Román Ramírez is very well known in the world of cybersecurity in Spain. The founder of RootedCon, the most important security event in Spain, and with over 20 years of experience in the sector, he has been Manager of Operations and Security Architecture at Ferrovial for ten years. In this company his role is to manage security operations at a corporate level, as well as to manage security for projects and new developments within the organization. We have arranged to talk to him about corporate cybersecurity in large and small companies, cyber-resilience, and cyberattack trends, among other things.
–Do Spanish companies do enough to protect their cybersecurity?
–It’s a complicated question. An IBEX 35 company whose main line of business is related to the financial sector will, of course, have more adequate protections for their assets and a much higher level of cybersecurity. On the other hand, a one-person SME in the construction industry is likely to be on the other end of the scale. In general, companies have the level of cybersecurity that they themselves have planned (that is, that they’ve decided on), though there are areas where, for reasons of cost or culture, there is a lot of room for improvement.
–Is there at least a bit more awareness of cybersecurity?
–Right now, cybersecurity is mainstream. Every day there’s something in the news about it. If that doesn’t make people more aware of cybersecurity issues, what will? In my opinion, awareness training is only effective for people who are already up to speed; we all know what people are like. If we need to get over an obstacle in order to achieve a goal, that’s what we’ll do. No amount of awareness training is going to change that.
–Do you think that the GDPR will make companies take better care of their cybersecurity? Or will we see a myriad of companies being fined for breaching the regulation?
–I think that it’s easier to comply with the GDPR than it was to comply with the previous LOPD (Ley Orgánica de Protección de Datos de Carácter Personal – the predecessor of the GDPR in Spain). We’re moving towards a more “Anglo-Saxon” model, where you’ll be asked for a posteriori guarantees (with proof). I think this is going to help it to spread. And I do think that, with the growing concern for privacy, we’re definitely going to gain something in several different areas. As for the fines, given how hefty they can be, I have a feeling that they’re going to be very cautious when it comes to handing out sanctions.
–What are some possible weak points that companies may have?
–They’re always the same: people and investment. Cybersecurity in any environment is intricately linked to the level of investment. If you have appropriate investment (economic and human), you’ll have an appropriate level of cybersecurity.
–Is it possible that there is a lack of cyber-resilience?
–I think it’s very possible, and it does in fact happen. You might not let your guard down, and you’re always vigilant for threats… And then you face a situation that’s difficult to manage, and where it is hard to be resilient. The trouble with cybersecurity is that it is an environment where there are no predictable ‘positive’ rules (there are plenty of negative rules: if you don’t invest, I can guarantee you that you’re going to have some serious problems). Investing and properly managing security is no guarantee that nothing is going to happen to you. And if something does happen to you, it’s tricky to anticipate outcomes and consequences.
–For years, companies always had a reactive attitude to attacks. Are they becoming more proactive? Or do they still wait for some kind of catastrophe to befall them before they take action?
–Companies that take security seriously systematically test their assets, infrastructure and staff. With Red team processes, constant revisions, threat modelling… it’s unusual to come across organizations that still think reactively.
–What cyberattack trends do you think are the most worrying these days?
–Where we’re seeing a particular increase is in everything that is less technical and more industrialized: a lot of phishing campaigns, a lot of cryptomining… Despite the consequences that they can have, cryptolockers aren’t the most dangerous thing out there these days. I see the boom in artificial intelligence techniques as something that could enhance the tools used by cybercriminals, which will make defending against their attacks more complex: there’s going to be a lot more automation with even more capacities and abilities.
One thing that I find particularly worrying is that intelligence agencies, where traditionally they were going after bigger targets, have been working on our more mundane level for years now. This is having more and more consequences for businesses, as well as for citizens.
–Imagine you have the boss of an SME with 50 employees in front of you, who says that cybersecurity concerns don’t affect him, since his company isn’t important enough to be attacked by anyone. What would you tell him?
–That he’s living in a parallel universe and riding happy unicorns, and that it might be a good idea for him to analyze whether, in order to avoid feeling the pressure of the investment that his company needs, he isn’t fooling himself and taking biased decisions. Because any incident is enough to lead to a business closing down if negligence can be demonstrated, if there are consequences for third parties, sanctions from regulators, or theft of intellectual property (which means that you can be removed from the company because someone that has copied you can do it cheaper than you can).