Mexican state-owned oil company Pemex reported a ransomware attack that forced it to shut down its computer systems. In May 2021, a ransomware attack against Colonial Pipeline cost the company millions in losses and caused fuel shortages all over the southeastern US.
A combination of rising criminal activity in the digital space and a shortage of specialized talent in the area of cybersecurity has put companies’ and governments’ backs against the wall, forcing them to outsource the protection of their computer systems. Still, coming by a cybersecurity engineer in one’s own country aint’ easy. Thus, some organizations are searching abroad for shielding.
“There are two types of organizations: the ones that have been breached and the ones that don’t know it yet”–Jorge Hernández
This development has given rise to cybersecurity as an exportable service. Firms such as TagSec Group (Mexico) and Netdata Networks (Colombia) are cashing big on the rising international demand. Netdata’s CEO, José Cabello, told Forbes that his company expects sales to double year-over-year in 2022 thanks to the export of cybersecurity solutions to the US, Chile, Costa Rica, Guatemala and El Salvador.
TagSec’s general director, Jorge Hernández, also expects 2022 to be a great year for business. The firm has successfully exported its services to South Korea, providing cibersecurity to industrial plants in the US, China and Mexico belonging to companies such as LG and Samsung.
How Many Engineers Do We Need?
The shortage of engineers specialized in cybersecurity remains the main driver behind the outsourcing and importation of the service by companies and governments.
In spite of an influx of about 700,000 cybersecurity professionals in 2021, the International Information System Security Certification Consortium (ISC2) still reported a workforce gap in the industry. About two-thirds of the organizations surveyed by the ISC2 expressed concern over cybersecurity staffing shortages, underlining how rapidly supply is being outpaced by demand.
“One of the challenges for the industry on a global level is that there are not enough people with the specialized knowledge required to provide cyber-protection to organizations,” said Jorge Hernández. “That goes for in-house operations in companies and for cybersecurity engineers in general; the shortage is worldwide. And we’ll be needing lots and lots of specialized engineers to protect all of these organizations.”
Pressured by the unavailability of talent and the heavy burden of shielding every potential attack vector, organizations prefer to shop for protection outside instead of depending on an inhouse team.
“Assuming you have the budget and the resourcing for it, I think you sort of need that approach. The influx of threats, whether its phone lines being bombarded or servers being attacked or phishing coming in through email, I think you sort of need that full picture,” said Dennis Gotto director of IT Quality Assurance & Process Improvement at the Boston Children’s Hospital. “Unless you’re gonna hire an entire IT department of a 100 people that are dedicated to cybersecurity, you’re gonna probably have to rely on this vendors of automated cybersecurity solutions.”
For companies that feel vulnerable, casting their sights abroad is becoming a common trend, and there’s a growing preference for Latin American talent due to time zone compatibility with North America, added Gotto.
“Unless you’re gonna hire an entire IT department of a 100 people that are dedicated to cybersecurity, you’re gonna probably have to rely on this vendors of automated cybersecurity solutions”–Dennis Gotto
Talent is scarce in Latin America’s too, though. The cyber attack on Costa Rica and recent hits against other countries’ critical infrastructure underlined the absence of robust digital barriers in the region, where experts point to the urgent need for the development of specialized cybcersucirity engineers.
“There’s great cybersec in the area; the deficit can only be fixed with more opportunities, more options to grow and learn,” commented Salomón Ocon, CEO at Costa Rica’s GBT Techonolgies. “There’s no time, though. In the meantime, outsourcing is an option. Cybersecurity is urgent in our region [Latin America and the Caribbean].”
Cybercrime is a Business, and Business is Good
Crime never sleeps, and cybercriminals seem to have been particularly active in the last couple years. Verizon’s latest report on cyber attacks shows that ransomware attacks in the US increased by 13% in a single year, a leap that surpasses that of the last 5 years combined.
The migration to remote work and the digital transformation that’s underway for organizations all over the world multiplied the workload for firms like TagSec, said Jorge Hernández. It’s open season for cybercriminals, who are getting craftier in their methods and more aggressive in their pursuits.
“The cybercrime business grows day by day, and this is only the beginning. They [cybercriminals] are innovating more and more, because they have access to so many resources,” said Hernández. “What we’ve seen in Mexico and other countries is that there are two types of organizations: the ones that have been breached and the ones that don’t know it yet.”
It’s no surprise then that some organizations are shopping offshore for cybersecurity. Then again, it’s not always that easy. Like it happens with the export of other digital services, regulations can make it difficult to pay for a service even outside of one’s own locality.
“We’re restricted to accounting practices within the province,” said Peter Holowka, VP of the Vancouver Chapter of Canada’s CIO Association. “We’re OK with hiring someone who might be in the same province, but outside of that province, the taxing gets a little more complicated. Unless we absolutely have to, we’re gonna hire internally.”
Governments are willing to catch up, nonetheless. The World Trade Organization (WTO) reported that its Joint Initiative on E-commerce found common ground earlier this year in their negotiatons on digital trade, which include provisions for cybersecurity. In December 2021, Singapore and the UK signed an agreement that focuses on cybersecurity and other matters pertaining to the trade of digital services.