For a 140-year-old business, Inversiones Centroamericanas SA (ICASA) is very much focused on the future. In fact, it is focused relentlessly on innovation across every line of business—from packaging, real estate and retail to producing the beverage products for which it's best known. In many cases, it is CIO Victor Sagastume and his IT team leading these efforts: making digital transformation a reality while staying true to the organization's values of respect, passion, integrity and sustainability.
But that progress is not without risks. With about 20,000 employees, scores of well-known brands and operations in dozens of countries, the Guatemalan conglomerate could be a tempting target for threat actors. That's one of the reasons why cybersecurity and business continuity are a major priority for Sagastume and the ICASA board.
"Because of the threat landscape in the region and around the world, the board is concerned about what happens when a company comes under attack," said Sagastume. "The owners are seeing companies similar to ours suffer."
With this concern in mind, Sagastume values a long-running partnership with Verizon’s cyber risk management division that helps protect ICASA from potential cyber threats.
Digital innovation amplifies cyber risk
Like many organizations of its size, ICASA has a large attack surface at which would-be adversaries can take aim. And thanks to new digital investments, that attack surface is growing all the time—leading to multiple evolving security challenges.
"We're generating new services and new interconnections with new clouds and applications," Sagastume explained. "This requires a lot of focus from the cybersecurity team, and actually a lot of learning, because in several cases we're implementing new things we don't yet know how to secure. That's a big challenge."
Operational Technology (OT) presents additional security risks. ICASA relies on OT in its factories and distributed locations to sustain critical operations. The challenge lies in securing these systems, as some use outdated communication protocols, increasing the organization's exposure to risks.
"We're already implementing a big OT project for all lines of business," Sagastume said. "We've been speaking about that in top management’s meetings all year long."
Business continuity and resilience planning are also major challenges and a top priority for Sagastume. To address this, the corporate Vice President, Jose Antonio Castillo, tasked him with establishing a dedicated unit to lead the initiative, with a key focus on reducing post-incident recovery time.
"Threat protection is important, but there are no guarantees [it will be successful]," he explained. "Recovery capacity, on the other hand, is where you can measure improvement. We want to build out this capacity so that we have more trust in the position we'll be in, in the event of an incident. We want to give peace of mind to the board and stockholders . We need to professionalize and train the team so if something happens we can recover in the smoothest way possible."
The company realized that if it didn't have the right level of cybersecurity in place, it couldn't be a functioning business. CRP is a cornerstone of our security strategy and posture.
Victor Sagastume, CIO, ICASA
Bridging the gaps to build a more secure business
To help solve these challenges, ICASA turned to Verizon’s Cyber Risk Programs (CRP). The CRP appealed to ICASA because it brought the objective, data-driven, quantifiable risk analysis the firm needed to create an effective risk-management strategy.
ICASA saw the benefit of a trusted advisory partnership that would help protect the firm’s IT assets, reputation and, importantly, its brand. The program includes cybersecurity analysis and analytics, such as qualitative and quantitative risk management, cloud and application security.
For example, ICASA benefits from customized technical assessments that help identify any gaps in their security program, along with suggested remediations. This process is backed by data and analysis gathered through the annual Verizon Data Breach Investigations Report (DBIR). In addition, CRP’s cyber risk quantification feature leverages artificial intelligence (AI) to translate ICASA’s potential cyber risk exposure into estimated financial impact.
"CRP provides an analysis of cybersecurity infrastructure via a combination of 11 cybersecurity assessments and threat modeling," explained Verizon Associate Director James Chen. "This helps companies like ICASA identify potential cyber security vulnerabilities."
"It's all about helping ICASA proactively focus on what's critical to their organization, where to prioritize remediation and where to focus on putting their money," he added.
Local Verizon partner Sistemas Aplicativos SA (SISAP) has been offering CRPs to customers in Latin America for more than 20 years. "SISAP helps to deliver CRPs with local resources and cultural knowledge, as well as local language skills," explained Verizon Global Account Director Isauro Serrano Luna. "They receive ongoing training in Verizon's processes and quality assurance, which helps make SISAP a valuable partner to deliver CRP in Latin America."
Verizon's Cyber Risk Programs help foster a security-aware culture
Verizon and SISAP have partnered with ICASA for over 23 years, helping the firm improve its cybersecurity strategy through regular assessments and targeted recommendations.
"Through the CRP we evaluate security posture every month. So it's like a personal trainer combined with a personal doctor," Sagastume explained. "It's always evaluating us and saying 'you're good here but need to improve there; add this exercise.' It's like having continuous external health monitoring to help us stay in shape, in cybersecurity terms."
Implementing the recommendations generated through these CRP assessments helps ICASA improve its cyber resilience, even in the face of mounting cyber threats. Critically, the CRP offering is customizable to ICASA's industry, geography and business needs.
"It keeps us going in the right direction and [helps us] to be the best prepared we can be," Sagastume said. "It's also highly customized to our way of doing things—our architecture and industry. It brings cybersecurity best practices from around the world and applies them to our specific environment."
ICASA’s cybersecurity team is dedicated to implementing the program's recommendations. Beyond that, CRP has helped Sagastume elevate the security conversation to other senior leaders. These leaders then work with Sagastume to ensure his team has the support they need throughout the organization.
"The VPs of our corporation are aware of the KPIs we share with them and at what level we're performing. They know when we are deviating and they help us to prioritize," said Sagastume. "We use the analysis generated by CRP to help to build cybersecurity awareness, which impacts the culture inside the company. I've worked in a lot of organizations before, but this one is the most security-aware from a cultural point of view."
It brings cybersecurity best practices from around the world and applies them to our specific environment.
Victor Sagastume, CIO, ICASA
Prioritizing cybersecurity helps enable business growth
With a trusted partner and a continually evolving cyber risk program in place, ICASA's leadership has the peace of mind they need to focus on innovation and business growth.
"The company realized that if it didn't have the right level of cybersecurity in place, it couldn't be a functioning business," Sagastume said. "CRP is a cornerstone of our security strategy and posture. It helps address the majority of issues that we need to take care of."
Going forward, ICASA and Sagastume will benefit from the CRP’s continuous evolution as it keeps pace with the threat landscape trends and developments. "You cannot fall behind, because then you open gaps for the dark side to exploit," Sagastume concluded. "Over the past two decades we've come to trust each other. When we need something, SISAP and Verizon are there for us, and that's really important. In a moment of crisis, you need that kind of trust."
Wireless business internet solutions, including both LTE Backup Internet and LTE Business Internet services, are available within the U.S. on Verizon's 4G LTE network, providing either primary or backup/continuity connections. Compatible LTE-enabled router required (Verizon-provided or Customer-provided). Various data plans available; terms apply.