The “Cybersecurity for Companies” program, run by CATÓLICA-LISBON | Executive Education in partnership with Técnico+, prepares decision-makers and managers to deal with digital threats.
In a context where cyberattacks are multiplying and threatening companies in all sectors, cybersecurity is no longer just a technical issue but has become a strategic management challenge. Paulo Amaral, professor at CATÓLICA-LISBON and coordinator of the “Cybersecurity for Companies” program, developed in partnership with Técnico+, spoke to Marketeer about the weaknesses of Portuguese organizations, the importance of the human factor in data protection, and the trends that will shape the future of digital security.
How do you assess the preparedness of Portuguese companies in terms of cybersecurity?
It is always difficult to talk about the inner workings of companies, not least for security reasons. We can only analyze based on public information and the perceptions that the companies themselves declare—and that is already a problem, because those who manage may not have an accurate understanding of what is going on. The attacks that have come to light show that there is still a lot of work to be done. The National Security Office has done an excellent job, but attack approaches are constantly evolving and preparation must be ongoing. Even if we are ready today, new methods will emerge tomorrow. The speed of technological innovation requires constant vigilance.
Many managers are unaware of basic weaknesses. All it takes is a small device connected to a line or access point to obtain data. There are physical vulnerabilities: cleaning, reception areas, visitors, forgotten computers. Once inside the network, everything becomes complicated. And with teleworking and IoT devices, entry points multiply exponentially. There are layers upon layers—just one failure is enough to compromise the system. These examples show that prevention is not just technological, but involves procedures and attention to the simplest details of physical security.
The human factor remains the easiest gateway. How can this risk be mitigated?
Security must be an integrated skill in people's roles. Just as we have learned to use social media, we must also apply basic cybersecurity practices. This is done through training, awareness, and repetition of procedures. It is not enough to train once: continuous policies must be maintained to make behaviors automatic. Only then can errors be reduced and the company protected from internal threats.
The “Cybersecurity for Companies” program at CATÓLICA-LISBON | Executive Education, in partnership with Técnico+, addresses technical and human vulnerabilities. How is this approach conveyed to trainees?
The 21-hour course brings together experts from various fields and aims to understand where problems come from and how to prepare responses. Management involves technical and human components: technology provides support, but change is driven by people. Therefore, the course combines technical content with leadership methodologies, helping to identify risks and guide specific training for teams in the field. The goal is for trainees to understand the interdependence between technology and people and know how to apply prevention and response policies in a practical way.
What is the profile of the trainees?
The audience ranges from top to middle management and includes those involved in implementation and management. All decision-makers should have this training—it is short but sufficient to understand what it is about, the critical areas, and what to ask of the technical teams. They then identify specific needs and activate training for operational staff. In other words, the initial training provides tools for strategic assessment, and the operational training focuses on practical application in the field. Often, training also helps to raise awareness among teams about correct day-to-day behavior.
Is cybersecurity a management issue?
Without a doubt. Technology is a support, not a driver. Change must be led where it happens. When it is cross-functional, it must come from the top: it is a strategic issue. Investing in leadership and security culture is as important as, if not more important than, investing in technology. Leaders must be involved and committed; they cannot completely delegate these responsibilities to technical teams. Cybersecurity must be part of the board of directors' agenda.
Among the modules—such as the cybersecurity plan or crisis management—which are the most relevant for those facing real attacks?
Both. It's like health: we focus on prevention, but we have to know how to treat the disease when it appears. Prevention increases resilience, but attacks will happen, and it is vital to know how to manage the crisis. If we are not prepared, the decision-making time may be incompatible with the company's survival. We need to decide quickly: talk to authorities, regulators, customers, employees, and activate continuity plans. Without training, teams become paralyzed. It is essential to have clear and tested procedures.
Simulations are essential. By placing trainees in attack scenarios that evolve in phases, we test reactions under pressure. As with fires, training creates automatic reflexes. Crisis management is leadership and practical preparation, not just a plan on paper. Exercises allow us to understand operational and reputational impacts, helping to balance quick decisions with business protection.
In the course exercises, do trainees make decisions in real time?
Yes—and they react well. The three-phase exercises reveal how each person reacts under pressure and force them to make compromises. It is essential to measure all impacts: stopping operations has costs, but data loss also has a reputational and operational price. Without preparation, the risk of wrong decisions is high. The exercises help to create reflexes and skills that do not come from theory alone. Practical experience is irreplaceable in training leaders to manage real crises.
How can you justify investing in cybersecurity when prevention is invisible?
It is difficult to sell security because it is only noticed when it fails. The solution is to calculate risks: assess reputational and business impact, cross-reference with the probability of attack, and decide on the appropriate investment. Not all companies can be the Pentagon; the essential thing is to ensure a minimum level of resilience.
Business continuity is critical: backups must be protected and, preferably, offline. There have been cases where attackers have accessed online backups. If you have secure copies and a continuity plan, recovery is possible; otherwise, the impact can be devastating. Investment is therefore a way of managing risk and protecting the sustainability of the company. This approach helps managers justify costs to the administration and demonstrate strategic value.
How do you create a culture of cybersecurity within the company?
Culture is part of the change process. We are creatures of habit: changing behaviors requires effort and leadership. In the course, we define which habits to change and create conditions for new ones to take root. Without this, knowing the theory is not enough. Cultural change takes time and must be driven from the top down. The consistency and example of leaders are crucial for new behaviors to become automatic. Practical training reinforces these behaviors on a daily basis. It takes persistence and not giving up at the first hurdle. A culture of security is built with small, consistent steps over time.
What security trends should we be watching in the coming years, especially with AI?
Artificial intelligence is accelerating the spread of attacks. Before, you needed a specialist; today, there are tools that allow anyone to act as one, increasing the capacity and innovation of attackers. The barrier to entry has dropped dramatically. Then, there are more and more connected devices, which exponentially widens the risk perimeter. We must assume that any device can be hostile and design internal defenses—firewalls, dynamic checks, temporary certificates. Security architecture must be rethought for this new paradigm.
The evolution of cryptography and the arrival of quantum computing have changed the way we protect data. Quantum-resistant systems and Web3-based mechanisms are emerging. The adoption of cryptographic wallets will grow, requiring new forms of communication and authentication. All of this implies profound methodological and cultural changes. Cryptographic cybersecurity will be more effective if we know how to use it well—and companies are still taking their first steps. In the coming years, we will see significant transformations in the way we communicate and manage digital identities. Preparation must begin now.
Interview with Professor Paulo Cardoso do Amaral, Program Director at CATÓLICA-LISBON | Executive Education