This is an exclusive interview conducted by CIO News with Maria Carmela T. Migriño, Vice President and Group Chief Information Security Officer (CISO) of MERALCO, about her professional journey.
When asked about her plans in her career path to be a successful Vice President and Group CISO, Maria Carmela T. Migriño, Vice President and Group Chief Information Security Officer (CISO) of MERALCO, in an exclusive interview with CIO News, said, the skills needed to be a successful CISO require a mixture of talents. They range from incident response, IT Security Operations, business resilience, intuitive thinking, motivating people, serving as the trusted advisor, and being the voice of reason and assurance. That mixed bag of skills makes it a hard job to fill and succeed at. Thus, in my case, I learned it the hard way; the experiences in both technical implementation and management made me a tougher and better CISO. I developed a mind-set that I should not stop from learning, from getting better as the technology, process, and people keep on evolving. One must be agile and sharp to keep up with the challenges.
When asked about the challenges she faced in her career path and how she overcame them, she said, as professionals, we are faced with decisions continuously and a lot of times the dilemma of going with the flow or against it. At a certain point in my career, I risked losing a job in the executive suite by doing the right thing, when it could hurt powerful people and potentially lose the trust of the CEO and the Board. Fortunately, my action was recognized to be in the best interest of the company and my loyalty and competence have been proven from thereon.
When asked how her organisation geared up in terms of technology in the COVID times, she said, we have accelerated the deployment of various cyber security platforms from endpoint protection, application, and API security, workload protection, authentication following the Zero Trust security model. The objective is really to protect the computing at the edge to ensure that what is being processed or stored is adequately protected.
We have leveraged our SOCs for monitoring and visibility on a 24×7 capacity and leveraging SOAR capabilities for immediate response. Also, they have invested in safeguarding their external-facing assets on WAF, and workload protection.
When asked about technology solutions and innovations she plans to implement in the post-COVID era, she said, we are planning to pull in efforts to further strengthen the security in an emerging IT/OT Converged infrastructure.
When asked about the challenges faced by CISOs today in a similar industry while implementing digital technologies, she said, as businesses begin the transition to a post-pandemic era of work, cyber-security must be at the core of the company’s digital infrastructure. The models that companies put in place for remote work and technology will likely be with us for decades, so putting cyber-security at the forefront is a proactive way to combat issues.
Threats will evolve and hackers will become more sophisticated. Some of the threats are:
- Phishing threats are only continuing to become more sophisticated and harder to detect. Hackers will continue to use things like COVID-19 related headers and vaccination updates as clickbait, hoping to trick just one unsuspecting employee.
- Supply chain attacks target the third-party software developers that a company uses and seek to infiltrate networks and servers with flaws or unpatched security holes. Attackers plant malicious code into legitimate apps and software, and when an employee goes to update the software it infects their computer and network.
- Home network attacks will also likely target employees where they live, instead of where they work. Home networks are far easier to access and have the potential to gain the same reward.
- Distributed denial of service (DDoS) attacks use botnets to synchronously access a company’s web server, overwhelming standard capacity.
- IoT attacks are another next-generation threat that will only become more prominent as companies continue to automate everything from on-site security to manufacturing plants.
It has never been more critical that they invest in cyber-security to ensure that they can do so safely.
When asked how CISOs can overcome the challenges faced, she said, the next normal is a hybrid workforce and environment with a network perimeter that will continue to expand as it connects to more and more networks of devices. To me, it all boils down to establishing a risk-aware culture. An organization’s security culture is not something that grows positively organically. When a security culture is sustainable, it transforms security into a lifecycle that generates returns.
Sustainable security culture has four defining features.
- First, strong support from the Leadership as changes could be deliberate and disruptive enough as additional activities will be part of the BAU.
- Second, it is engaging and fun. Involve all levels in security cascades and implementation. People want to participate in a security culture that is enjoyable yet challenging.
- Third, it is rewarding. For people to invest their time and effort they need to understand what they will get in return – it is about recognition and impact to their bottom-line.
- Fourth, it provides a return on investment. The reason anyone does security is to improve its services and its brand and lower vulnerabilities; make security an organization’s credentials.
When asked about best practices/industry trends/advice she would like to suggest to fellow CISOs for their successful professional journey, she said, be passionate in delivering value, and keep the interest of the company to heart. Success will follow. You can do it.
She continued to say that the new normal has brought cultural shifts and challenges, whole new threats, and vulnerabilities that could disrupt and make the work for cyber-security a challenge. Thus, security leaders should ensure that there is adequate education and training for your personnel, understanding the new risks, protecting your core assets that impact your bottom line, managing your attack, and ultimately building and executing a resilient workforce and architecture.