What is Cybersecurity?

16 August 2025
ANGUITAOSORIO

Few subjects have moved as rapidly from the IT department to the boardroom as cybersecurity. With Chile's Law 21.663 now in force and the National Cybersecurity Agency (ANCI) already exercising oversight, the question is no longer how much to invest in technical controls, but how to structure a governance model capable of sustaining operations —and responding— when, not if, an incident occurs.

What is Cybersecurity?

Why the textbook definition falls short

Technical literature defines cybersecurity as the set of measures designed to protect systems, data, and operations from unauthorized access. The definition is accurate, but incomplete for those who have to make decisions. In practice, what is at stake is not merely the integrity of a server: it is the continuity of contracts, the validity of financial statements, the personal liability of directors, and the relationship with regulators that now require incident reporting within hours.

This is the tension Chilean organizations have faced since July 2024. Cybersecurity has stopped being a problem that can be solved by buying technology and has become an ongoing risk-management exercise —comparable, in regulatory pressure and corporate exposure, to tax compliance or anti-money-laundering programs.

Conceptual Foundations

Confidentiality, integrity, and availability

Any serious technical framework —ISO 27001, the NIST Cybersecurity Framework, and others— builds its controls around three properties of information. Confidentiality requires that data be accessible only to authorized parties; a breach may trigger violations of Law 19.628 and, starting in 2026, of Law 21.719 on personal data protection. Integrity ensures that information and systems remain accurate: an attacker who alters an accounting entry or modifies a payment instruction can cause more damage than a large-scale data leak. Availability, finally, is what allows a bank to process transactions, a hospital to access medical records, or an electricity operator to maintain dispatch; its loss translates directly into interruption of essential services under Law 21.663.

These three properties are not protected with isolated tools, but with decisions about architecture, governance, and contracting. Designing a cybersecurity program is therefore, above all, a legal and organizational exercise.

The Threat Ecosystem

Cyber threats come from multiple actors with different motivations:

Cybercriminals seek direct economic gain, primarily through ransomware, fraud, and data theft.
Nation-states conduct espionage, sabotage, and influence operations.
Hacktivists seek to promote ideological causes.
Insiders (disgruntled or negligent employees) represent threats from within the organization.

The Modern Attack Surface

Digital transformation has dramatically expanded what needs protection. It's no longer just servers in a data center. It's every remote laptop, every cloud application, every IoT device, every exposed API, every employee with a smartphone.

This expansion isn't reversible. Digitalization is competitiveness. But every technological advance multiplies attack vectors.

The Technical Dimension

Defense Architecture

Modern security abandons the perimeter model for defense in depth. There's no single wall, but multiple layers an attacker must traverse:

Network Layer: Firewalls, segmentation, intrusion detection
Endpoint Layer: Protection on each device, from antivirus to EDR
Identity Layer: Strong authentication, privilege management
Data Layer: Encryption at rest and in transit, information classification
Application Layer: Secure development, vulnerability testing

The IT/OT Distinction

IT (Information Technology) handles data: servers, databases, business applications. Its compromise affects information and digital services.

OT (Operational Technology) controls physical processes: SCADA systems in power plants, controllers in factories, control systems in hospitals. Its compromise can cause real physical damage.

This distinction matters because:

  • OT historically operated in isolation; now it's connected without being prepared
  • IT security protocols and tools don't always work in OT
  • The impact of an OT attack can include loss of life
  • Regulation treats OT with particular severity

Detection and Response

Perfect prevention is impossible. Rapid detection and effective response determine the difference between a minor incident and a major crisis.

The global average time to detect a breach is 200 days. In that time, an attacker can exfiltrate all valuable information, establish persistence, and prepare destructive attacks. Modern detection systems use behavioral analysis and machine learning to identify anomalies indicating compromise.

The Organizational Dimension

Cybersecurity Governance

Cybersecurity cannot be the exclusive responsibility of the technical area. It requires a governance structure involving the entire organization:

The Board must establish risk appetite and oversee its management.
Senior Management must allocate resources and establish security culture.
The CISO or security officer translates between the technical world and business.
Business Lines must understand and manage their specific risks.

Risk Management

Not all risks are equal, nor can all of them be mitigated. Effective management requires:

Identification: What assets are critical? What threats do they face?
Assessment: What's the probability? What would be the impact?
Treatment: Mitigate, transfer, accept, or avoid?
Monitoring: Risks evolve constantly

Security Culture

90% of successful incidents involve the human factor. The most sophisticated technology is useless if employees open phishing emails or share passwords.

Security culture isn't imposed with policies - it's built with continuous education, aligned incentives, and visible leadership. Employees must understand not just the "what" but the "why" of security measures.

The Chilean Regulatory Framework

Law 21.663: The New Paradigm

This law marks a before and after in Chile. It establishes concrete obligations, active oversight, and significant sanctions. It's not a best practices guide - it's a mandatory framework with legal consequences.

Sectors defined as "essential services" include energy, water, telecommunications, transport, health, financial services, and public administration. If your organization is in these sectors, compliance isn't optional.

Fundamental Obligations

The law establishes differentiated duties according to criticality:

For all Essential Services:

  • Implement security measures proportional to risk
  • Report incidents to authorities
  • Maintain operational continuity

For Vital Importance Operators (additional):

  • Continuous Security Management System
  • Certified continuity plans
  • Designate a formal responsible officer
  • Mandatory periodic audits

The National Cybersecurity Agency

The ANCI isn't an advisory body - it's the regulator with oversight and sanctioning power. It can conduct inspections, require information, and apply fines up to 40,000 UTM for serious infractions.

Its role includes issuing mandatory technical standards, coordinating national incident response, and serving as contact point with international organizations.

Practical Implementation

The Management System

An Information Security Management System (ISMS) isn't a technological tool - it's a continuous process integrating:

Policies and Procedures: Formal documentation of how security is managed
Risk Analysis: Systematic and periodic evaluation
Controls: Specific technical and organizational measures
Metrics and Monitoring: Indicators demonstrating effectiveness
Continuous Improvement: Learning and adaptation cycle

Incident Response

When (not if) an incident occurs, the difference between crisis and controlled management lies in preparation:

Detection: Systems and processes to identify compromises quickly
Containment: Ability to limit damage spread
Eradication: Eliminate attacker presence
Recovery: Restore normal operations
Lessons Learned: Improve based on experience

Chilean law requires notification within 3 hours for critical incidents. This requires predefined and practiced protocols.

Continuity and Resilience

Operational continuity transcends technological recovery. It includes:

  • Identification of critical business processes
  • Definition of maximum tolerable interruption times
  • Tested recovery strategies
  • Prepared crisis communication
  • Coordination with external stakeholders

Looking Forward

Emerging Trends

Cybersecurity evolves constantly. Trends redefining the field include:

Artificial Intelligence: For both defense and attack. Attackers use AI to automate and personalize attacks. Defenders use it to detect anomalies and respond faster.

Quantum Computing: Future threat to current encryption systems. Organizations must begin planning migration to post-quantum cryptography.

Zero Trust Architecture: The future of security architecture. Assumes no user or system is trustworthy by default.

Organizational Preparation

Chilean organizations face critical decisions:

First, they must honestly evaluate their current maturity. Not against an abstract standard, but against the real threats they face.

Second, they must decide what capabilities to build internally versus what services to contract. This decision has implications for cost, control, and responsibility.

Third, they must prepare for an increasingly demanding regulatory environment. The global and local trend is toward more regulation, not less.

Closing

Law 21.663 has installed a framework with concrete requirements: a formally designated cybersecurity officer, a documented management system, reporting protocols within strict deadlines, periodic audits, and cybersecurity clauses in third-party contracts. The ANCI, as the sectoral authority, has already issued its first technical regulations and announced oversight criteria for Vital Importance Operators. Organizations still treating these duties as a technology project —rather than as a cross-functional compliance program— are accumulating a regulatory debt that will be difficult to settle within the timeframe of an inspection.

The useful work in this area is rarely the most visible. It consists of defining with precision which processes are critical, documenting risk decisions, demonstrating diligence in vendor selection and oversight, and maintaining evidence —not just policies— that controls actually function. That is the standard ANCI, the CMF, and the courts are beginning to apply, and it is what will distinguish organizations that can prove compliance from those that can only assert it.
