From San Juan to San Francisco: What RSAC 2025 Means for LATAM’s Cyber Future
Puerto Rico – May 7, 2025.
I just returned from RSA Conference 2025, and I’m still processing the wealth of insights, conversations, and cautionary tales that filled every corner of Moscone Center. As someone working to help organizations across Puerto Rico and Latin America comply with evolving cybersecurity laws, I found this year’s event more relevant than ever.
What Hit Home for Me
Puerto Rico’s Act 40-2024 — the landmark cybersecurity legislation signed into law just last year — was never mentioned by name at RSAC. But its themes were everywhere: incident response, zero trust, education, legal clarity, and public-private cooperation.
Incident reporting, for instance, was a hot topic. One session dissected how organizations are adapting to the SEC’s new cyber disclosure rules — and it made me think of the 48-hour incident notification requirement in our own law. In both contexts, speed is no longer optional. Timely, structured, and transparent reporting is a core pillar of trust, whether you’re talking to shareholders or to a local cyber response office.
Another highlight was the emphasis on zero trust architecture. While this concept has been gaining traction globally, Puerto Rico’s law has made it a concrete mandate. RSAC sessions walked us through real-world implementations, challenges with legacy systems, and how zero trust can shift the cultural mindset from “protect the perimeter” to “never trust, always verify.” It was energizing to see that we in Puerto Rico are not behind the curve — we’re riding right alongside it.
The legal sessions were equally compelling. One in particular dove into the evolving role of the CISO, a topic that resonates strongly with both Puerto Rico’s law and Chile’s new Cybersecurity Framework Law. As LATAM governments create or strengthen national cybersecurity agencies, we need to ensure that the compliance burden on CISOs doesn’t overwhelm them — and that they have the organizational visibility they need to succeed.
Why LATAM Should Be Paying Attention
Across the region, similar laws are taking shape. Chile’s new framework is a bold move, and other countries are watching closely. But laws alone aren’t enough. RSAC drove home that it’s the execution — the investment in education, tooling, internal policies, and cross-border collaboration — that makes or breaks a regulation’s success.
What I appreciated most was the global tone of the conference. Whether you were from São Paulo, San Juan, or San Francisco, everyone shared the same core challenges: ransomware, third-party risk, regulatory pressure, and a skills gap that shows no signs of shrinking. That sense of unity gave me hope.
However, I couldn’t help but notice the continued underrepresentation of voices from the Global South. While the issues we face are often the same, the resources, infrastructure, and geopolitical contexts differ dramatically. Our challenges demand more inclusion at the global cybersecurity table — not just as case studies, but as contributors and innovators. We need more speakers, policies, and funding strategies that reflect the realities of developing nations, especially in LATAM, Africa, and Southeast Asia.
Where Do We Go From Here?
Here’s what I think we need to focus on next — both in Puerto Rico and across LATAM:
Build regional cyber alliances.
We need stronger inter-governmental frameworks to share intelligence and response capabilities, much like what the EU has started doing.
Support compliance with tools and training.
Let’s move beyond checklists. Act 40-2024 and similar laws should come with funding, shared services, and modern platforms that make compliance achievable, not burdensome.
Invest in education.
Annual cybersecurity training is great, but let’s build pathways for students, career switchers, and current IT pros to become full-fledged security professionals.
Translate global best practices into local context.
RSAC is a global hub, but each region needs to tailor its approach. What works in California won’t work out-of-the-box in Cartagena or Caguas — and that’s okay.
Author
Angelo Palma
Architect Consultant