In a job interview just out of college in 1995, Angel Redoble was asked if he had any experience with computers. An engineer by training, Angel said he had none.
Fortunately, the boss was a friend of his sister. She hired him as an allowance-based trainee at one of the first Internet service providers in the Philippines. He took a two-week crash course and absorbed everything he could. He became a regular employee after a few months.
One day, one of the company’s servers was hacked. “That was the start of my curiosity,” Redoble says. “How was it done? How could one possibly get into a system without proper authorization?”
These questions nagged him during the day and kept him up at night, especially when he was manning the graveyard shift.
Narrowing the field
His interest piqued, Redoble observed that security was becoming an increasingly serious matter. “I started to see businesses being affected by breaches.” He moved on to other companies, each stint more focused and senior than the one before. And then he lived in Spain for five years to help develop Indra Spain’s cybersecurity practices and services. At the same time, he took his master’s degree in information security. He then went back to the Philippines to work in consultancies, before he was asked by ePLDT, a subsidiary of the telco giant PLDT, to come on board.
Through this series of engagements, he became steeped in the language of threats.
Some threats, he says, are broad in nature. They are released with no specific targets. For example, when malware is released, “you get hit and it’s bad for you.”
But there are also threats that are specific to your environment, your business, your person. “The number-one threat is to the information that you hold. Personal information nowadays is like the new goldmine.”
Strategy and paranoia
When his current company first asked if he wanted to be its CISO, he asked: Why do you need a CISO? Are you sure you don’t just need an IT security officer?
Redoble is particular about where the CISO is in the organization’s structure. “In most companies here, the CISO is under the CIO, which should not be the case… The CISO needs to be right under the one with the highest position. The CISO’s job is to advise the top person on the current status; what the risks are, what needs to be done. It’s strategic. Not everyone can be a CISO.”
Who, then, would make a good CISO? You need someone who can elevate the smallest detail, the lowest security incident to a business perspective. Someone who can discuss the repercussions of a successful attack on the business itself.
And if paranoia were a requirement anywhere, cybersecurity would be that field.
“A CISO is not friendly. If you have a group doing critical jobs and this group starts to question the policies of the company, get them out of their environment right away. What if this group sabotages the entire operation of this company?”
Since specializing in information security, Redoble has adopted the mindset that something is wrong if no malicious activities are seen. “Always question the status quo…it’s a lonely job.”
Fighting threats actively
Redoble harbors no illusions. No one is ever really secure. “Security devices have become more and more intelligent, but if they are effective, how come we are still losing a lot of money? Financial loss due to cyberattacks was $2.1 trillion and in 2021 it will be $6 trillion.”
“Is it really the bad guys becoming sophisticated or the good guys not getting better?” he asks.
For the longest time, people have always been reactive to threats. But it is possible to be proactive, through threat intelligence and threat hunting. He points to subscription services that provide predictive intelligence that feeds organizations’ threat database. People are told: “There is a new threat, your network can be affected, this is what you can do to prevent that.”
Then again, everything boils down to budget. Organizations may claim they are supportive of cybersecurity initiatives, but it is the money that actually speaks of the commitment. “I may be very good as a CISO, but without budget, I am nothing.”
Redoble is also a lecturer on cybersecurity at the National Defense College of the Philippines, and a member of the advisory council of the Philippine National Police. Five years ago, even before joining ePLDT, Redoble organized the Philippine Institute of Cybersecurity Professionals.
“I did it out of frustration,” he said. All the training and certification in cybersecurity were expensive, and often ineffective. The institute reaches out to professionals across the country, as well as to students, whom it encourages to go into cybersecurity. “Every industry is automating, deploying technology, connecting, integrating…we need more people. In 2015 there was a shortage of 6 million cybersecurity professionals globally.”
He also wishes to see a comprehensive cybersecurity policy for the Philippines, a law ensuring a budget for it, and a school offering a cybersecurity degree instead of just courses.
The weekend farmer
Redoble’s humble beginnings in his home province of Zamboanga Sibugay exposed him early to farming.
Even now, when he is not away on a business trip, he comes to his farm. It’s not even to deal with the stress from the job. “It’s really just something that I like doing.”
He is also into breeding chickens, not gambling, he emphasizes. Cockfighting is a popular pastime in the Philippines. “I like the scientific approach to producing the most competitive one.”
Finally, he likes reading up on what is going on in his field. “I am not an expert. I consider myself still a student of cybersecurity.” It’s a fast-paced profession where he says no one can claim to have mastered the trade.
“Today you may be secure. But what about tomorrow?”