2025-12-08T19:12:00+00:00

Lack of Diagnosis Leaves 40% of Companies Without a Clear Corporate Cybersecurity Strategy

A Kaspersky study revealed that 56% of organizations in Latin America lack a regular risk assessment schedule, which hinders the justification of investments and leaves them vulnerable to cyber threats.


A Kaspersky study reveals challenges in corporate cybersecurity investment and strategy in Latin America. The study indicates that 56% of organizations lack a regular risk assessment schedule, highlighting the need for a pragmatic approach based on clear diagnostics to strengthen resilience against cyber threats. An exaggerated perception of protection hinders the justification of investments and the correction of critical weak points.

Daniela Álvarez de Lugo, General Manager for the Northern Latin America Region at Kaspersky, points out that 'many companies advance in cybersecurity almost blindly, without a concrete perception of what their real vulnerabilities are. This lack of systematic practice prevents the identification of hidden vulnerabilities and limits the development of the necessary resilience against the current threat landscape.'

Strategic and Trust Challenges

Another relevant finding indicates that 29% of respondents say they do not have a clear security strategy. Such a strategy should be based on a structured diagnosis of the current security state or on a risk analysis focused on the potential impact of an incident, such as the Factor Analysis of Information Risk (FAIR) methodology. From this diagnosis the security team obtains an objective document that identifies the critical areas requiring improvement and justifies the first investments, defining concrete and measurable benefits. Álvarez de Lugo adds that while budget can be a limiting factor, a pragmatic approach allows each organization to establish the appropriate level of protection, as well as the investment and time required to achieve it. This data reinforces that the difficulty does not lie only in execution, but in the absence of a structured guideline to prioritize resources and define a minimum level of protection.

This lack of discipline in reviewing weaknesses and risks correlates with a disparity between companies' confidence in their digital protection and their actual security level. More than half of the organizations (56%) do not maintain a regular risk assessment schedule, which forces them to act reactively, reviewing their protection measures only after an incident or an external alert. The absence of structured diagnostics and risk assessments creates a critical gap. The executive emphasizes that precise identification of the level of exposure is key to organizing priorities and building a coherent path of improvement.

Pragmatic Approach and Continuous Improvement Cycle

To reverse this situation, Kaspersky recommends that those responsible for digital security adopt a pragmatic approach. According to a recent Kaspersky survey of digital security leaders in the region, deciding on corporate cybersecurity investment represents a significant challenge for 40% of leaders in Latin America. This leads to scattered efforts and decisions that do not always respond to the most urgent needs. Although most companies in the region conduct incident simulations (43% monthly and 38% quarterly), one in five organizations completely lacks this testing routine. 'From small businesses seeking to establish basic controls to large corporations requiring a more sophisticated architecture, all can objectively propose improvements,' she concludes.

Key Recommendations for Effective Investments

To ensure the effectiveness of investments and a constant improvement cycle, Kaspersky suggests the following practices:

• Establish a recurring risk assessment schedule, at least quarterly or semi-annually.
• Conduct attack simulations monthly or quarterly to measure progress and adjust mitigation and incident response actions.
• Define clear risk indicators linked to business continuity plans and operational impact.
• Review policies and controls based on data on new attacks and risks, available through Threat Intelligence services, rather than limiting themselves to compliance criteria.
• Align investments with expected results, prioritizing corrections that reduce exposure and strengthen corporate governance.

Organizations interested in delving deeper into the topic can consult the full CISO 2025 survey report.