Created by: AJ Eserjose
Posted: Jan. 16, 2019
Category: Cyber Security; CISO Elite Asia 2018
"Policy is very important. This includes defining the levels of control vs. the degree of confidentiality for the data."
Interview with FRANCISCO CASTILLO, Chief Information Officer at MAYNILAD
How would you describe cyber security in South East Asia?
It is hard to say as it differs from country to country and company to company; but if we take the mean, it is probably below the global average, and hence, needs to be worked on.
In today's current cyber environment, cyber security is now considered as a business issue. What are the commonly overlooked business risks that affect an organization's cyber security program?
There is poor understanding at the C-level of how a possible breach will affect the company in terms of disruption, as well as reputational loss. On the other hand, there is really a general lack of understanding that policy is just as important as technology, both in prevention, as well as in prompt remediation. Policy sounds abstract to many, whereas it may be simply described as the rules, regulations and implementation guidelines by which users should abide, and which the different security technologies must follow.
What are the key risk management controls that organizations should actively address to protect sensitive business data? What are the best practices/strategies that they should take to control/mitigate these risks?
Again, policy is very important. This includes defining the levels of control vs. the degree of confidentiality for the data.
Awareness by the users, guiding and training them for them to understand the sensitivity of this data and how it should be treated is a recurring best practice. Again, this is aside from the different technologies available (and ever changing) for data protection.
What do you think is the best way to source the skills that an organization needs, while at the same time maintaining its security? How can CIOs help foster an organizational culture of security?
Cybersecurity skills are in shortage worldwide. Thus, the organization has to gauge how much risk it is willing to take vs. how much it wants to pay for such professionals.
If it deems it high priority (as it would be with financial institutions or big medical organizations), then it should be realistic on how much it would have to pay for such skills. At the same time, it should not depend solely on one person, but train and ready a next batch of security professionals.
Dr. Francisco Castillo is currently Senior Vice President and Chief Information Officer of Maynilad Water Services, Inc., the water concessionaire for the West area of Manila’s greater metropolitan area.
He was previously connected to a major multinational IT consulting firm as Managing Consultant for Asia-Pacific, where he worked for over 12 years in various capacities. In 2013 he was named “Outstanding ASEAN CIO” by the IDG group, and he was also voted Best ASEAN CIO 2016 during the ASEAN IT Strategy Forum in Singapore.
He holds a Ph.D. in Electronics and Telecommunications Engineering from the Universidad Politecnica de Cataluña (Barcelona, Spain), where he was also Associate Director for the Technical Engineering College and Associate Professor, as well as a B.S. in Electronics & Communications Engineering from De La Salle University (Manila).
He has over 50 published papers in international journals and conferences, and has presented in over 20 international seminars. He is also the author of the book entitled “Managing Information Technology”, published by Springer (Germany) in 2016.