“I get the psyche of the opponent,” says Jonathan John “Jon” Paz, information security officer of the third-largest bank in the Philippines. “I understand the thrill that hackers feel.”
He recalls his university days as a chemistry/computer engineering major, when he pulled a prank on his friends.
“I came up with a program that would be classified as malware now, but back then was just recreational. I was able to get everybody’s logging credentials and I changed the greetings at initialization to simulate something bad happening to the system,” he says. “I called it the Apocalypse Virus.”
The user was presented with a rapidly deteriorating sequence of events, telling him or her that memory was being wiped out, that it was attempting system repair, and then failing.
“Just my luck,” Paz remembers, “one of the ‘victims’ was the computer lab administrator who was a few batches ahead of me. He did not take too kindly to my deed, called for a witch hunt, and banned me for two full months from the computer laboratory.”
As a boy Paz wanted to be a scientist. “First, I dreamed of becoming an astronomer, and then a chemist. I remember enjoying and excelling in chemistry as a high school student. That my sister was a chemist probably gave that nudge that sealed the deal for me.”
In high school, an uncle gave him a computer and Paz discovered to his delight that he could make the computer do things. “It was not a structured study, but I spent my free time learning how it worked.”
He pursued a hybrid degree – chemistry and computer engineering – at university, grateful to have found a track that combined his two interests. Before long, however, he realized that, while he liked chemistry, it did not seem to like him back.
“I was lousy at lab work. I kept breaking things. Some of the things I set up exploded. I left marks in the lab – on the ceiling, on the tables. Talk about leaving an indelible mark.”
Wide and deep
Over a 19-year career with the Bank of the Philippine Islands, Paz has had various assignments in risk management and product development. In 2013 he was tapped to shift to systems quality assurance. “A big part of that was looking at access rights, how people actually use the systems. Access rights are an important domain of information security,” he says.
Now as EISO – essentially a CISO equivalent, but one that acts for the entire banking group, including BPI subsidiaries – Paz shares the knowledge he gained from years working in different areas of the bank.
In that role, Paz believes several trends will dominate information security concerns in the next few years.
“Data privacy is today’s biggest buzzword,” he says. “With the GDPR kicking in, people are scrambling and there is a focus on protecting personal information as part of a broader obligation by organizations of recognizing the privacy rights of individuals.”
An area he believes is often overlooked is vendor management. Paz cites what happened to retail giant Target, whose CEO stepped down after a breach. The attackers did not go at Target directly; they compromised a vendor that provided heating and ventilation services to the retailer and used that vendor’s network access to get in.
He himself does a considerable amount of vendor intelligence: “I think I am appropriately paranoid enough.”
He also sees a rise in advanced persistent threats, particularly in the banking industry. Paz cites a number of recent, high-profile attacks against financial institutions and payment systems worldwide. These reveal not only the increasing sophistication of attacks but also the fact that banks and payment systems remain prime targets of cybercrime.
Paz is proud of his bank’s defenses – it was the first local bank to have an advanced security operations center. “This is the linchpin of our defense as we harmonize controls,” he says.
Still, regardless of the sophisticated controls in place, “these will only be expensive toys if people still neglect their own role in ensuring the security of the customers’ and company’s information and systems – namely by adopting and practicing good security hygiene such as using good passwords, recognizing and reporting harmful emails, properly storing sensitive documents, etc.”
When he assumed the EISO position, one of his priorities was to build a culture of security awareness. It’s a multi-front approach. “We do bulletins, posters, email. We have an e-learning platform that people have to take yearly. Every October we join the international community in observing cybersecurity month, where we get leading international names to talk about their expertise through demonstrations, seminars, lectures. Some demonstrations would feature real-time, on-site actual hacking of phones and computers to bring home the fact that cyber attacks are not fiction but rather an everyday occurrence that could happen to anyone with devastating consequences.”
It’s an opportunity Paz relishes, because he is also aware that he is often seen as the “killjoy” who at times denies people conveniences – unfettered internet access, for instance – that make life “easier” at work.
To counter this perception, he talks to people and shows them what can happen and what the dangers are. A CISO has to have the patience and fortitude to explain how certain things and situations apply to users so that they understand.
“This takes up a lot of my time, but I don’t mind, because I think it is important.”
Indeed, for Paz, communication skills are most important for a CISO. “It’s salesmanship. You need to be able to explain things as they are. You need to get buy-in and it’s not easy. And when I say buy-in, I mean from the top down to the rest of the organization.”
A hands-on, bite-sized approach
“I’m a dad,” Paz says when asked about his preoccupations outside the office. He has two boys, 18 and nine. He likes helping out with housework, doing repairs, watching shows on Netflix with his wife, and helping his younger son with schoolwork. He also has a new hobby — drone flying.
It’s a fitting downtime for someone who is in charge of security at the Philippines’ third-largest bank. Paz believes he is fortunate because, as an analytical person, he can deal with several complex issues at once.
He acknowledges that “in cybersecurity, there are many complex things for which we could not even pose correct questions, much less answers. It’s all too open-ended. So, in order to not be overwhelmed, we can break it up into bite-sized issues that are manageable and actionable.”