11월 8, 2022

EP 15 – Navigating a Ransomware Crisis in Latin America

In the spring of 2022, Costa Rica was hit with a series of large-scale, long-lasting ransomware attacks, which wreaked havoc on the government and healthcare system – and paralyzed imports and exports. The ripple effects were far-reaching and the economy was crippled. President Rodrigo Chaves declared a national state of emergency. Trust was shaken. On today’s episode, Vinicio Chaves Alvarado, acting CISO at BAC Credomatic, the Costa Rica-based international bank, talks with host David Puner about being on the frontlines of stabilizing and building back trust. As he puts it, “We are not only cybersecurity professionals – we not only create cybersecurity controls or detect or react to threats. We create trust.”

[00:00:00.160] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

[00:00:23.810] – David Puner
This past spring, Costa Rica was hit with a series of large-scale, long-lasting ransomware attacks which wreaked havoc on the government and healthcare system and paralyzed imports and exports. The ripple effects were far-reaching and the economy was crippled. The President declared a national state of emergency.

[00:00:41.740] – David Puner
What’s inherent to the nature of these attacks? Among other things, velocity. Now, I’m no expert in velocity, but I’m talking about velocity in its high school physics context. Velocity as we know it in the physical world is not just speed, but also the direction an object is headed. In baseball, a pitcher delivers pitches of differing speeds and movements from 60ft six inches away from home plate. They use varying grips and arm angles to deliver the ball. The best pitchers are known to attack batters, and the best batters swing and miss pitches a lot.

[00:01:17.660] – David Puner
In the case of cyber attacks, velocity could have to do with the direction and attacks coming from, and that could be any which way. And as you’ll hear in my conversation with today’s guest Vinicio Chavez Alvarado, who’s the acting CISO for BAC Credomatic, which is an international bank headquartered in Costa Rica, velocity is a familiar professional hazard. And during our talk, he mentions Velocity pretty pointedly, a word that’s fundamental to elementary physics, yet stripped of any predictability when brought into the physics of cyber, which would probably be a good name for a college level elective.

[00:01:56.440] – David Puner
Basic laws of physics don’t apply in the cyber world. So here’s Vinicio Chavez Alvarado talking velocity and about those springtime cyber attacks in Costa Rica and other things that are on his mind as a CISO working in an industry that’s among the leading targets for high velocity cyber attacks.

[00:02:18.790] – David Puner
So we are here today with Vinicio Chavez alvarado. He is the senior cyber security manager at BAC Credomatic. And that role is what is essentially amounts to the CISO at BAC Credomatic. BAC Credomatic is, of course, a large financial institution in Central America. It’s got 20,000 employees, 3.8 million customers, and it operates in seven countries. They are El Salvador, Honduras, Guatemala, Nicaragua, Costa Rica, Panama and the Bahamas. Welcome to Trust Issues. Vinicio, thank you for joining us.

[00:02:55.380] – Vinicio Chavez Alvarado
Thank you very much for having me here. Nice to talk to you.

[00:02:58.710] – David Puner
So we’d love to dig into your role a little bit to start things off. What does your day-to-day job entail and what’s a typical day look like for you, if there is such a thing?

[00:03:09.130] – Vinicio Chavez Alvarado
I always love to do a little bit of exercise in the morning from 5:00 to 7:00 AM. Then I actually like to meditate. I started meditating like a year ago, something like that. For me, it’s interesting because it’s like a moment with me to just close my mind, visualize my day, having the things that I need to be done there in the morning. So I take this little space with me just to meditate.

[00:03:39.360] – Vinicio Chavez Alvarado
Then I just start to look into my agenda. Usually I have the toughest meetings. I have it in the morning, I prefer to do it in the morning. So I jump in different types of meetings with my team. We talk about priorities, we make decisions together and is inside [inaudible 00:03:59] role with my team.

[00:04:02.660] – David Puner
So I should point out that you are located in San Jose, Costa Rica. And what about… Is your team also in San Jose, Costa Rica? Are they divided or scattered across the seven countries that your organization operates in?

[00:04:21.280] – Vinicio Chavez Alvarado
Okay. The core team is here in Costa Rica, but there is people in each country that manage cyber security. The actual meeting that I have on Wednesday is with my core team. Almost everybody is here in San Jose, Costa Rica. And you say almost everybody, but there is a couple of person that during the pandemic, they asked to live to the hometown and they’re living right now like 4 hours from San Jose. But the rest of the team is here in Costa Rica and also in San Jose, Costa Rica.

[00:04:58.050] – David Puner
How big is the team and how big is the core team?

[00:05:00.600] – Vinicio Chavez Alvarado
I think we’re like 28 people.

[00:05:03.900] – David Puner
Is it safe to say that in your world, there is no typical day as far as what may be suddenly high priority?

[00:05:12.580] – Vinicio Chavez Alvarado
Basically, we are in charge of everything that has to be done with cybersecurity. We manage all the different types of tools, we manage all the different types of cybersecurity process. But we also have a really important responsibility. We review every single business initiative or process that needs to be put to our clients. We review it. We review it in a way that we enable the business by identify risk and manage those risks.

[00:05:47.410] – Vinicio Chavez Alvarado
Prior, they’re going into the production environment or prior, they’re going to offer some new functionability to our clients’ retail or businesses outside BAC. And this is really important because it enable us to detect, mitigate risk prior to these businesses or processes put into the general public.

[00:06:15.450] – David Puner
How is identity security a business accelerator?

[00:06:18.940] – Vinicio Chavez Alvarado
We believe that identity is the core of our cybersecurity strategy. So basically we start a couple of years ago trying to develop an identity strategy that is around to the protection of the identity to enable not only cybersecurity practice, but business itself.

[00:06:43.590] – Vinicio Chavez Alvarado
We design every new process, every new business opportunity with the idea to protect the identity of our clients or ourselves, the internal people from BAC and to have different types of layers to protect the identity itself. So we put it right in the center of our cybersecurity strategy from the scratch of the designs of the different solutions that we offer to our clients.

[00:07:12.790] – David Puner
And is there some notable example you can think of from recently or not so recently where identity security has helped shape a solution, or how you go to market with a solution.

[00:07:25.720] – Vinicio Chavez Alvarado
We create like a process. When new technology is add to our environment, all the privilege accounts that is created in the [inaudible 00:07:39] are detected and protected with cyber implementation. And from day one they’re born protected.

[00:07:49.600] – David Puner
And how long has that mindset been in place?

[00:07:52.990] – Vinicio Chavez Alvarado
Like three or four years ago, that we start working differently.

[00:07:57.700] – David Puner
And was there a notable moment where everything changed?

[00:08:02.350] – Vinicio Chavez Alvarado
I think it’s [inaudible 00:08:03] like a maturity process. The maturity process definitely was a changed state of mind that happened not only within cybersecurity, but also within IT and business people. We were able to change the standard mind of people. They were thinking about cybersecurity, protecting the business, creating more secure environment, a secure process, not for ourselves, but also for our client. And that really is a game changer, because when you change the mind of the people and they start to think like cybersecurity people or collaborators, you change something and that’s really powerful.

[00:08:54.030] – David Puner
It’s interesting that you mentioned that you’ve been with BAC Credomatic for a while. How long has it been?

[00:09:03.220] – Vinicio Chavez Alvarado
Fifteen wonderful years.

[00:09:05.360] – David Puner
Okay. So to then look at where things were 15 years ago and then evolved over time, how have things changed, how has that mindset changed?

[00:09:15.700] – Vinicio Chavez Alvarado
That’s changed a lot. Yes, actually good question. So basically I was asked to join the team as a compliance officer. And one of the main responsibilities back then is to help BAC accomplish PCI DSS certification for all the countries. So basically back then, that’s the job that we need to do. But in order to do it, we have to start looking to comply with the 12 requirements that the PCI DSS needs.

[00:09:50.640] – Vinicio Chavez Alvarado
But in that process we start to see that we need to standardize process technology and work together with the people of the different countries in order to standardize everything that we need to accomplish PCI DSS. So we start like a junior. There is one single point that changed cybersecurity and this is the point, that when we start to work to accomplish PCI DSS cybersecurity, not because we have to comply, but because of how we did it.

[00:10:27.030] – Vinicio Chavez Alvarado
And how we did it is we start to look of the requirements and we were not only able to comply with the requirement, but we were able to adopt some of the cybersecurity practices that actually is in the standard and we adopted a standardized process.

[00:10:47.340] – Vinicio Chavez Alvarado
So for example, there is a requirement that talks about antivirus and how antivirus need to be configured. So basically what we do, for example, we check the antivirus implementation back then, we standardized the solution, we standardize the policies that we need in every single country. Back then, we have different types of consult in every single country. We don’t do that anymore. We standardize everything.

[00:11:15.150] – Vinicio Chavez Alvarado
When there is a need to change that policy because there is a new requirement or there is a new threat or there is a new risk that needs to be mitigated. We change the policy, but we do not deploy the changes only to the requirement that need to be done. For example, Costa Rica needs to do something because of the requirement. So we changed the policy because Costa Rica asks us that they need to change the policy, but we deploy to the seven different countries.

[00:11:48.860] – Vinicio Chavez Alvarado
This is just an example because this enable us to mature in a standardized way. And when anybody needs something, and this is meaning from Costa Rica, Guatemala, or whatever, we start to look how to accomplish their requirement and how to level up the cybersecurity maturity that we have and deploy for every single country.

[00:12:14.140] – David Puner
Last spring, Costa Rica was hit with widespread ransomware attacks. They were so bad that the president declared a national state of emergency. As both a Costa Rican citizen and a security professional based in Costa Rica, what would you say the general feeling is about that whole experience?

[00:12:34.310] – Vinicio Chavez Alvarado
I say to my people that we are not only a cybersecurity professional, we are not only create cybersecurity controls, or we are not only detect events and react to threat. We create trust. That’s actually our job. We create trust, and we enable that trust into our businesses in order today, our clients trust us. That is an actual job. It’s not implementing some cybersecurity control. We still need to do it, but we enable trust.

[00:13:18.160] – Vinicio Chavez Alvarado
And saying that replying to your question, is you asked me, how is the feeling here in Costa Rica? I think we lost a little bit of trust, and we are worried that people are worried about their information, about their jobs, about anything that had to be affected because of the cybersecurity event.

[00:13:42.870] – David Puner
And you’re not just saying that because you’re on the Trust Issues podcast. This is for real?

[00:13:47.890] – Vinicio Chavez Alvarado
No, this is my actual verbiage. You can ask anybody in my team. I think I say this like a couple of times in the month because I always see that we are technical people, right? We manage cybersecurity control. We understand technology and whatever. In some part of the role I think we forgot, just remember we enabled trust. Just remember that phrase when you try to implement some cybersecurity control, because if you remember that we enable trust and you create a cybersecurity control that is not trustworthy, you’re not doing the job right.

[00:14:29.310] – David Puner
So a lot has been said of digital acceleration and how financial institutions are changing to deliver better experiences. Are there any interesting recent examples or trends you’re seeing? And what experiences do customers want? And how is BAC Credomatic transforming itself to deliver them?

[00:14:50.170] – Vinicio Chavez Alvarado
Okay, excellent question. Have different type of answers. After the pandemic, we see a lot of businesses. I’m not talking about BAC. I’m just talking about businesses in general, the Pandemic just start this process, this acceleration process. But we see as communities and countries and businesses, we see the benefits, a global digital transformation in all the different countries. And this is going to be accelerated because we see the benefits that we can have in order to change the process that we do in different types of country process, and digital transformation can enable us to do it.

[00:15:32.680] – Vinicio Chavez Alvarado
So basically, I see a change there because as I already mentioned it, if you want to change the process in a digital way, you have to put trust in the core of that digital process. If you want somebody that is 90 years old, for example, change a transaction that’s typically being done, and I’m not talking about financial transactions, just a process that is typically being done physically, you want that person to change to a digital process. Trust need to be in the heart of that process.

[00:16:18.360] – David Puner
The consumers also want ease of use. So how do you balance security and trust and usability when delivering innovative digital experiences to your customers?

[00:16:28.540] – Vinicio Chavez Alvarado
That is actually the other important step that we learned during the process. If you think of cybersecurity controls as a lot of questions, password or whatever, and the more the better, you’re thinking wrong. We learned that a clean cybersecurity strategy is easy to use for the people. It’s seamlessly for them.

[00:16:56.680] – Vinicio Chavez Alvarado
So basically there are technologies right now that you can enable in implementing different types of control, but not putting all the heavy work to the user; tokens, more password, no, no, no. You can enable different types of cybersecurity control using intelligence and using machine learning. This type of technology that is up there right now, you can put that into your validation process, into your authentication process, and you are implementing heavily secure practices, but a seamlessly and UX experience for the user that is really, really good.

[00:17:44.400] – David Puner
As a CISO, what’s your biggest ongoing challenge?

[00:17:49.540] – Vinicio Chavez Alvarado
I will say that the velocity that we are facing, threats and change are one of the biggest challenge that we face. We are seeing more and more advanced and complicated threats out there. So velocity is one of the core enemies that we face. So we need to change also our minds, because all our legacy processes that we might have, that might have used in the past that might be working properly, we need to change that. We see also the need for more cybersecurity professionals.

[00:18:33.570] – David Puner
Is there something that you’re doing now in order to address that?

[00:18:37.860] – Vinicio Chavez Alvarado
So we do different types of process to level up internally. We require that everybody takes several different types of certifications. But more importantly, I truly believe that we need people that is online with the idea what we do is important.

[00:18:59.290] – David Puner
There’s no lack of things on your plate, is there Vinicio, really appreciate you coming down to the podcast and taking the time to speak with us amid your super busy schedule with lots of things going on. And I will say that I would love to do a part two of this interview at some point down the road, and I’d like to do it in San Jose, Costa Rica, so I will come to you.

[00:19:20.660] – Vinicio Chavez Alvarado
Great. Great. It will be a pleasure having you here.

[00:19:35.290] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment, preferably, but it’s up to you or an episode suggestion, please drop us an email at [email protected] and make sure you’re following us wherever you listen to podcasts.