Peter Fizelle spent many years working in cybersecurity, starting in an intelligence agency, then moving on to managed service providers, consulting and various commercial banks, first in Australia, then Singapore and most recently in Hong Kong. “It was the financial services sector that had the money and the mindset to be early adopters of internet security,” he says.
Nine months ago, he started a new job as CISO of the Asian Development Bank, with its headquarters in Manila.
“It’s an unusual hybrid,” he says of his new office. “It’s a bank, but it’s not a bank. Its aim is to alleviate poverty and promote prosperity in the Asia Pacific region through knowledge and investment. We do a lot of development work. But at the same time, we’re also doing large international payments.”
Fizelle says these twin functions of the ADB give rise to different mindsets at both ends of the security spectrum. “It’s an interesting mix.”
On a wave of change
Established in the 1960s, ADB now has 67 member countries – 48 from the Asia Pacific and 19 from outside.
The bank is in the process of digitizing and adopting modern technology. “At the moment ADB technology is undergoing a huge uplift,” Fizelle says. This includes challenging old ways of thinking, introducing new ones, and making sure people understand the risks and rewards.
In terms of security, for instance, some may believe all information should be made public. Some are wary of the cloud, while some are anxious that using technology will impact the way they do their jobs.
Conditions are also unique for a bank that operates in dozens of countries of diverse technological sophistication. “Decentralizing is about ensuring that the controls are adequate and similar across the sites. We work in some parts of the world where infrastructure is a challenge. So it’s about being able to ensure we can secure operations in very different environments,” he says.
There have been some really good changes, but more work needs to be done.
A security mindset
“As a bank, we are very mindful of our payment systems, information assets and reputation,” Fizelle says. “We wouldn’t want to suffer inappropriate web branding or negative media attention.”
Threats come from a broad spectrum of sources. “Different people aim to disrupt ADB in different ways. There are criminals who would like to redirect some of the payments.”
Aside from criminals, there can be activists or minority interests who seek to change the ADB’s approach to projects. “We also conduct commercial projects whose information may be valuable to interested parties.”
Diverse language skills also pose a security risk. “Security and technology tools are focused on the English language,” Fizelle says. “We have staff from 66 nations in ADB.”
Fizelle has kept in contact with his peers in cybersecurity. They share various concerns, incidents and pain points and what they are doing to address them. Malware and phishing are constant nuisances and their “carbon-based technology” – humans – is often the weakest link in the technology process.
“Essentially we introduce uplifts, monitor them and look for more improvements,” he says. “It’s always about education, awareness and controls.” They also talk about how best to make their organizations relevant, streamlined and efficient, and how best to provide clear and meaningful information for management awareness.
Vetting the people you work with
“We work with lots of great people, including specialized consultants with leading expertise on specific development work,” Fizelle says. The bank needs to ensure they get the data they need to do the job well, while also working out how it can keep better control of its critical data.
Ultimately, he concedes, you can only do so much.
“There’s unlimited controls you can introduce. I can remove printers, monitor email, block websites or email, I can even search their bags for materials on the way out,” he says. “But I find human ingenuity can bypass even some of the best designed security controls.”
“I can’t (and don’t want to) look at the photos on their phone every day. I can’t stop people with photographic memories or portable scanning devices. So, there is a line where you need to actually say, all right we vetted our personnel, we have an appropriate level of controls, now we trust them and hope they are aligned with our vision.”
“At the end of the day, there is going to be potential for loss. It’s just how prepared you are for it and how you react if and when it happens.”
The good CISO
Fizelle lists two qualities that make one a good CISO.
First, articulating technology in business terms. You have to be able to “take a complex technology situation or incident and explain it in business terms that will allow the business people, who are typically very good at business but just may not understand technology, to actually grasp the risk and why you are asking them to make the decisions you are asking them to make.”
Second is the ability to take criticism and turn it around. CISOs can be told many things: That they slow things down, that they are the hand brake on the business. “I always try and discourage those analogies. I say wait…we’re not the hand brake, we’re the guard rails. We are not the police. We’re partners.”
Seeing the world
Fizelle cannot stop smiling when he talks about his “mischievous” three-and-a-half-year-old son Archer. “He and I go exploring. We’ve been to Puerto Galera, Batangas and Subic so far. We see lots of things, experience lots of adventure, although playing in the sand still seems to be his favorite.” This year, he is looking forward to taking his boy skiing for the first time.
Fizelle also does boxing, martial arts, skydiving and motorcycling – although the last few have dropped off since his son was born.
“I love seeing the world,” he says. He jokes that his career for the last 10 years has been about finding people to pay him to live in different spots around the globe.
This sense of transience tells Fizelle that there is a definite period for one to make a difference and introduce meaningful change.
“You come on board. In three years, you bring huge change. In five, you’ve completed most of those projects and started on the second or even third round of change. Once the role is business as usual, it’s less my passion. And then it’s possibly time to move on to the next opportunity,” he says.