AIBP ASEAN B2B Growth
AIBP ASEAN B2B Growth
Globe Group: Securing the Digital Future
In this episode, Mr. Anton Reynaldo Bonifacio, Chief Information Security Officer and newly minted Chief AI Officer at Globe Group, discusses the Group's strategy for organising cybersecurity functions and vertically consolidating solutions using a best-of-breed approach. He also emphasises the importance of tackling challenges by assessing requirements, as each portfolio company faces its own unique challenges.
Globe is a leading full-service telecommunications company in the Philippines and is publicly listed in the Philippine Stock Exchange (PSE). Beyond traditional telecom services, it has major interests in financial technology, digital marketing solutions, venture capital funding for startups, and virtual healthcare.
The AIBP ASEAN B2B growth podcast is a series of fireside chats with business leaders in Southeast Asia focused on growth in the region. Topics discussed include business strategy, sales and marketing, enterprise technology and innovation.
Vanessa Kwan:Hello and welcome to the ASEAN B2B growth podcast, where we sit down with individuals responsible for driving growth within their organizations here in Southeast Asia. My name is Vanessa, and I'll be your host for today. Globe is a leading full service telecommunication company in the Philippines and publicly listed in the Philippine stock exchange. In addition to being a telecommunications company, it has major interests in financial technology, digital marketing solutions, venture capital funding for startups, and also virtual healthcare. In this episode, we have a very special guest joining us, Mr. Anton Reynaldo Bonifacio, currently working for globe as its chief information security officer covering cybersecurity, network security and data privacy. I hear also you have a new portfolio, Anton, thank you for joining us today. May I invite you to give us a brief introduction of yourself, give us an idea of your background and perhaps a little into globe for our audience who may not be familiar with globe.
Anton Globe:Yes, hi everyone. My name is Anton Bonifacio. I'm the Chief Information Security Officer for Globe Telecom. Actually, just as of today, I'm also concurrently serving as the chief AI officer for the company Globe Telecom. We're one of the largest telecommunications companies in the Philippines. Our base is largely postpaid, but of course, in a huge part of our market is prepaid. We've dabbled really into evolving from a telco to a tech co over the past few years. One of our largest portfolio companies that found success during the pandemic is actually G cash with probably a valuation of actually now in the $5 billion range, with roughly 87 to 88 million customers, actually larger than the telco now in terms of customer base, especially post SIM card registration. We actually also have a lot of other portfolio companies that we've been spinning off that we have a health tech business and consult MD. We have an ad tech business and a brave collective. We have a manpower company, so on and so forth. So all of these different portfolio companies are serving different industries with the main goal, really, of being able to uplift the lives of Filipinos every day to a lot of digital solutions. So my function as to so in the cybersecurity space is to be able to ensure that we can maintain trust of our customers across all of our digital services, so even outside of the telco, that's why we serve as the kind of like Central Center of Excellence for the group, as well as the central security operations center, looking after roughly maybe 38 to 39,000 workloads now where 35% of that is actually non telco.
Vanessa Kwan:Awesome. Thank you very much, Anton for the quick overview. Since today's session is diving a little bit more into cyber security, I'm guessing we have to catch up separately on your new hat as the chief AI officer. But back to cyber security for today. Can you share a little bit more about how the security function is being structured at a group earlier, I understand that you report directly to mister Ernest with the CEO of the group, can you kindly share a little bit more about if there's any reasoning behind that kind of reporting line? Are there any dotted reporting line? And also, if any, you said a little bit about the portfolio companies that go path, do the details? Have a get together, sharing best practices? Can we share a little bit more?
Anton Globe:Sure? So structurally, we've always when we started about 2014 the information security and data privacy function is always set outside of both it and network. That's, I think, that that converged space, it's fairly unique to us as far as early adopters, I guess, of that model. The reasoning for that is, at the end of the day, I think a lot of telcos would have a separate security team for it and a separate security team for network. We've always found that a converged operations, even early enough, was what was going to be optimal to ensure that there's standardization and really more efficiency as far as being able to look after both ends of the spectrum. I think a lot of the, you know, operators are starting to look at that model too now, especially with 5G, where a lot of the technologies are actually starting to overlap, whether that's with NFV and cloud based infrastructure. But for us, we've always cross pollinated, I guess, the talents. So even from a SOC perspective, aside from the IT security space, we've always covered also the signaling security space. So messaging, security s7, diameter operations were always all with us, so I think that's allowed us to have a head start. As far as having common tooling, both for it and network, we're one of the very few operators also globally, that have been able to successfully deploy it based security tools into the network. Infrastructure, whether that's our EDRs or sim agents and whatnot. As far as the portfolio companies are concerned, of course, not all of the port codes have their own dedicated CISOs. So our group is one is the only, actually technology function that was moved up to the group level. So we're like a captive MSSP in that sense, where we, you know, help support all of the different portfolio companies as far as their security capability builds are concerned. And at the same time, not just acre security capability builds, but like I mentioned earlier, who are also the central stock for the group. And the portfolio companies that are big enough, of course, in have their own CISOs, which really, particularly in this case, is G cash, both from a size and operational complexity, but at the same time from a regulatory perspective. So definitely, there's a lot of work that we do with them. We do have information security and data privacy councils that are stood up under my team that tries to make sure that all of the best practices that we've discovered, both in the telco and in the FinTech company, are cascaded properly and utilized across the different portfolio companies, functioning like a COE in a sense.
Vanessa Kwan:I understand, I think it's very interesting that you mentioned that when we look at some of the cyber security solution preferences that different organizations have, many organizations say there's no one size fits all approach. There's also some who say we prefer the best approach, where different stacks, you just get the best in every single thing. There are also others where you want to conveniently get, like one platform, and then you get them to do everything for you, for yourself, a globe for the group. Is there preference? Is there a particular take on this particular question?
Anton Globe:It's a mix. It's a mix of some degree of consolidation and rationalization, but at the same time, best of breed. The way that we look at it is more around what we call a sort of vertical consolidation where, let's say, for example, for a particular security stack or technology, let's say either we are a crowd strike shop. We actually have crowd strike across the entire group, so we're vertically consolidating there. When it comes to network security, perimeter security, we are a palo alto shop, so most of our network firewalls, both hardware and cloud based, are with them. So there's, you know, vertical consolidation there, but then we still have several best of breed products across different verticals where we specialize on so it's not pure horizontal platformization. Like a lot of the other brands that we work with also aspire to be but a lot of it is vertical in that sense. However, we are certainly consolidating a lot a lot of our previously agent based tools that we used to have, a lot of are now really getting consolidated more singularly into one particular agent and EDR. So we are subscribing to a lot of the different functions that CrowdStrike has started to adopt. So aside from just EDR, whether it's DLP, vulnerability management, most of the agent based stuff are now single agent in kind of the same way with, you know, network and cloud security, a lot of our cloud based capabilities, from a network perspective, are all starting to consolidate. With Palo Alto, I understand,
Vanessa Kwan:and when it comes to, like the different unit under group earlier, you mentioned there's also some sort of, like sharing best practices. You know, you mentioned about the group being a central SOC, in terms of like solutioning for this subsidiary, do they also have to follow so to say what you guys are choosing, or do they get to decide what for them best? Because, for example, GCash, I'm guessing, they would have their own regulatory consolidation effort that they need to take into account about So would that be different in certain instance?
Anton Globe:So two things. So number one, definitely with GCash, given their size and complexity and at the same time, uniqueness, I think the relationship between the telco and GCash is more, not so much one leading the other, but more both collaborating together. We've rolled out, for example, let's say, if we found success in a technology in the telco that is applicable to G cash, we'd also roll it out there. One example of that is our API security platform traceable. But at the same time, we also look at, let's say, products or technologies that we've rolled out in the FinTech company or in G cash, and adopt that in the telco so that, I think is more of a even relationship in that sense. Now for the other portfolio companies, of course, as much as we want to be able to standardize, we do try to a degree subsidize them, as far as commercials are concerned, to be able to ensure that we still have efficiency within our central functions. Of course, we can't always force that, so that's why I don't say that they have to use the same stuff that the telco or the FinTech company users, but as much as possible, we do want to standardize. But if we can't, we're certainly open to be able to stand up different type of technologies or products, which actually also allows us to do a little bit of R&D and experimentation so that we can see other products that are out there and learn and you know, hopefully that's something that we can also see if it's going to scale better or scale well, that we can use in some of the other portfolio companies, I
Vanessa Kwan:understand. And when it comes to all of these portfolio companies, and together with the telecommunication company in itself, I'm guessing that you would also have. To work with different mobile applications, different mobile channels. Can you share with us, also, specifically in the mobile applications and mobile channel thing? Are there specific challenges that you're facing? Are there certain areas that you know are causing greater concern for the team? I think one of the areas that I've heard a lot is around data privacy, especially, you know, within the telco, within the FinTech, there's a lot of customer data that you guys are collecting, so it's an area of more concern that concern, or are there other areas that you are looking for?
Anton Globe:I mean, all of our businesses are largely digital, right? Like all the portfolio companies are largely serving their solutions and capabilities and serving customers through digital applications, and we are certainly almost 100% mobile in that sense. So definitely, and it's not whether this data privacy, PII customer information or really just, you know, brand reputation, that's precisely the reason why we've set up this group level type of servicing and effort to make sure that all of our lines of businesses in the digital space are protected and are able to meet certain standards or requirements. As far as cyber security posture is concerned.
Vanessa Kwan:I understand, understand, and then when it comes to some of the challenges that you're facing as a whole other certain areas is a greater challenge than others. We put a lot around previously. EDR, XDR, securing and point, are there specific areas that is a greater challenge than others? For you
Anton Globe:wouldn't say on a technology perspective, but just more look, each individual industry and company have their own unique set of challenges. So I think the broader challenge is just being able to ensure that we can solve for those right look, of course, like the FinTech company, would be more focused on fraud, for example, as a threat factor, account takeovers, fraudulent transactions, so on and so forth. As far as their mobile app is concerned, on the telco, a lot of it is nation state espionage, just because of the data that we have than with some of the other portfolio companies. It's given their size that they're largely smaller. It's really just, I guess, general attacks trying to avoid drive by ransomware, so on and so forth. Our health tech company, for example, would be an entirely different regulation, although we're not required to follow HIPAA at the end of the day. It is health data, so I would say it would be almost like a mix of the telco and the FinTech company in terms of protecting PII. So I think the challenge for us is less about, hey, you know, what is there a challenge with a specific technology to implement, but it's really more of ensuring that we're able to meet the unique needs and the unique security posture requirements of each portfolio company with the right approach and the right technologies,
Vanessa Kwan:and it goes that you have lined up plan for cyber security specifically, are there, like certain awareness program? I've heard awareness being a key issue for many people in this part of the world. We've also heard a lot around with compliance management, resource allocation, to a certain extent as well. Are there focusing on in the coming years?
Anton Globe:I think we've always been very lucky that the culture within globe has not really been challenging in that sense, for cybersecurity and data privacy, whether up and down the line, our board, for example, has always been supportive and has always embraced our efforts. I always boast, or at least I'm always prideful, that, for example, ROI has never really been a metric that was required out of us. We were never required to report, oh, what's the security ROI? Like, they always knew that the value proposition of security is really being able to ensure that the mission and the vision of the company is something that we're able to deliver successfully. And again, that really goes back to the heart of what we want to do, which is to be able to uplift the lives of Filipinos every day. So it's almost like it has to be done. We gotta be able to protect our customers. So from an awareness perspective, like I said, the good thing is that we started our maturity journey early. So of course, I'm not going to say that it was always roses and flowery environments when we started, but I think, like I said, it's more of the reception of the company as a whole. Because of the culture that we have, it was not difficult to tie it in, into mission and vision and purpose. And I think we when we were able to communicate it that way and really link it back to the purpose driven culture of the company, it was actually easy to evangelize as far as the work that was needed to be done.
Vanessa Kwan:understand. And the final question I have for you is looking ahead. What are some areas within cyber security that excites you the most? Are there certain things that keep you up, awake at night and hoping not to met
Anton Globe:Well I mean, I think what always still keeps me at night is, really, I've always been telling like, even the board, I think in the past two, three years, really, I think the difficulty and the complexity of the industry has really skyrocketed. Cybersecurity was easier 10 years ago, and I would say it was what much, much easier 20 years ago. It's just so complex now, because of the threat landscape, the attack surface, and all of the things that we're doing, like zero day attacks are being being more difficult. You got supply chain issues. So I think it's just harder for defenders nowadays. But then I guess, related to that, which is the new hat that I'm wearing. I think the rapid pace that AI development is increasing makes, I guess, the industry both exciting and daunting. At the same time, I think it's exciting for defenders, as far as all of the cool new things that we can do to be able to defend our infrastructure and, I guess, environment a little bit more better. But at the same time, it's a double edged sword, right? That can also it's starting to be used by attackers, whether that's deep fake attacks, so on and so forth, for social engineering. So I think it's just reaching a very, I would say, exciting point, as far as the current cyber is concerned, that you certainly have to sleep with one eye open. But at the same time, where you when you're awake, you're in the zone, because there's so many exciting things that are actually in front of us that we can take advantage of.
Vanessa Kwan:That's awesome. Thank you very much, Anton for sharing your perspective.
Anton Globe:No worries. Thanks for having me.
AIBP Intro:We hope you've enjoyed the episode. For more information about business growth in the ASEAN region, please visit our website, ww.IoT business-platform.com.