When the circulation of a massive package of personal information attributed to multiple public and private sources is reported, the problem is not whether a specific organization was hacked, but rather that for a relevant part of the citizenry the identity became exploitable. That breaks something much more valuable than a password: it breaks the perception of control. A country can discuss politics every day, but what it cannot normalize is that millions feel that their digital life is a cheap puzzle in other people’s hands. cAs an auditor, I am less interested in the headline show and more in the uncomfortable question that comes after it, the one that asks if I canWe must demonstrate with evidence who accesses the data, for what, under what controls and with what responsibility when something fails.
The discussion about whether official systems were breached or not may be technically true within a narrow perimeter and at the same time irrelevant in reality. Today we face an “architecture of flight” that operates in the blind spots of the State: ehe flow of data that leaves official organizations to feed private work management concentrators.
It is in this intermediate link where the systemic risk lies; the state structure may be intact and its alarms silent, but if the flow is diverted to a third-party repository with the door ajar, the leak occurs and the information ends up on the Dark Web without a single alert being triggered on the public dashboard. An official statement denying an intrusion is not a firewall, and a firewall without auditing this extended ecosystem of concentrators is not control either.
The most profound damage of these crises is not measured in terabytes, it is measured socially, because people do not panic because of what they do not understand, but when they understand enough to feel helpless. We are not facing isolated incidents, but rather a perfectly traceable chronology of state vulnerability that shows a clear and increasing degradation in the last five years. The data is compelling: what began as ransomware incidents focused on the National Directorate of Migration in 2020, passing through the Porteña Legislature in 2022 and the PAMI in 2023, has escalated in 2025 towards critical impacts that compromise infrastructures such as AFIP, ANSES and ARCA. The impact curve is not linear, it is exponential; It tells us that digital insecurity stopped being a manageable technical risk and became a hostile operating condition where modern crime does not improvise, but rather executes on the right individual using information that only a system should have protected.
This scenario occurs under regional pressure that does not admit naivety. In recent measurements, it was indicated that organizations in Latin America face a volume of weekly incidents significantly higher than the global average, with a gap of 39%.
To say that this is serious is not enough; What defines whether we mature is what we do with the diagnosis of an infrastructure that has aged silently. Meanwhile, the world is institutionalizing security with brutal pragmatism: ISO Survey 2024 data reveals a 104.49% year-on-year jump in ISO/IEC 27001 certificates. The planet is not talking about security by virtue, it is setting up verifiable systems at crisis speed because it understood that the only sustainable defense is the ability to demonstrate control in the face of a market that no longer forgives improvisation.
There is a local paradox that we must resolve: the Argentine cybersecurity market projects robust growth—estimated at going from US$1,548 million in 2024 to more than US$3,330 million by 2033—, but market growth does not equate to institutional maturity. You can double your investment and be just as vulnerable if you invest without architecture. A State or an organization that really wants to solve this must assume data as sovereignty and close the most underestimated gap: the risk of third parties and data concentrators, demanding that security be a year-round auditable contractual obligation.
If you have the responsibility of protecting assets, the question is not whether you trust your team, but whether you can answer with evidence where your data is right now, whether you truly control those external “hubs” and whether you are prepared to react when prevention fails. I did not come to fight with anyone, but to put the problem on the table in terms of management, because the cost is already paid by the citizens and will continue to be paid if we insist on discussing “if they entered” instead of demonstrating “how we control.” The State does not have to promise invulnerability, that would be selling an illusion; You have to be able to demonstrate governance, traceability and continuous improvement. Data sovereignty is not declaimed; is audited.
*Fernando Arrieta is Regional Director of G-CERTI Global Certification
You may also be interested
by Fernando Arrieta
