What do you learn at an OAS cybersecurity symposium?

How a chance entry in a 2022 cybersecurity competition led to a regional final in Bogotá and a trip to the OAS Cybersecurity Symposium in the Dominican Republic.

Originally published on Fintualist (in Spanish, November 2024). The hero illustration first appeared on that publication and is reproduced here with credit to Fintualist.

In September 2022 I entered a cybersecurity competition in Chile that I didn’t expect to win — I’d barely prepared, and my main motivation for signing up was avoiding something else at university that same day. It was an online competition held in most countries across the Americas and the Caribbean, and in the Chilean edition I was placed on a team with two women I didn’t know. We became friends quickly and worked through the challenges step by step until we ended up in first place. The prizes were a heap of AWS credits and a cybersecurity diploma at USACH — though I never got to use the diploma, because I was finishing university while working full time. There just wasn’t time, and by the time I was free they told me I couldn’t anymore (sad, but nothing to be done).

A year later, in 2023, we met in person in Bogotá facing a bigger challenge: we’d been invited to the regional final of the same competition. That November we gathered at Colombia’s Ministry of Information and Communication Technologies to compete against the winning team from each participating country. I met women interested in cybersecurity from all over the region, and with my friends we won 1st place again.

These competitions, called OAS Cyberwoman Challenge, put women interested in cybersecurity through team-based challenges where you rack up points. In the edition we entered, everything was hosted on Amazon’s cloud and we worked across many different services to advance — there were challenges on cloud security, log analysis, secure code, and blue teaming (the work of a team that defends a company). Each of us on the team brought something different, we complemented each other really well, we had a great time, and in the final we just kept our heads down and kept solving. We were so locked in that we forgot to check the leaderboard: with one hour left we finally looked, realized we were in first, and only then did the nerves kick in (we held first all the way to the end). You can read a bit more about it here.

What did we win? A trip to the OAS Cybersecurity Symposium in 2024.

We came back to Chile full of anticipation: we knew nothing about the symposium and were told the location wasn’t decided yet, so we waited for news. We were nervous it would be in Chile — what a bummer to miss out on visiting a new country, especially since we live in Santiago and everything always happens in Santiago. In July of this year, thankfully, we found out it would be in the Dominican Republic, and that felt wonderful.

Time passed and it was time to leave. We flew out from a cold Chile, with a layover in Panama, on our way to Santo Domingo. As a Chilean who had never traveled to the Caribbean, several things stood out about the Dominican Republic. The most striking was stepping off the plane and hitting a wall of dense, humid heat, then checking the phone to see 34°C feeling like 40. I was also surprised that by default everyone speaks to you in English the moment they realize you’re not local, and that they throw out very explicit catcalls assuming you won’t understand, but oh well. Prices were similar to or higher than in Chile and almost everything was imported, which I imagine is the norm on any island.

Day 1 of the symposium

The symposium ran for two days of really interesting talks, plus a third day dedicated to RICET — a regional initiative on cybersecurity education and training across the Americas and the Caribbean. Day one opened with the welcome and went straight into a great talk on the misuse of generative AI by attackers and terrorist organizations, stressing how important it is to build secure platforms and prevent abuse of new AI models.

Throughout the day there was a lot of discussion on AI’s impact on companies, the need for usage policies, and how risky it is to start using these tools without responsible data governance already in place. The point kept coming back: public, private, and academic sectors have to work together as new technologies — AI, quantum computing — get adopted safely.

Another recurring theme was the need for collaboration within the same industry. If every company in a sector is facing the same challenges, the right move is to set up communication channels to share that information securely and work together, strengthening everyone’s ability to respond to incidents.

Day 1 agenda from the symposium handbook (in Spanish), listing the opening ceremony and morning panels on the rise of generative AI in cyber-defense and on the impact of disruptive technologies in cybersecurity.

Day 1 agenda continued (in Spanish), listing afternoon sessions on responsible adoption of emerging tech, AI bias, the financial-sector ecosystem, and security-by-design.

The day closed with security and privacy by design — the way we build the products and solutions we create. If you’re a startup and you want everything to ship fast and well, adopt infrastructure as code with templates you know are secure, so any developer can spin something new up with all the security layers built in from minute zero. Internally, run programs that reward people who push for security and privacy on their teams, self-regulate when the law isn’t there yet, and aim high to turn it into a competitive advantage. Externally, be transparent about everything to do with data — especially if you’re using AI. There’s a reason Microsoft and GitHub named their AI assistants “copilot”: humans (the “pilots” in Microsoft’s metaphor) are still the ones responsible for decisions made with AI.

Day 2 of the symposium

On day two, Costa Rica’s CSIRT (Computer Security Incident Response Team) presented on the large-scale 2022 attack against the country’s public sector — and how it affected so many people that the State simply ground to a halt. They couldn’t do things like pay out pensions, and across many areas they had to start from scratch, all in the middle of a change of government. They told us they’d lost databases of citizen records and had to rebuild that information from zero, as if those people had never existed digitally. The biggest problem was being unprepared: in every prior cybersecurity incident, the preferred response had been to hide the problem, and as a result the institutions never felt the urgency to update or patch things. The losses were in the millions, but the lessons learned and the preparation that followed are vastly larger — and a detail they highlighted was the international collaboration (they mentioned the United States, Israel, and Spain), proving that security is a team sport and that support networks need to exist when problems show up.

There was also discussion of data and disruptive technologies through a human-rights lens. The misuse of data was a central concern, and the message was clear: organizations have a duty to use data responsibly, especially when feeding AI models that make automated decisions affecting people’s lives. AI models should always be used as guidance — decisions belong to people, without over-trusting the models, owning what goes wrong, and protecting people’s integrity.

Geopolitics took over several discussions on critical infrastructure, cyberwarfare, and quantum computing. That last one I really enjoyed, because a few years ago I worked at two research centers on quantum-computing projects and even attended an IBM Quantum summer school on quantum machine learning. I loved quantum computing, but in Chile there’s no funding for it, so I moved into cybersecurity and drifted from it a bit. In case you’re wondering: quantum computing is a way of computing that exploits the laws of quantum mechanics, and it’s very useful in domains where classical computers aren’t efficient, such as modeling particles and factoring large numbers into their prime factors, among others.

The current landscape for quantum computing has changed dramatically in just a few years: nation-states now want to keep their advances to themselves, and scientific collaboration has been closing up because of it. There’s an obvious risk to all this, known as Q-day: when quantum computers become good enough to decrypt content that wasn’t encrypted with quantum-resistant algorithms. This has been a concern for a while, and NIST has spent the last few years narrowing down a long list of candidate algorithms to settle on a standard (I remember a list of at least twenty; now there are three).

Day 2 agenda from the symposium handbook (in Spanish), listing morning sessions on the Costa Rica ransomware case and on disruptive technologies and human rights.

Day 2 agenda continued (in Spanish), listing afternoon sessions on regional cooperation, disruptive technologies, the closing ceremony, and a guided visit to the fortress of Santo Domingo.

Data bias in financial inclusion

In a talk closer to what we do at Fintual, the topic was financial inclusion and its intersection with AI. It’s well-established that models trained on traditional financial data consistently disadvantage women, because banks and other financial institutions have historically made gender-biased decisions — and the goal is to build AI that’s neutral on this. There were many examples, including the one about Apple Card giving women lower credit limits than men with the same parameters. And financial inclusion isn’t only a gender conversation: there are many small actors (startups and others) who don’t have access to credit or specific financial tools, whether due to historical human bias, sampling bias, or because a bank purchased a model trained on financial data from a context that doesn’t match the country it’s deployed in — among many other reasons.

Cybersecurity in the financial sector

On collaboration in the financial sector specifically, the session covered strategic and international alignment around AI and cybersecurity, and shared the experience of standing up a banking CSIRT in Colombia. The takeaway: better collaboration across actors leads to success in a shared financial ecosystem, and when the banking CSIRT was created, few institutions believed in collaboration — but trust grew, and what had been ad-hoc collaboration (WhatsApp groups, Telegram, email) moved onto a formal, automated, anonymous platform. With that, companies can share malware samples and indicators of compromise with each other, protecting their own and the sector’s reputation, getting to common benefit without adding risk.

Photo at the Fortaleza Ozama in Santo Domingo, with the Dominican flag flying above the stone tower.

It was all great, and to close out the day we visited the Fortaleza Ozama, built by enslaved African and Taíno people in the 16th century when the Spanish wanted protection from English pirates and from French and Portuguese invaders. The history of that fortress from its origins to the last century is brutal, and it was an excellent way to see how digital threats echo physical ones — learning how this place was used for protection, for hiding things, for good and for ill, and how the security it provided could be breached.

Day 3 — RICET

The last day brought a really pleasant surprise. RICET is the regional initiative for cybersecurity education and training, organized by Florida International University together with NIST and the OAS, supporting the work of organizations across the Americas and the Caribbean.

Photo from inside the RICET session: a wide conference hall with attendees seated at tables and a large screen showing the RICET branding at the front.

It was all about how to train and re-train a society in cybersecurity — a field so dynamic that anyone who isn’t keeping up gets left behind — looking at how to help as many people as possible while remembering that time is the scarcest resource. This matters because every organization is only as strong as its weakest contributor, and given the diversity of roles inside any organization, the educational material has to be tailored to each.

There’s a knowledge gap shaped by many factors, and we have to address them all. Cybersecurity isn’t only for nerds: the audience is enormously diverse, and the technical and regulatory language has to be translated into something quick and practical to digest. Do that, and you get a more secure population — and maybe a few more people making the jump into cybersecurity work. On that note, there’s a huge gap in soft skills in cybersecurity that we can’t keep ignoring, and part of that is the fault of today’s educational infrastructure, which can’t keep up with demand. Remember there are even self-taught people in this field — so the standards for both education and hiring need to be excellent.

Another big topic was employment and team-building. One speaker described how the cybersecurity industry has always sold pentesting, or whatever else technical, as the cool thing to do — while overlooking the importance of the executive side and administrative skills. That’s leaving us short on people for fundamental roles like CISO. Cybersecurity practitioners need to be able to talk to a company’s C-level (the CEO, CTO, CPO…), and the C-level needs to talk back, and we have to build the spaces where that happens. Maybe the C-level keeps cybersecurity in mind and aims for a standard or certification, but that’s just the floor — not a place to settle.

My favorite line of the day was: “In Latin America, we all know we have to be careful in dangerous neighborhoods, and we know how to do it — but we don’t apply the same logic online.” That has to change, and we have to find ways to be safe even when there’s no money for it.

What I took away

At this event I realized that the problems I faced working at Global North tech companies are just as relevant in our region. When I worked in Europe, we focused intensely on GDPR compliance (with good reason — there was real concern for users, not just for avoiding fines). Seeing those discussions in our region, contextualized by country, makes me really happy, because AI and other disruptive technologies affect us all and hit hardest in less-prepared countries due to gaps in digital literacy and weak cybersecurity institutions.

This event helped a lot in my career change, because I’d never worked for a Latin American company nor a financial one. Honestly, I’m very thankful I got to attend, and I think events like this serve anyone tied to tech — especially those who aren’t there at the technical level but who do make decisions inside organizations. It isn’t a DEFCON, it isn’t aimed at hackers, but it touches the same topics in a way that’s much more accessible to non-technical people.

There were a lot of talks on disruptive technologies given by lawyers who are deep in the field, and having that vantage point was great. Closing on training and retaining people in cybersecurity was the perfect way to wrap, and for that reason I’d recommend this event to CISOs, or anyone in cybersecurity who manages others. It’s also strongly recommended for relevant public-sector actors (CSIRTs, cybersecurity leads, and so on) — states have a duty to keep their populations safe, and the leverage to guide the private sector toward that.

The most valuable thing of all: I left the Dominican Republic happy, very motivated, and with a lot of new connections. And of course, then I went straight to the beach.

This post is licensed under CC BY 4.0 by the author.