Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

South America Adopts Zero-Trust Principles

As cyber threats are at a rapid increase, nations across Latin America work to adopt and implement the strongest cybersecurity strategies.
By Nuray Taylor
South American nations are working to adopt zero-trust principles for a more secure environment. Credit: k-stock.adobe.com generated by AI
South American nations are working to adopt zero-trust principles for a more secure environment. Credit: k-stock.adobe.com generated by AI

While the U.S. Department of Defense (DOD) works to meet its 2027 zero trust cybersecurity framework deadline, South American nations are adopting the concept across their own infrastructures. 

Zero trust, a term coined by Forrester Research analyst John Kindervag, refers to the principle of continuous verification for information access. In general, it promotes high-level data security to mitigate risks of adversarial breaches. The DOD, having released its first zero-trust strategy in 2022, is on track to meet its goal by September 2027, according to the office of the DOD Chief Information Officer.

Meanwhile, nations in South America are adopting the architecture to secure their own data and protect the privacy of their citizens.

According to a 2024 World Bank report on Cybersecurity Economics for Emerging Markets, “Latin America and the Caribbean is the world’s fastest-growing region for disclosed cyber incidents, with a 25% average annual growth rate in the last decade, and it is also the least protected region, with an average cybersecurity score of 10.2 out of 20.”

The growing implementation of zero trust is suggesting a market compound annual growth rate of 17% from 2025 to 2030, according to Horizon Grand View Research. 

To better understand the status of zero-trust implementation across South American public and private sectors, SIGNAL Media spoke with Jose Maria Gomez de la Torre. Gomez is president and chief information security officer at Grupo Radical, a business that offers cybersecurity services through various certifications and procedures.

“Some people don’t like zero trust because of its many controls. But when the attacks come, they say, ‘but I had very good antivirus and firewall,’ but that’s not enough,” he stated. “They are conscientious about the need of something like zero trust.”

Operational since 2000 and with over 200 employees, Grupo Radical also serves clients in Peru, Bolivia, Colombia, Panama and Chile. Most recently, the company has been making efforts to grow its portfolio with new clients in Spain.

In South America, Gomez says, the outlook on cybersecurity has distinct similarities. For most, the financial sector is the most regulated, therefore dealing with the biggest budget. “They must incorporate cybersecurity services,” Gomez said. 

Certain critical infrastructures also have enough means to secure their information, Gomez said, referring to the oil and mining sectors. And while the interest in strengthening cybersecurity is growing across other sectors, budget remains the biggest hurdle. 

Small to medium businesses don’t feel comfortable investing in cybersecurity, Gomez shared. “They need it because they have attacks,” he continued. 

The work starts with awareness and the implementation of policies and procedures. For companies with smaller budgets, Gomez suggests starting by implementing ISO 27001 or NIST CSF 2.0.

That specific standard from the International Organization for Standardization is the “world’s best-known standard for information security management systems,” according the ISO website. 

The National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF 2.0, is split into six key functions: govern, identify, protect, detect, respond and recover.

For further security, however, zero-trust implementation has already played an important role. 

Ecuador’s governmental information security framework, the Esquema Gubernamental de la Seguridad de la Información (EGSI), incorporates zero-trust capabilities and concepts, Gomez stated. 

According to a report by the World Bank, EGSI 2.0 is on track for public institution adoption and implementation. The report states that public agencies are required to submit EGSI 2.0 compliance reports every January. “As of 2020, the great majority were in the range of 70 to 90 percent compliance,” it reads. 

Still, common challenges remain.

“Legacy infrastructure and systems in ministries and local governments,” Gomez said, are an issue. “The full trust within international networks and lack of segmentation” is another.

Firewalls are not enough, he repeated, calling for microsegmentation. “Now it is necessary to have better endpoint control,” he said, referencing advanced detection and response, also known as ADR.

“It’s important to mention the many relevant zero-trust components of Ecuador’s public sector,” Gomez mentioned, following his statement by listing the level of implementation for each component.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Firstly, identity and access management processes are at medium implementation, Gomez suggested. “We recommend enforcing multiple-factor authentication, role-based access controls and centralized single sign-on,” he continued. 

“Another component is network segmentation, [which] I think is still low,” he said. “We suggest applying microsegmentation to protect critical systems and data silos.”

Continuous authentication is also at a low, Gomez said, for which he noted the need for risk-based adaptive authentication and sessions control.

Additionally, endpoint security, which has become more complicated with an increase in remote work since the COVID-19 pandemic, requires strengthening ADR and endpoint posture. This is especially important for government devices, Gomez explained. 

Data governance and data loss prevention are also key in classifying sensitive data. While many institutions have the necessary policies, technology and controls for implementation are vital. 

“Monitoring and response are developing and increasing,” Gomez added. Behavioral analytics are very important for zero-trust implementation, he noted, speaking specifically for Ecuador. 

Similarly, Colombia’s CONPES 3995, the nation’s policy and framework on cybersecurity, emphasizes zero-trust principles and is being implemented in the government of Colombia. “This is very good for us because we have a lot of work there,” Gomez stated.

Argentina also has an emerging market for zero trust, he highlighted. “They are very interested in the services, particularly in fintech and health care ... but there is a lack of strong national cybersecurity,” Gomez said, adding that government adoption of cybersecurity and privacy frameworks remains low. 

“In Peru, the adoption is a little bit slower but growing, especially among regulated sectors [such as] banking and utilities,” he stated. “Many organizations are still transitioning from basic models to better concepts such as zero trust.”

 

Many government and public sector organizations still require external support, however. 

“We need zero trust because internal attacks are growing in the companies,” Gomez said. And that could be unintentional, he added. “There are some employees who don’t know that they are part of a bad gang of attackers or that the computers are part of a zombie network,” he explained. “They don’t know, but they are attacking their own institutions ... and that’s something that we are dealing with.”

Due to challenges like these, most of Gomez’s clients are adopting zero-trust framework policies, he said. Across all South American nations, the financial sector is the closest to full zero-trust implementation, Gomez noted, adding that 80% of cybersecurity attacks are on the financial sector. 

The public sector is also increasingly interested in investing in cybersecurity and zero-trust implementation. Certain agencies, such as defense ministries, have better zero-trust deployment than those like tourism, Gomez added.

However, national agendas are helping smaller institutions meet cybersecurity standards and procedures, he said. “I think in two or three years, they will be fine also.”

For the more vulnerable smaller businesses, however, Gomez suggests it may take four to five years for zero-trust adoption.

While concluding his discussion with SIGNAL Media, Gomez listed recommendations for effective zero-trust adoption across South America. First, start with identity as identity fraud is at a rapid increase. 

Gomez also suggests focusing on sensitive data and defining a protected surface. The use of software-defined perimeters, especially for remote access, is also important. 

Gomez additionally stressed the need for upskilling analysts and information technology staff on zero-trust principles for effective zero-trust adoption.

Comments

The content of this field is kept private and will not be shown publicly.
About text formats

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA