JORGE GARIBAY’S SUCCESS STORY
I started working back in 1985, at the time when I was a student of Information Technology, in one of the largest technological universities in Mexico (Instituto Politecnico Nacional). After three years as a systems programmer, I entered the network and connectivity world and was promoted to be Network and Communications Manager at the Ministry of Health.
I worked for almost six years within the Mexican government and since then I started to work with some organizations and providers from different countries. As a Mexican public servant I got in touch with some central American governments offering them consultancy and helping them to design and install regional networking solutions within the health sector.
Finally, I left the public sector in 1991 and moved to work with a former provider of mine. They invited me to partner with this company called SAIT. The company was one of the first dedicated to installing fiber optic networks in Mexico. For that, we made a partnership with a company based in San Diego, California, to offer their solutions to Mexican and LATAM customers, bringing state-of-the-art technology at that time.
Initial Steps in Information Security
By 1994, we started to offer information security solutions to Mexico and LATAM countries. We represented companies like Checkpoint, Websense, Storage Tech, and Security Dynamics (today RSA), etc. It was a very challenging time because in December 1994 we suffered one of the most important devaluations in Mexico’s history. Our Mexican peso was devalued from 3.5 Mexican pesos for one dollar, to 7.5 pesos for one US dollar. United States president, Bill Clinton, had to lend the Mexican government 20 billion USD to cover our financial commitments!
Those were very complicated years for our company, but as oriental people used to say: “difficult times are also opportunity times.” The investment contracted spectacularly in the country, the exchange rate gave us a bitter lesson, which I will never forget, where we lost a lot of money and that caused, among other things, the closure of our office in Monterrey and the cut of some jobs in Mexico City.
Fortunately, in 1996, we won a bid to start building fiber optic networks in some cities within Mexico. Our country opened the telecommunications market and we created a new company called Metronet which was dedicated to designing, building, and operating last mile connections to carriers and private and public organizations.
Thanks to the hard work and a strict financial discipline, competing in a dynamic sector, we managed to increase our business on a very large scale and by year 2000, we commissioned a report from Gartner Group. They recommended we build information data centers. Since we have fiber optic links in more than 2,500 different buildings around the three largest cities in Mexico (Mexico City, Monterrey, and Guadalajara), it made sense to offer these customers hosting and managed services.
At the same time, I was designated as Professional Services Director and started offering consultancy services to our customers. In 2001, we created another company called Xertix, specially dedicated to managed services and consultancy. After that year, I took some courses and obtained my CISSP, CISA, and CRISC certifications, and by 2005 we were offering Information Security, Business Continuity, and Information Risk solutions.
From being a company of 75 people with presence in Mexico City and Monterrey, we grew to be a 350-person company and started to offer our services to some countries within the LATAM region. At that time, ISO standards, like ISO 27001:2005, became popular in Mexico and some companies were interested in getting certified. So, we developed a consultancy service to offer guidance to companies that wanted to get certified.
First Company Certification and International Experiences
In 2008, we decided to get our company certified against ISO 27001:2005 and ISO 20000:2005. At that time there were some companies already certified against ISO 27001:2005 in Mexico, but there was none certified against ISO 20000:2005.
After 14 months of hard work, in May 2009, and at four different locations, we were the first Mexican company to get ISO 20000:2005 certified and the second in Latin America, and the first company around the globe to obtain both certifications at the same time. In fact, Gartner Group and some national newspapers wrote an article about this.
We certified 23 processes, 10 for ISO 20000, 10 for ISO 27001, and three for both standards. This achievement granted us a lot of confidence from our customers and helped us to win two large bids, one with a large financial institution called Grupo MONEX and one with the Ministry of the Interior.
During those years, I learned a lot and started to work closely with ISO and ISACA organizations. I was invited to be part of an international effort to work within one ISACA Board, called Governmental and Regulatory Agencies Board (GRAB). I was chair for LATAM countries within this Board and we worked with some countries in different initiatives related to information security, auditing, and use of ISACA frameworks like Cobit and Risk IT, and ISACA certifications like CISA, CISM, CGEIT, or CRISC.
At the end of 2008, with the financial crisis in the US due to the subprime mortgages, some companies had to leave part of their business, so we took that opportunity and bought another data center in Mexico which was part of a US company with investments in Mexico, Brazil, Colombia, and Argentina. By 2009, we had three different companies (Metronet, Xertix, and Diveo), and we wanted to enter the US market.
Again, we hired Gartner Group to conduct a study of data centers in California and due to their financial situation, we acquired a company called Castle Access. Finally, we had presence in the US market with two more data centers!
At the initial stages of this adventure, we discovered one big difference between the market in LATAM and that in the US. It was obvious for us that the maturity level was very different in end clients from the US compared to LATAM customers. We had at that time a 3-4 year gap in terms of technological adoption.
In 2010, we decided to change the name of the company to RedIT and started a new marketing campaign to introduce this new brand consolidating operations for the four companies in this new organization.
Getting in Touch with PECB
2012 was my first approach with PECB. At the beginning of that year, I presented a request to represent Mexico at the ISO/IEC SC 27 forming a Mexican national Subcommittee. In addition, in 2012, Bernard Boily, a good friend of mine and former provider when I was CIO of RedIT, introduced PECB to me.
In October 2012, ISO published ISO 22301:2012, which was the best-selling standard in the history of ISO, with more than 20,000 downloads on the first day of publication. By that time, I started to offer PECB training courses to my customers here in Mexico.
At the beginning of 2013, we sold our first ISO 22301 Lead Implementer training course in Mexico and since then we have been selling ISO/IEC 27001, ISO/IEC 38500, ISO/IEC 20000, ISO 22301, ISO/IEC 27032 and recently ISO 37001, all of them in all possible schemes (Foundation, Implementer, Auditor, Manager, etc.).
In 2015, I partnered with Pink Elephant, a consultancy and training company based in Canada and one of the most recognized worldwide organizations in the development of ITIL framework. I brought all the PECB training courses to the Pink Elephant Mexico portfolio and we started to offer the first information security services as well as business continuity solutions to Mexico’s market and LATAM.
In May 2015, I also applied to represent Mexico at the ISO 292 TC (Formerly ISO TC 223) and received the responsibility to coordinate that task force. Again, at Pink Elephant, we decided to push our business continuity training and consultancy services around Mexico and LATAM.
We have been providing these courses not just to companies based in Mexico, but also to Mexican enterprises based in different countries or actual foreign Pink Elephant customers that ask specifically for our services. We do have offices in Chile, Panama, Spain, and the Dominican Republic and a large partner network in different countries. We support and deliver IT projects, as well as training courses from Mexico, and locally in a large number of LATAM countries before the pandemic.
One of the things that we happily discovered recently is that the 3-4 year gap we had 12 years ago is no longer valid. Currently, due to globalization and partnerships like the one we have with PECB, we are in a very strong position to compete with global or US-based companies.
In 2019, Kellogg’s company hired us to develop the Business Continuity Plan and Disaster Recovery Plan for their production and distribution plant based in Queretaro, Mexico. We offered our consultancy services based on ISO 22301:2012 and the Disaster Recovery Institute International (DRII) framework. In addition, we offered to their personnel the PECB ISO 22301 Foundation and Lead Implementer training courses.
While we were working with them, we suggested using ISO 22316 to develop the Business Impact Analysis (BIA) and Application Impact Analysis (AIA). Some consultants of my team at Pink Elephant used to work with me 10 years ago at Xertix Data Center doing recovery strategies and implementing BCP and DRP solutions to many companies. Also, some used to work with me for the same solution (BCP and DRP) to the Mexican Stock Exchange during the 2017-2018 period.
At the beginning of the project, Kellogg’s corporation suggested that Kellogg’s Mexico use their US provider to replicate the BIA exercise, not just in Mexico but also in five different subsidiaries in LATAM (Colombia, Panamá, Puerto Rico, Guatemala, and Ecuador). We presented our methodology and a robust solution for the BIA, AIA, and Business Continuity Governance that convinced Kellogg’s Mexico that we can deliver the complete solution instead of their usual US provider.
During the prior project with the Mexican Stock Exchange, we developed not just the typical BCP/DRP solution but also Cybersecurity and Pandemics strategies to recover their business in case of interruptions. On this project, we presented our methodology with the Mexican regulators (Comisión Nacional Bancaria y de Valores – CNBV), which is analogous to the SEC in the United States, and the Central Bank (Banco de México). In this project, we also delivered ISO 22301, ISO/IEC 27001 Foundation, Lead Implementer, and Lead Auditor as well as ISO/IEC 27032 Lead Cybersecurity Manager training courses.
It is fair to say that in both projects we presented Pink Elephant as a PECB regional partner for delivering world-class training courses and that having this partnership helped us to raise our brand recognition and have our customers’ confidence to be part of their main projects.
From our perspective, we think that in LATAM we have talent, competitive people, and experience to deliver strategic IT consulting services and educational paths in all ISO standards and some other IT frameworks.