This week on the podcast, Marc and Corey sit down with Paul Harris, CEO of BGLA and Futurity Corp at WatchGuard's Impact Partner Conference in Tulum, to explore the evolving cybersecurity landscape across Latin America. Paul shares his journey from early days in cybersecurity to leading organizations in the region, while breaking down the biggest concerns facing LATAM SMBs today. The conversation also covers how AI is reshaping cybersecurity, the challenges of securing partners across diverse markets, and practical advice for business leaders looking to stay ahead of cyber risk in LATAM.
View Transcript
Marc Laliberte 0:00
Hey everyone, welcome back to the 443 security simplified. I'm your host, Mark liberty, and joining me today is
Corey Nachreiner 0:07
Corey l ombre fuerte Nachreiner.
Marc Laliberte 0:11
How bad was that?
Paul Harris 0:12
He was okay. He was okay.
Corey Nachreiner 0:14
wrestling theme,
Paul Harris 0:15
yes. Well, we are in Mexico, and it's valid.
Marc Laliberte 0:18
You don't have to lie.
Marc Laliberte 0:19
Joining us today also is Paul Harris, CEO of Futura Corp. I butchered that real bad
Paul Harris 0:24
futurity Corp.
Marc Laliberte 0:26
Futurity Corp, fantastic. Thank you, Paul. Thank you so much for joining us. We are coming to you from watchguards IMPACT Conference here in Tulum, Mexico, and we're going to give you some insights from Latin America, from one of our great partners, talk a bit about a new story as well. And I guess with that, should we go ahead and
Corey Nachreiner 0:47
swim on in the oceans right next to it?
Marc Laliberte 0:49
Swim on and that sounds good.
Paul Harris 0:51
Let's dive in.
Marc Laliberte 0:53
So, Paul, we always like to start first with what we call the hacker origin story, or the cyber security origin story, just to get to know our guests, and really we want to learn about like you and what got you into cyber security, what got you to where you are right now. You've clearly had a long and storied career, but maybe give us like the background on what makes you in cyber security.
Paul Harris 1:16
Yeah. Well, thank you Mark and Cortney for having me too. It's great to be here. I'm a telco guy. I come from the telecommunication side of solutions in the industry, and really, back in 2012
Paul Harris 1:30
2014
Paul Harris 1:32
we started packaging cybersecurity with connectivity for corporate customers, and the goal was to make the relationship
Unknown Speaker 1:41
sticky and anchor those connectivity customers so they would be less price sensitive, and we would extend those contracts. And that was optional. I mean, we pushed it, we incentive the customers, but it was optional. And then 2014 2015 we built two data centers in Ecuador, one in Quito and one in Guayaquil, Site A and Site B. And that time, it wasn't optional. We had to have cyber security built in all the infrastructure as a service
Unknown Speaker 2:14
portfolio, and also in the backup and also in the all the processes that
Unknown Speaker 2:21
implied accessing that mission critical infrastructure and the information like literally, but we had nine. I'm not sure if it's the same in Mexico, but emergency services and like the telephone, is critical beyond just internet, we told the customers that their information would be more secure in our data centers. We had to implement good cyber security practices and infrastructure that was, that was the beginning. Awesome. How we got into the industry. Did you like I think it's interesting that telephony and cyber security actually happened before the internet. Like Maya hacker story has a little to do with plain old television, telephone system, before we had digital phones, and it was all digital tone, like the Internet didn't even exist for most people. It was BBSs through telephone systems, and the first hacks I remember were like Captain Crunch's whistle, where you could actually get free conference calls by just knowing the right tone that they played. Before we even had digital telephone systems. Did you ever deal with plain old, the older telephoning I did have a friend that I cannot disclose, of course, but
Unknown Speaker 3:30
he would emulate the frequency of the coins going through the phones. Yes, yes. And so that was a hacking of the telephony system, the old PSTN based on new electronic devices that would charge the call with a balance so you can speak for longer time. And I feel like that was the first time that really we implemented security measures on technology. And we had to be back then. It had to be a mix of logical and physical security. Yeah, for sure, as we moved to the digital world. It became old software. Yeah, cool. It's nuts. So you are finely tuned with like, Latin America, and specifically Latin America, Latin American small, mid sized businesses, even some larger ones. And we're really interested in hearing about like, what is, what are the cybersecurity challenges many of these businesses are facing down here. Like, hate to admit it Corey, and I tend to focus a lot on North America and Europe, just because that's what we tend to experience the most in. And it'd be really interesting to hear from you, like, first off, like from your customers that you talk to, just generally when it comes to cybersecurity, like, in 2026 what concerns are they talking about right now? Well, it's surprisingly
Unknown Speaker 4:48
high rate of low security awareness, I would say, even as digitalized as we all are today, and people sharing personal information.
Unknown Speaker 5:00
Action for almost everything and every transaction. Ecuador was one of the first countries to achieve a really high penetration coverage of cellular phones, and so mobile internet surpassed fixed Internet access in Ecuador a long, long time and interesting. So people are heavy users of technology and communications, but the security awareness was just not there.
Unknown Speaker 5:29
Today we implement the GDPR started in 2025 and that has awakened the market and the customers in terms of the risks that are present when you share information on any network. Yes. So I think security awareness is one of the main concerns for everybody, both partners and customers, the government,
Unknown Speaker 5:54
and then for the customers, SMBs in particular, they have a hard time trusting the security provider because it implies opening up their local network, their processes, their devices. So our challenge is to establish enough trust so that they would give us the opportunity to protect everything from the inside out. So is it more like, are they worried about, like you finding skeletons in the closet, or is it more like, just there, where you might be the the entry point for an incident, if they open themselves? Yeah, it's like it happened with the cloud about 10 years ago.
Unknown Speaker 6:37
They they're afraid to delegate the dependency and not be in full control. When you move your infrastructure to the cloud, you depend 100% on the connectivity. Same thing here. They open certain processes and you are the one in charge of the firewall and the endpoint. They feel they lose control, although they gain prevention and protection. By the way, I'd like a follow up to that. It reminds me of something that even even if you do generally trust security vendors, there's actually a new thing where supply chain issues are a problem. So say it's not the giving up control. Eventually you convince them to trust a security vendor. Obviously we want them to know that. You know, we want our MSPs to help control their network, not to take control from them, but just to help them out. But there have been cases of the vendors themselves not being good enough at security. Does that come up in Ecuador and or Latin America much? Or how do you deal with those type of issues? I think that technology in the market is overall a good level, but it has to do with the price constraints. I think I mentioned it in the panel yesterday, that large corporations in LATAM use up on 60% of all cybersecurity spending. So SMBs are left with a smaller budget, and they're more threats every day, attacking SMBs, yeah. So more attacks, more risk, less budget. That's a real challenge. In fact, they're sometimes a good target because the threat actors know that they have less budget, and the lowest hanging fruit sometimes is the easiest one. So if you pair that with a limited amount of specialists and talent in cybersecurity, you know you have a combination of challenges great for I mean, that's exactly why I think folks like MSPs that we have at Watchguard and you can help the SMBs take care like really SMBs want to do whatever their business is. It's our mission and our opportunity to fill in that gap and establish that trust and help our customers be protected and focus on their business. Let us focus on their network and their security. Awesome. So if that's like what they're concerned about in cyber security. What do you think that small and mid sized businesses are maybe overlooking in cyber security? Maybe where, like, a risk gap might be for them, that they're just not thinking about it well enough to understand that they've got something there that needs to be solved? Yeah, many people think that by installing a firewall and paying for an antivirus subscription,
Unknown Speaker 9:25
they're protected against everything. And you know, recently, the amount of attacks and penetrations due to stolen credentials and just user level, weak password attacks and things like that have proven them wrong. Yeah, this is why MFA, for instance, has picked up our largest contract in 2025 was MFA against all predictions, because we were selling more firewall and endpoint. But MFA was a big opportunity for these companies that had a.
Unknown Speaker 10:00
Sort of a good level of maturity in premature and endpoint security. Yeah, but had so many uneducated users that MFA was a nice way for them to establish a control I love that. Obviously, we sell firewalls and network security to watch guard, so we like those, but we also do MFA. I've I believe it's one of the biggest ROIs of security, you can have one of the things I think people don't think about with security is there's a technology problem, like there's technological attacks. That's why you need fireware, firewalls, endpoint protection, but the human attack, even if you fix all the technical problems, the human can still be tricked to give away something MFA, while it's a technology, it's one of the few things that can help if a human makes a mistake. Yes, and I don't know if it's a coincidence, but in the past couple of months, I've been invited to give security awareness talks in chambers of commerce, and for certain private customers, cool. So it's a good sign that the awareness education is there is improving, and we're touching on things like MFA to help
Unknown Speaker 11:07
close the circle with firewalls and endpoints. I have an offshoot follow up question that I don't we plan, but one of the things that like, when you have a region or an area that is less aware of like, they still have the threat. But it's about showing people that if you don't do something about this, you might lose money one day. One of the things that helps is if there's either like government or organizational regulations or compliance that forces, like a global one that you certainly have in Ecuador is PCI, if you take credit cards, you do have to do that, so that will at least teach credit card companies. But are there any regulations from the government that are focused on you say, GDPR, so data privacy from a consumer level is getting anything on cyber security? Yes, well, GDPR is new, and the sanctions began in 2025 Gotcha. But we also have a new cyber security law, but it's more focused on the on the public sector than the private sector. It mentions critical infrastructure practices, critical infrastructure, and it adds more red tape than real good practices, unfortunately. So we need to go back to the lawmakers and add, you know, some thought in terms of the technical side of things so that they focus not only on
Unknown Speaker 12:24
the regulatory and reporting, but also on making it more efficient. Seems like a lot of first implementations like that tend to like, kind of miss the mark the private sector we're pushing towards, for instance,
Unknown Speaker 12:38
asking the government to give us a tariff break in all imports of firewalls and software licenses related to cybertize it, because it will help local business, which will help the lower the barrier for you to acquire more technology. It's funny, because in the US, we're in the process of banning all foreign made. It is what
Unknown Speaker 12:59
it is, right?
Unknown Speaker 13:02
I'm curious. Like, from your perspective, you probably encounter a lot of different maturity levels for companies that you deal with. Some, maybe you just come in to, like, put in the last little piece. Some, maybe you have to fundamentally help them change, like, how they're approaching cybersecurity and technology as a whole, if you had to, like, summarize it, or maybe pick a few things, like, what do you think separates the companies that are doing things well in your region versus companies that maybe still have a lot more room to grow? Yeah, well, thanks for the question mark. It's interesting and very relevant to LATAM. LATAM is not a homogeneous market. We have all levels of maturity, all levels of regulation, different countries, but even within one country, different levels among customers. What I think makes the difference is if a customer has a person in charge of it that is cybersecurity, aware and manages the risks, and they've done their internal homework in terms of evaluating their risk metrics and prioritizing what they should protect first, with the lower with with the highest impact.
Unknown Speaker 14:16
That makes the difference once the customer has appointed somebody who's responsible for those digital assets to protect. We go in and we find structure that we can protect. Otherwise we are in charge of surveying and inventory for their side of things, and that slow things down. And also, there are more steps too,
Unknown Speaker 14:39
even if you are really good at doing it for them, if there's no one accountable there, they may
Unknown Speaker 14:45
go out over weight, maybe a third party to help us with that. And that's not just as efficient. It's funny how when you make someone accountable, they suddenly start doing the right thing.
Unknown Speaker 14:57
You're gonna get fired if you don't. Yes.
Unknown Speaker 15:00
That's the old way. Do you see them? Anyone leaning heavily into like frameworks or anything to really help get that process started? I imagine that would help with that kind of structured approach like you mentioned. Yeah, well, ITIL was a new and widespread standard back, I guess five years ago, it's lost some track, but now ISO 27,001
Unknown Speaker 15:26
is more important, and it's the basis for the GDPR as well. So we are starting an ISO 27,001 certification process because larger accounts are requiring that from their security providers, yeah, so I think that's helping
Unknown Speaker 15:45
improve those processes. And it's a big area where LATAM seems similar to the rest of the world, where that pointed ISO 27,000
Unknown Speaker 15:56
is becoming like a de facto requirement for a lot of organizations when you work with each other, for sure, yeah, it's a great framework. We use it, and even as a company that thinks we do good, it's a good framework. It always does help. Just reviewing things helps you align areas, align people, making an aligned infrastructure. Yeah, 100%
Unknown Speaker 16:19
so a big topic this year at impact was AI, both from a attacker's perspective, like we are up against big threats from automated attack chains from start to finish with totally hands off keyboard now, from threat actors as well as from like the defender side with tools that we've been using For a decade and a half, and new tools continuing to come up as these technologies evolve. I'm sure that AI is also a popular target in your neck of the woods, and I'm curious like, how has AI just changed the conversation over the last couple of years, or even just the last year, within the people you're talking to, it's starting to pick up. I think right now, lead time overall is a little bit behind in the AI adoption curve, but starting to pick up at a fast pace. Right now, the challenge is not only deploying it, but simplifying it enough to find the right alignment with each customer's need. So just do a little bit of hype, but we're starting to see interesting things even at this show, I spoke with some other partners that are using nice tools to monitor the cybersecurity side of things, dashboards and things that help the customers with compliance and also to even check on their
Unknown Speaker 17:44
strategic partners'
Unknown Speaker 17:47
level of maturity, to
Unknown Speaker 17:49
understand the people they're working with, yet to monitor who they're working with. And so there must be a line there in terms of legal and confidentiality terms, but if it's public information out in the internet that probably definitely a good research tool, like you can give an agent to tell me a little bit about this, and like you say, from public data, you get a lot. So I think the challenge right now is finding that particular good use case for AI, for each customer,
Unknown Speaker 18:17
in terms of defending against AI
Unknown Speaker 18:21
We've not heard of AI based attacks or AI based infrastructure that has been
Unknown Speaker 18:28
vulnerable yet, but it's going to happen. We have some stories.
Unknown Speaker 18:33
Tune into the 443, security simplified podcast as people move their mission critical services to the AI based processes that they will get, I would say, I think globally, one thing, even if you said Latimer is a little behind, I actually think it's smart that they're trying to I think globally, AI has a lot of hype and promise, and there is areas where, quantifiably, it makes a difference, but everyone's talking about How much productivity it can add, and there's in the business sense of things, no one's really quantified that yet. So I think we're at the point where we've enjoyed the technology we've had to hide. But now to your point, what is the use case where you can get a business measurable, quantifiable benefit? And I think secure, yeah, over time, and security is one of the easier places to do this, when it's used for detection, because it's kind of on or off switch, but for things like efficiencies and processes, I don't think the people that were making it were measuring how much better it was, but that's changing. Ask us about AI in cybersecurity. I tell them it's already built in most of the tools we use. So don't get too creative, because you know, you might open up vulnerabilities if you try and implement things without or outside of that framework. Yes, curious from your own personal perspective, maybe, do you see AI more as a potential opportunity or more of a threat? Or maybe like both?
Unknown Speaker 20:00
Yes, we should try to find a balance. Right now, I think part of the group of not such a heavy user, but like, I'm a teacher at college, I have one class, so twice a week, I interact with the students, and so I try to listen to how they're using that technology. And right now, it's basically helping them save time and optimize research
Unknown Speaker 20:25
volumes of things,
Unknown Speaker 20:27
but at the same time, we don't know yet how exposed their devices and their information is to AI. I'm careful not to put anything confidential in an AI platform. You are one of the few
Unknown Speaker 20:42
so excellent point, because the reason AI works is the more data it has to train, the better it gets. So AI companies are data hungry, but perhaps if you give it to them, they will those filters effective if I configure them not to catch anything confidential from my side. Is it true that they want I feel like are you also not posting anything on Facebook and instead, like, I feel like we've lost that window back when everyone started using social media without thinking about what they post. But I what you should do when you pay for it and you have an official data processing like, if you're using free AI tools, you should be very careful what you share. If you pay for a license, hopefully you have lawyers that will look at the license data processing agreement, and those have teeth that they will like if you pay the right amount of money to say you can't use my data with training. I want it to be tenanted. Yes, I think they honor that, but that's assuming they don't get breached in some other way, because we still have your data there. You know, we lost physical borders with the internet, absolutely long ago.
Unknown Speaker 21:50
Where are the borders with AI? Yeah, and legislation. And you know, your right to consent and confidentiality, integrity and Exactly, yeah, sure, my question, right? Not a whole lot of right to consent with AI. It's already gobbled up all of my info, that's for sure. And then the tax you mentioned, me and Mark have talked about a number of attacks to AI, a lot of them. The thing AI is good at is, if you tell it to do something, it will go and do it for you. But prompt injection attacks, a lot of the modern ones are hiding bad guys, finding weird places to hide additional instructions to AI. And if it has the data, you tell it to do something, and it has your credential, it's going to take all your data, so you still have to be careful. Yeah, so we've talked a lot about, like securing the the SMB, like your customer. I'm curious from also, from your perspective, like you and your company need to make sure you maintain security, because otherwise you could be that intrusion vector for your customers too. So from your perspective, in Ecuador and Latin America, like, what do you think that MSPs themselves should really be focusing on right now? Yes, well, we have a big responsibility of taking care of customers, most precious assets, right, mission critical.
Unknown Speaker 23:09
We have started using some distributed cloud storage with heavy encryption,
Unknown Speaker 23:15
you know, more like blockchain, type of distributed security. And so we feel that is adds a layer of security to the store, even if they got access, that is, they would encrypted, block immutable backups have added a layer of concluded to us as well, in terms of protecting the necessary with ransomware, ransomware.
Unknown Speaker 23:37
But then, you know, we use watch guard cloud as a main repository of all the inventory of active services. So we're trying to rely less on local on premise ERPs or data sheets or any local controls, and rely more on the live tools such as Watchguard cloud. Now, of course, what your call needs to be up and running. You know, 100% of the time, by the way, that does transfer in the same way you have to be responsible for your customer security. You're literally talking to the people that help make our company secure enough to be no pressure.
Unknown Speaker 24:20
You're talking about accountable and being fired?
Unknown Speaker 24:23
No, we're good. We have Mark
Unknown Speaker 24:27
too much pressure. So that's, that's what we're trying to do, in addition to getting our internal processes certified under ISO 27
Unknown Speaker 24:37
which is, let us know we've, we've been doing that one for years. It's a fun one. Yeah, yes, I did in my previous business. I certified that for and renewed it once or twice, so I'm familiar with it, but doing it in a new company, you always find that you have to do the gap analysis and see what it means to fit through the process. Again, curious from your perspective and.
Unknown Speaker 25:00
Like just overall between different countries within the region too. Are you seeing any like differences that stand out? Or maybe, would you have any guidance for anyone looking to expand beyond, like an individual company or country within Latin America and succeeding in that effort? Yeah, well, you know, one of the companies I run, it's pgla, which stands for Business Gateway Latin America. So it's basically, you know, a door of entrance to the Latin market. And
Unknown Speaker 25:30
you know, there's such a variety of scenarios and environments in LATAM Ecuador is small enough to run proofs of concept and proofs of market, and we use the dollar as our currency, so there's no exchange rate variability during that test phase, but it's a good way to test the local market and the mindset of people in terms of, you know, introducing new technology to the market. So my advice would be for a company trying to expand into LATAM.
Unknown Speaker 26:03
We have countries small enough, like Ecuador or Uruguay, where you can test the technology and test the market, and then try to be ready for Brazil, Mexico, Colombia. And you know, the bigger, the bigger markets would you almost say, like, if it works in Ecuador, it will work in LA time. As long as you can scale, you can replicate it at a bigger scale. If you're successful.
Unknown Speaker 26:29
That makes sense. It does make sense. So as we just round things out, want to give you a chance. Like, what do you think in terms of cybersecurity trends? Are we not talking enough about when it comes to like issues that are impacting Latin America, like, what do you think deserves more attention than it's getting right now? Yes, well, working on security awareness definitely deserves a lot more attention in all of all of Latin America, but also it's difficult
Unknown Speaker 27:02
to achieve
Unknown Speaker 27:04
a good level of efficiency when you have such high tariffs and such high cost of importing everything. So I believe we should as a region, get more creative in terms of generating our own technology and try to protect certain layers without generating dependency on on, by the way, we apologize for that, or I apologize for that, maybe that will change, sometimes,
Unknown Speaker 27:31
not necessarily, our choice. That is a very good point of if you've got tariffs, the point is to try and encourage more within the country, within the region, development and that, and that would be interesting to see. Like Ecuador, for example, was is known for good core banking, core banking software. So we have very good software developers. We just haven't focused on the cyber security side of things, maybe lack of an incentive, or it's just easier to buy the technology and install it.
Unknown Speaker 28:03
Like we said, there are no borders anymore, and the threats are global, so there's no incentive to do everything local. You mentioned MFA before, and like one of the threats, I think that may not be Ecuador based, but LATAM based, that I think was very unique to Brazil, is banking and ATM theft is apparently very big in Brazil, down to things like mobile phone theft and cloning to get certain types of tokens. So the company we acquired to get MFA data blink was a Brazilian design company, and they had very specialized tokens that they were a bank, e commerce banking company before we brought them into SMB based MFA, and it felt like a very unique use case to Brazil. ATM test was so big that they needed a special token for every one of their bank customers just to do in the past couple of months. And thank you for mentioning that reminded me WhatsApp accounts that for fraud purposes, has been really big in the past few months. Even in the past few weeks, I had a close friend that, on an Android device, got his WhatsApp account penetrated and installing credentials activated somewhere else, and he couldn't use his phone. He had to depend on the phone company, cell phone company,
Unknown Speaker 29:22
somehow trying to
Unknown Speaker 29:25
revoke everything so he can do a new chip and a new number. But that has been big in the past few months. And you mentioned before too that I think maybe because of the dynamics of Ecuador, you might have skipped a lot of old school networking wires and went to wireless. It, it seems to make sense that you could maybe lead in mobile security, like wireless device securities. Yes, there too big. Everybody has one or two of these going around. But now the fiber optics coverage is getting better. That's good. So people, you know, broadly.
Unknown Speaker 30:00
It was at the beginning, only through mobile now is getting fixed LAN networks as well. Cool, yeah. Well, I guess Paul to end like, what advice would you give other business leaders that are trying to stay ahead of cybersecurity within your region? Like, is there anything that you've learned that you feel like can pass on to other people? Yes, you know, I think I mentioned it at the beginning. Building trust is the most successful factor to establish a long term relationship with your customers. So build that trust help your customers, even if that implies, you know, giving them a free license for 30 days and spending time just show them the value and the peace of mind they can achieve with your service.
Unknown Speaker 30:48
And then they'll look for you for more services down the road, but build that trust first, because that would be my best advice from experience, which has helped us sustain many years of relationships with customers? Awesome. Yeah, I think that's good advice for everyone in any region, for sure, especially in our ecosystem now, where we are putting a lot of trust in the people we partner with, the vendors we work with, and yeah, lead with the relationship and the quality of service, not with the technology necessarily the technology is there. I mean, we prefer to do it with Watchguard, but if we don't, somebody else will fill that gap. Trust isn't just about the service and product you can bring. Trust is about being there to support that person long term. And if you think about it, before even Cypress, everything about security is trust. Even old school, you let people trust inside your castle. You So trust is the essential thing when people work together. Yeah, and it's interesting
Unknown Speaker 31:50
all the tools that you're giving us as MSPs to make our life easier and save time and try to monitor more customers with you know less number of people, and the less overhead possible, that helps us be more efficient and try to be more cost effective. And so as long as we keep that improving, even if we have to deal with exchange rates and tariffs, and so it'll compensate. Yeah,
Marc Laliberte 32:17
awesome,
Corey Nachreiner 32:18
hopefully we'll change the tariffs one day.
Paul Harris 32:20
Yes, let's get a movement going on, and it exists in some places. It just hasn't won yet.
Marc Laliberte 32:28
Well, Paul, thank you so much. This has been really insightful. Thanks for coming on. We appreciate you taking the time, especially instead of being outside on the beach here in Tulum,
Corey Nachreiner 32:37
I feel bad now.
Marc Laliberte 32:41
Enjoy. We'll make sure to send a margarita over to your table after this.
Paul Harris 32:45
Sounds great. Thanks.
Marc Laliberte 32:46
Hey everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. Can't do your stupid little emoji things on your MacBook. That's good. If you have any questions on today's topics or suggestions for future episode topics you can reach out to us on blue sky. I'm at it's mark.me. Corey is at second depth, or both on Instagram at Watchguard, underscore technologies that will never stop being weird. Thanks again for listening, and you will hear from us next week.
Corey Nachreiner 33:17
Did you post your burrito on our WatchGuard Instagram yet?
Marc Laliberte 33:20
No, I do not
Paul Harris 33:22
great. Thank you. Cool.
