CISO: the frontline defense against cyber attacks and data breaches

An exclusive interview with Angel Redoble, First Vice President & Group CISO, PLDT Group & Smart Communications


At a glance

  • Angel Redoble, the Group CISO of PLDT Group & Smart Communications, highlights the critical role of a Chief Information Security Officer (CISO) in maintaining the security of a company's sensitive information and systems.

  • Redoble identifies the common threats to telecommunications companies like PLDT/Smart, including network intrusions, malware, phishing scams, insider threats, IoT device vulnerabilities, and Distributed Denial of Service attacks.

  • He shares that his day as a CISO has no beginning or end, highlighting the continuous demand and commitment required by the role.

  • The company assumes a "breached" position, constantly preparing for potential cyberattacks. They conduct "Cyber D-day" activities monthly, simulating crisis situations and rehearsing their responses.

  • Redoble underscores the importance of collaborations with law enforcement agencies, government organizations, and other private groups to address cyber threats.


The Chief Information Security Officer (CISO) plays a critical role in ensuring the security and protection of a company's sensitive information and systems. With the increasing threat of cyber-attacks and data breaches, having a dedicated and experienced individual to lead the company's cybersecurity efforts is becoming increasingly important. Additionally, a strong IT team that prioritizes cybersecurity and implements the latest technologies and best practices can significantly reduce the risk of a successful cyber attack and ensure that a company's assets and reputation remain secure. Organizations must understand the importance of investing in a strong CISO and IT team to avoid potential security threats.


Angel Redoble, the Group CISO of PLDT Group & Smart Communications, highlights the critical role of CISO in maintaining the security of a company's sensitive information and systems.

Telecommunication companies like PLDT/Smart face a range of cybersecurity threats that can compromise the privacy and security of their customers' data. Some of the common threats the IT team of a telco faces almost daily are the following.

Network intrusions: Telecommunication companies have vast and complex network infrastructure, making them vulnerable to unauthorized access and attacks by hackers.

Malware: Malicious software such as viruses, Trojans, and ransomware can infect telecommunication systems, compromising data and operations.

Phishing scams: Telecommunication companies and their customers can be targeted using fake emails, texts, and websites to trick individuals into revealing sensitive information.

Insider threats: Employee mistakes or malicious actions by insiders can result in data breaches and loss of sensitive information.

IoT device vulnerabilities: With the increasing use of IoT devices in the telecommunications industry, there is a growing risk of attacks that exploit vulnerabilities in these devices.

Distributed Denial of Service: DDoS attacks can overload a telecommunication company's network, disrupting its operations and services.

I reached out to Angel Redoble, First Vice President & Group CISO, PLDT Group & Smart Communications, to shed light on the latest innovation his company has to offer to ensure the security of its network and the safety of its clients. Redoble said that it is crucial for telecommunication companies to stay vigilant against cybersecurity threats and to implement robust security measures to prevent and respond to attacks. "This includes regularly reviewing and updating security protocols, conducting security awareness training for employees, and investing in the latest technologies and solutions to protect against cyber threats," Redoble added.

Here's our conversation:

How did you become the CISO of the country's biggest and most successful telecommunications company?

In 2016, I had a project with ePLDT while running my own consulting firm. After that project, the PLDT Group wanted me to become a cybersecurity consultant. Eventually, they asked me to become the CISO (Chief Information Security Officer) of the ePLDT Group. When I asked why they needed a CISO, they said they needed someone to handle cybersecurity in IT. I told them they didn't need a CISO because the role of a CISO is much bigger than that.

Eventually, we agreed on the scope of work. So, I had a chance to interact with the PLDT IAPA (Information Asset Protection and Assurance) during that time. Then one day in 2018, MVP (Manuel V. Pangilinan, Chairman of PLDT) suddenly summoned me. I was asked to present my plan for the PLDT Group. It was a good thing that I was always ready. I believe there would be a significant impact if we could fix and improve the cybersecurity posture of the PLDT Group, including Smart. It would have an immediate impact on the community. It means all our subscribers, individuals, and enterprises will benefit from it. So, without prolonging the discussion, in September 2018, I became the Group CISO of PLDT. Then everything else is history. Maybe, I was able to convince MVP. That was a 15-minute presentation. What will you do with PLDT?

I became the CISO of PLDT. I never thought we could handle the job because we had to go through a non-cybersecurity culture at the time. But with the help of the team we built when I came on board, we also created the CyberSecurity Operations Group with the AO.

And with the support of the Top Management Team and the Chairman, we became very aggressive and persistent. It took us three months to push the agenda to the lowest level. And now, we are partners in building a cybersecurity culture. We're done with police work.

What is a day like for the CISO of PLDT/Smart?

Actually, my day has no beginning and no end. Even at night, as they say, we can't afford to disconnect. I can't disconnect. Every day, for many years, my life has been the same; whether during work hours, night hours, weekends, or holidays, it's all the same. Whether I am with my family, friends, or officemates, it's still the same. There's no letting go. I'm always on the go. And because, as our chairman once said, you shouldn't be sleeping because our enemy doesn't sleep. When it's a night for us, it's morning somewhere else. It's not something heavy to carry because whatever we do, it provides a safer environment for our subscribers and the community. This includes your family, your relatives, and your child who is doing online learning. It's a very satisfying job.

How does PLDT/Smart balance ensuring customer data security with providing seamless and innovative services?

So with cybersecurity, you cannot treat that as a counterproductive measure. That's why it takes the whole organization to plan. Business, when they have a plan, they involve us. IT, when they have a plan, they involve us. Network, when they have a plan, they involve us, and all these things are being considered. Because the moment you use cybersecurity to say, "No. You cannot do that. No, you cannot do this," then you're not a part of the team. You're not part of the business as a whole. So, you make sure that your cybersecurity is used to deploy a measure that can sustain the growth of the company. So, we may not be contributing to the revenue generation of the company, but we make sure that cybersecurity is used to ensure that the sustainable growth of the company's revenue is protected. So, when cyberattacks come, we prevent that, so that our financial, business, and operational capabilities are not impacted. It's not a balance, actually. We don't do the balancing act. It has to be the norm. We cannot say, "You need to do this, even if you will have a problem with your seamless services." There is a way to do it.

Can you share your strategy for preventing and mitigating the impact should there be a successful cyberattack on your network and customers?

One of the regular activities we do is "Cyber D-day." It is a cyberwar-related activity in which we identify crisis situations. So, we identify cyberattacks with massive impact. For example, ransomware, DDoS attacks, website attacks, and cyber-attacks that can impact our services, financial, reputational, and operational capabilities. So, every month we do that, and then we go back to the process on how to respond with the mindset of making sure that the company will not suffer service impact scenarios, will not suffer financial risk scenarios. With everyone involved, it is not just us; IT is there, Network, Corp Comm is there, Regulatory is there, Legal is there, everyone is there. It's a whole-of-company approach, wherein, when we have an incident, everyone moves. So even though we are the ones on the frontline, we make sure that Data Privacy is advised. We make sure Corp Comm is advised. We make sure Legal is advised. And then, for my part, if the situation's gravity is high, I ensure that the Top Management Team is notified and informed correctly. So, the strategy, in a nutshell, is we assume a "breached" position. We no longer say "if we have a cyberattack." On a daily basis, we always say… that is why, every day before 12 midnight, we have something we say: "We are lucky today. But tomorrow we might get hit." So it keeps everyone on their toes. It keeps everyone at the highest level of vigilance because we consider that, anytime, if not today, tomorrow, we might be breached. So we are ready to respond.

That is our resiliency strategy. We already assume a breach position so that we are ready to respond.

How does the cybersecurity team of PLDT/Smart stay ahead of the ever-evolving tactics used by cybercriminals targeting the telecommunications industry?

There are parallel efforts. Well, number one, we have what we call our cyber intelligence operations, and we acquire threat information from our partners worldwide. So we have open sources, and we also have commercial sources that we pay for. And we have our threat-hunting efforts. This one is a 24 by 7 effort where what we do, on a daily basis, is hunt down these new threats.

And then, internal to us, very important is the upskilling, constant upskilling. So our people, whether through free or paid training, we continuously upskill. And most importantly is the constant reminder to everyone that what we are doing is not just protecting our infrastructure and systems, but we are protecting a community. So, if we are going to let go, if we are going to relax, then it will not be just us who will become victims, but the whole community and it involves everyone.

Do you collaborate with law enforcement agencies and government organizations to address cyber threats?

Yes, we have a partnership with the Philippine Air Force cybersecurity group, and we also collaborate with the cyber battalion of the Philippine Army. And we are closely working with the DOJ Office of Cybercrime, the NBI Cybercrime Division, and the PNP Anti-Cybercrime Group. And we are also in constant talks with other private groups. We attended the ASEAN-Japan Information Security Workshop together with DICT. And we have an excellent plan. And the plan is focused on threat information sharing. When that happens, when we can deploy and implement that in an automated manner, we can improve our cybersecurity posture as a country. 

What regulations and standards does your organization adhere to for customer data privacy and security?

Number one, we are securing our data and our infrastructure. We are following the ISO 27001 standard and have already applied for certification. And for data, we adhere to the Data Privacy Law of the Philippines, GDPR, and other standards like the Protection of Credit Cards. So, all these are part of the compliance requirements. And we are also complying with US SEC Rules and the New York Stock Exchange because we are traded in that area. And also locally with the SEC and PSE. Nevertheless, even without these requirements, we are very strict in implementing security and data privacy in the whole organization. 

Can you share a real-life example of how your team successfully prevented or mitigated a cyberattack?

Last year, we had a very close call because the attacker was able to breach the first layer. And he was already on the second layer, and that was when one of the assets that the attacker could connect to sent a notification to our incident response team. That was 12:45 a.m. And immediately, everyone was into it. It was a tug-of-war. We are trying to prevent the hacker from moving laterally to our critical asset. So, he was in the level wherein almost inside the high-risk areas. It became a tug-of-war because our team was already chasing this hacker. We identified him to be in one asset. Every time he executes a process, our team deletes the process, executes another process, and our team deletes another process. Eventually, we could identify which account was being used by the attacker, and that ended everything. He was removed. He was kicked out, and the investigation started. We identified it, and with our forensics investigation results, we called for assistance from the Anti-Cybercrime Group. It is crucial to note that we have more than five layers going into our system. That was very memorable.

How does PLDT/Smart measure the effectiveness of its cybersecurity measures and continually improve them?

So, there's always a 'before and after' scenario. Before we were created, these were the scenarios – not very good scenarios. After we were created, these scenarios until today, knock on wood, have not been repeated. The measure is always on whether the company was subjected to financial-related issues due to cyber-attacks. Did we have downtime because of cyber-attacks? Have we been penalized by data privacy regulators due to cyber-attacks? Did we have reputational issues due to cyber-attacks? So far, day-to-day, we have not experienced those risks yet. So, to us, that is ultimately our bible because that is why I was hired – to ensure that the company is not subjected to these types of penalties and risks. And we continue to improve, still using our balanced scorecard. Every year, we go back to the strategy, and we assess whether the strategy is still applicable. For those strategies that are no longer applicable, we improve them or change them. And then, we are following our cybersecurity maturity roadmap wherein in some areas we are already 'optimized,' in some areas we are still 'managed,' in some areas we are still 'defined.' It's good to know that we no longer have areas where we are still 'ad hoc'. We are already in the optimization stage. 

Do you have any advice for someone who would like to follow your path in cybersecurity?

You have to give it all. When you join cybersecurity, you cannot be half-hearted. When you join cybersecurity, you cannot be motivated by money. It would be best if your passion, your commitment inspired you. The discipline you must have in you must be on the highest level.

And most importantly, you need to have that integrity beyond question. Because we are doing cybersecurity, you cannot have that questionable integrity. Cybersecurity, it's a very powerful and compelling profession; when you do not have that hundred percent integrity intact, you will have a problem. 

We have three core values in our group. We are loyal – to the company and the country. Number two, we are very committed to doing our jobs. Whatever time, holiday, weekend, the early hours before dawn… Number three is integrity must be beyond question. So those are the three core values of the Cyber Security Operations Group.