Some people establish organizations because they want to build something big, or want recognition. But in 2013 when I established the Philippine Institute of Cybersecurity Professionals, I was coming from a different place: Disappointment and anger.
At that time I had just come back home from a security consulting stint in Spain. When I got back to Manila, I saw that those who were supposed to be sharing knowledge to those who want to be security professionals were instead selling it – and at steep prices. Trainings were expensive. We needed warriors, evangelists to spread the word on how important cybersecurity is to the way we do business, and the way we live. But how could we entice more people to the industry when there was the huge barrier of high costs at the outset?
We formed Picspro, registered it with the Securities and Exchange Commission, and started our activities in earnest. We went to different schools and organized events at very low costs. We found sponsorships and grants for interested individuals to get basic knowledge. Over the years we have seen chapters being formed in various parts of the country. These are composed of individuals who want to learn about security and interact with like-minded peers in earnest.
The membership also provides me with a steady pool of resources I can tap for the needs of the telecom conglomerate where I am CISO.
The global human capital shortage in cybersecurity is all too real. Specifically, in the Philippines, there is a dearth of cybersecurity professionals in terms of end-to-end skills. We don’t have a lot of places to look if we want to find talent. So the obvious solution is to create it.
Because I am in a position to create a talent pool, I employ a criteria that looks at something beyond background, certifications and prior experience in security. I look for attitude.
It’s all right if you took up an unrelated course. It’s ok not to be armed with certifications. But if you have the attitude that it takes to learn new things and cope with the demands of this job, if I see that you have the interest to keep yourself informed of what is going on in the industry, then there is likely a match here. The rest will be manageable.
I am also partial to those who have had to surmount challenges in their personal circumstances, such as poverty, or a string of rejections because of lack of experience. These are the people who have a lot of character, and extraordinary drive. In cybersecurity, these are what you need to survive, because cybersecurity is not just another 8-5 job. You think about it constantly, and it has the potential to consume you.
It’s just like what the Bible says: “Many are called, but few are chosen.
In 2016, just before we launched our Security Operations Center, I hired fresh graduates. And look at them now. They have evolved into skilled, confident, promising young security professionals.
In building a security program, you have to have a concept in mind. You cannot do it using a technology-centric or vendor-based approach.
Like everything, it starts with a dream. How do you envision yourself, say, 10 years from now? To be able to do this, begin with a problem, a pain point that you now have. For instance, you can say that the problem is that for many years technology has become more intelligent and more expensive. Industries have consistently upgraded their standards and hired more and more certified professionals. Despite this, financial losses have been growing. Personal information is stolen by the gigas and teras.
So you have the certifications, you have the technology, you have the process, and there are still breaches going on. What is the problem? What do you need?
The answer is intelligence.
Intelligence gives you the ability to identify threats before they reach your environment, so that you can do something before the threat gets to your front door. A security intelligence database is formed by continuously gathering threat information from numerous fronts. We look for threats constantly, and when a threat correlates with a log, then that is immediately a red flag.
At the end of the day, it is people who will scour the environment for threats, process the intelligence, transform it into meaningful, actionable information, and communicate it to all the other members of your organization. How you do here will depend on the quality of talent you create.
The global shortage in cybersecurity is all too real. So is the fact of growing threats and their ability to seep into out daily lives. Let us not wait for the talent market to improve itself to close the gap. We as cybersecurity professionals have a part to play in enabling that market to grow and be up to speed.
This is what I try to do both at my telecom job and in the organization that doubles as my advocacy work. When you do your part in providing solutions, you will never have time to be angry or disappointed. You only feel challenged to do your best, and to do more.
Angel Redoble is Group CISO of ePLDT Group, PLDT Group & Smart Communications