86% of Spanish companies lack a cybersecurity culture

Vicente Moret explains in Confilegal that the new Royal Decree that implements RD-Law 12/2018 "may be the missing piece that obliged companies to adopt a large number of internal organisational measures".

The cybersecurity culture of companies in Spain lacks maturity: 86% consider that it does not exist or should be improved.

This study, carried out in 50 organisations nationwide through interviews with experts, surveys of cybersecurity managers and research, aims to respond to the current paradigm of cybersecurity culture within organisations.

Vicente Moret believes that "there are several reasons why companies are still not putting cybersecurity at the top of their agenda. The first is the speed with which digital transformation is happening across the board".

At the same time, he believes that "another factor to consider is that we cannot speak in general of a lack of cybersecurity culture in companies. There are sectors such as the financial sector in which there is a perception and prioritisation of these issues".

In his opinion, "in terms of the framework of regulatory compliance in this area, this is still low in some sectors identified as strategic, despite the fact that for two years now there has been an applicable regulation, Royal Decree-Law 12/2018".

"Therefore, there is still no urgent perception of compliance in this area, unlike what is happening in the area of data".

Moret believes that "it is possible that this lack of risk perception on the part of companies is due to the fact that there has not yet been any sanctioning activity by the Administration in this area that has been deployed with the same intensity as in the area of data".

This expert stresses that this Tuesday a regulation was published in the BOE that could mark a turning point in this matter, since the new Royal Decree implementing RD-Law 12/2018 "may be the missing piece for obligated companies to have to take a lot of internal organisational measures".

As for how to convince companies to increase their cybersecurity budget, now 9% of the total, this expert points out that "I don't think it's a question of convincing, but of observing the reality of the times we live in".

He believes that "digital reality is imposing itself and this is a wonderful reality that is going to bring us a great explosion of talent, new jobs and, in general, economic activity that we as a country must make the most of".

This expert believes that "the flip side of this reality is the need to take the cybersecurity of networks and systems seriously, especially in the context of a pandemic with teleworking as a protagonist".

Moret believes that "the possible consequences for companies and their managers of negligent management of these risks, which can lead to serious economic losses, reputational consequences or administrative or civil liabilities, should be pointed out".

For this jurist, "the three basic pillars of cybersecurity, in its defence in depth version, have been defined by the EU in its latest regulatory standards. Cybersecurity is made up of three elements: technology, people and processes".

"Therefore, people are essential, because in many cases it is not the technology that fails, but the human element," he warns.

In his opinion, "this must be taken into account, because if we spend on technology but do not train and do not develop internal regulations, strategies, policies and protocol, we will continue to assume many risks, especially large companies that have already been designated as operators of essential services or that are digital service providers".

Vicente Moret believes that "building a strong cybersecurity culture within the enterprise must be a combination of training, internal standards and policies, tailored to the enterprise itself. These elements must be developed in such a way that the company is protected as far as possible and according to its activity," he says.

The full article can be read in Confilegal.