top of page

Zero Trust, Ransomware, and New Rules: The US Cyber Landscape with Carlos Bustos

  • Writer: Juan Allan
    Juan Allan
  • Sep 5
  • 4 min read

Carlos Bustos on US cybersecurity evolution: Zero Trust, ransomware, and new SEC rules are reshaping defense. Insights on critical challenges and growth opportunities


ree

The last decade in cybersecurity has been a story of reactive defense, where the industry's evolution has been fundamentally driven by the escalating costs of failure rather than the proactive pursuit of innovation.


If this is true, then few are better positioned to chart this complex journey than Carlos Bustos, Country Manager at INSSIDE Ciberseguridad. As a leader navigating the intersection of policy, technology, and threat intelligence, his insights reveal how monumental shifts, from the rise of Zero Trust and cloud migration to the boardroom impact of new SEC rules, have reshaped the entire digital battlefield.


Interview with Carlos Bustos


How has the cybersecurity industry in the USA evolved over the past decade, and what major shifts have shaped its current landscape?


The cybersecurity market has faced radical shifts in the last ten years. We have gone from focusing on the perimeter to Zero Trust & identity-first security. This shift has been supported by Federal policies (e.g., OMB’s Zero Trust memo M-22-09; DoD Zero Trust strategy) but nevertheless it has been important due to changing infrastructure combination (journey to the cloud and remote work.


Also there has been a focus on Supply-chain and “secure-by-design.” Major software supply-chain events (e.g., MOVEit;Solarwinds) pushed broader adoption of NIST CSF 2.0 (but nevertheless it has been important due to changing infrastructure combination that now incorporates a new “Govern” function and supply-chain emphasis) and CISA’s Secure-by-Design pledge for software makers.


Regulation has been catching up with the European counterparts and has been accelerating. New rules moved risk into the boardroom and onto the 8-K: SEC incident disclosure & cyber governance (effective Dec 2023), plus sector rules (NYDFS Part 500 amendments; FTC GLBA Safeguards updates).


The interconnection of OT networks to the internet/it networks has obliged to do Critical-infrastructure hardening. Post the Colonial Pipeline event, TSA issued and updated mandatory cyber directives for pipelines, rail and transit; formal rulemaking is underway which will accelerate change.


During the pandemic more criminals moved to the internet. Ransomware industrialization became notorious. FBI/IC3 reports show record losses year after year; plus DBIR tracks persistent ransomware/social-engineering patterns. MOVEit showed scale of third-party exposure.


What are the biggest cybersecurity challenges that U.S. companies and institutions face today?


Number 1 would be Ransomware & extortion at scale (targets across critical infrastructure; record reported cyber losses).


Also Third-party/supply-chain risk is increasing heavily(MOVEit SQLi exploitation hit thousands of orgs across sectors).


The journey to the cloud has changed the nature of the way cybersecurity has to be seen. Cloud & identity exposure (misconfigurations, token theft, MFA fatigue; Zero Trust are still maturing alongside this journey).


Talent gap (3.5 millions short is the global estimate; U.S. market feels the squeeze with 0.5 to 0.6 million shortage).


Which sectors (finance, healthcare, government, etc.) are driving the most growth in the American cybersecurity market?


  • Number 1 the Financial services — stricter state/federal rules (NYDFS 23 NYCRR 500 amendments; FTC Safeguards breach-notification in effect) and subject to major attacks.

  • Also Healthcare — besides the HIPAA obligations, HHS hospital cyber strategy & performance goals are increasing, plus rising ransomware pressure.

  • Government & defense — federal Zero Trust mandates; NIST CSF 2.0 adoption.

  • Critical infrastructure/OT — TSA directives and proposed rules for pipelines/rail/OT push spending.


How is the U.S. government influencing the industry through regulations, frameworks, and national security initiatives?


  1. Strategic direction: National Cybersecurity Strategy (2023) with pillars on critical infrastructure, disrupting actors, shaping market forces, and secure-by-design software.

  2. Frameworks & guidance: NIST CSF 2.0 (adds Govern; supply-chain focus) and CISA Zero Trust Maturity Model.

  3. Regulation & enforcement: SEC cyber disclosure/governance; NYDFS updates; FTC GLBA Safeguards amendments (breach reporting); DoD CMMC rulemaking; CIRCIA incident-reporting rulemaking progressing.

  4. Critical infrastructure mandates: TSA cyber Security Directives for pipelines and rail/transit (with formal rules proposed).

  5. Software safety: White House/ONCD push for memory-safe languages; CISA/NSA guidance.


What role does funding and venture capital play in supporting cybersecurity startups and innovation in the U.S.?


Capital is active again: PitchBook reports $3.3B across 182 deals in Q1’25; Crunchbase shows $9.4B in H1’25 globally; consolidation/M&A is brisk (e.g., Google’s proposed $32B Wiz deal).


Implication: Late-stage “platform” players are crowding categories; AI costs are pushing smaller vendors to sell or specialize.


Looking ahead, where do you see the greatest opportunities for growth and investment in the U.S. cybersecurity industry?


I see seven drivers for growth in the regulatory, infrastructure and software development areas:


  • From a government perspective, unify regulations across the country and establish clear penalties and consequences to non-compliance.

  • Cloud-native & AI-era security — CNAPP/DSPM, identity-centric controls, and securing AI/LLM supply chains.

  • Identity security — driven by Zero Trust and disclosure/regulatory pressure.

  • OT/critical-infrastructure protection — compliance + real-world risk keeps spend elevated.

  • Healthcare resilience — HHS initiatives + threat environment create sustained demand.

  • Post-quantum cryptography — NIST’s finalized PQC standards kick off a multi-year migration.

  • Secure-by-design software — memory-safe adoption and vendor accountability (CISA pledge) favor builders and tools that reduce classes of bugs by default.

Comments

bottom of page