CSO Executive Sessions / ASEAN: Mark Frogoso on the financial services industry

CSO Online | Apr 6, 2022

Mark Frogoso – Group Chief Information Security Officer at Mynt and its subsidiaries – joins Xiou Ann Lim for this CSO Executive Sessions interview. They will review lessons from cyber-attacks, discuss the efficacy of older methods of protection, and more.

Copyright © 2022 IDG Communications, Inc.

Hello and welcome to CSO Executive Sessions. I'm your host Ann, and every week I speak to cybersecurity leaders across Southeast Asia and Hong Kong about leadership, technology and the latest trends in the industry. My guest today is Mark Frogoso from the Philippines. Mark is the Group Chief Information Security Officer at Mynt and its subsidiaries GCash and Fuse Lending. Thanks for making time to join me on the show, Mark.

Thanks. Thanks for having me.

To kick things off, can you tell us a bit about Mynt?

Sure. So um, Mynt is the largest FinTech in the Philippines. It's the operator of the number one e-wallet, GCash and more. One of the key stakeholders of Mynt is one of the biggest, the biggest telco in the country Globe Telecom, Ayala Corporation, which is one of the biggest conglomerates and Ant Financial or Group, which is the FinTech arm of Alibaba company.

What are some advantages in terms of cybersecurity of using Mynt compared to other mobile payment platforms?

I think there's definitely some advantages or good things of you know, each of the payment platforms out there. But one of the things that I see would be the technology platform. Since we're like, you know, we're like partnered with Alibaba, they have this platform called, we call it A Plus, which is hosted in the Alibaba cloud. It's a tried and tested platform. It's pretty much being leveraged by Alipay. And Alipay, as you guys know, have onboarded over a billion of customer base already. So it's a it's a tried and tested platform. On top of that, we also have a back end risk engine. So basically, just to make sure that you know, all transactions, we ensure that the transaction that's happening is actually legitimate. So yeah, I think those two things would would definitely be some of the advantages that I see.

Now, we often talk about improving an organization's internal cyber risk culture. But I'm curious about creating cyber risk awareness among clients and users of the platform as well. How are you doing it at Mynt? Do you have any pointers to share with other CISOs?

For us, we constantly and regularly push those information campaigns, because it's never going to be enough, right? Also, we kind of like [a] customized approach to the audience that we have. We publish awareness, as we also understand, as we get to understand the current modus operandi of the current threat landscape. We, you know, we publish immediately, those information campaigns, so that our clients and customers are up to date with these new things with this use with these new risks, right. For organizations, I think my advice for CISOs out there is to really assess the current state of awareness of their employees. And see if the, you know, the awareness programs still work or not. Um, I firmly believe that there's a need for personal touch, not just with the usual infographics and emails, because these emails tend to be ignored. The moment you get you got it on this, this email again, just deleted, archive it, what have you, but I firmly believe that there's a need for a personal touch, meaning that you know, what is it what kind of email that will that will have a high rate that the end user will actually read it. And those are not infographic campaigns. There should be a personal touch. I think there's a need for you know, for for that as well. You know, just coming up with new things, effective things in terms of really making sure that your your employees are aware, and also your customers are aware.

To get as creative as threat actors, when it comes to social engineering?


You've worked with some major multinational banks before Mynt. What are some of the advantages and disadvantages in your experience of managing cybersecurity for a FinTech versus larger financial institutions?

Oh, yeah, I think I can think about two things. Number one is really the technology. So for technology, I think the the FinTech organization, or any new tech organizations out there, they're kind of like, quick in terms of adopting technology, and then leveraging that to, you know, to make use of that and to deliver the products and services that they have. The other thing is about the the organizations, the FinTech organizations, are quite agile. I mean, the business is very quick, the time to market is really quick. And it's an agile organization, just to make sure that we can cater all of these products and services, we can quickly, you know, create products and services on the fly. But I guess on the on the flip side on the larger financial organization, I think they're not kind of, you know, they have their say, they're the inverse of that. So, they're not really that... They're modest in approaching these things. And I think it's somehow good, the way I see it, because there's rigorous due diligence, that the larger financial organization are putting into that process. And so some of the disadvantages and advantages from a cybersecurity perspective... Because, you know, if you're kind of quick into adopting new technologies without really putting security and oversight and governance, I think you'll you'll, you'll definitely not be in a position of, you know, an ideal position from a cybersecurity perspective.

That's a good point. What would you say are the top three cybersecurity threats to the financial services industry in Southeast Asia today?

Well, I think Asia as a whole, um, the way I look at it is there's been tremendous progress when it comes to it, right. Digital transformation, digital adoption... When we zoom into Southeast Asia, I think we need to step back and say and assess what happened in Southeast Asia in the recent years, right, in the last five years. So I think, number one, technology. I mean, it's been it's been known that, you know, I think it's very recent with with this particular study did by Okta that, you know, there's a huge investment from from Southeast Asia code organizations on technology, and specifically, the cybersecurity. I mean, they're now really investing into that, which is good, that's a good sign. The other one is because of because of probably the pandemic, but I think, in terms of the technology is already there. The online behavior or online activity of users in Asia? I think if you look at the most online countries, I think 3, 4 or 5 countries in Asia are on the top list. Right? So with that, you will then see that there's, you know, there's, you know, there's definitely a threat of cyber, there's there's definitely there because you know, the users are now going online. And the third would be that your threat actors or your threat actors within Southeast Asia. It can be local on the country. But there are I think there are threat actors. Also in geopolitical situations, right, I mean, mean, you know, one thing of a new one, one bad news out there will mean a cyber attack. Right. So um, when I when I look into these things, definitely these are these are worrisome, the cybersecurity threats in Southeast Asia, right, then, like the technology threats, basically, because we're kind of like adopting new technologies, our users are more online. So I mean, these users will then be at risk of fraud or scams, right, if they're not really that aware of the threat. Let's be mindful of also the threat actors. 
Because definitely some of the motivation there can be, you know, not just money, but also geopolitical situation or even military, right. So we need to be mindful of that.

And on a related note, what are some areas of opportunity that you think we can tap on to strengthen cybersecurity in the industry?

So I think, number one, for me would be would be people, I think we need to upskill the current cybersecurity professionals. Really not just on the things that they do on not just technical, but also how to deal and work with people. And specifically going up to the management chain. I think I think there is a need for us to really not just be the technology guy out there, but also speak the language of the business. The other thing is really make more of us. I think I've mentioned this awhile ago, right? I mean, when when we're doing the short discussion there, but I mean, let's all contribute, because we already know it's a global problem, right? I mean, and so we probably want to just, you know, support, you know, where we can, in making more of us, just simple as you being a mentor of one or two people is already a big, big thing, big contribution. Moreso if like, you know, moreso, you can be an educator yourself, you know, part of a school, for example. So yeah, the other thing is technology. I mean, we are always going to leverage the power of technology going forward into the future, right? So I think in the financial services industry, we need to find more ways to automate things. I mean, we can put more people in a specific problem and just find way to automate, because the more you automate with human oversight, the more you automate this, you're reducing the risk of human error. The other one is... Really quickly move to cloud. It is one of the things that I can, I can say, because the way I look at it is, cloud is more secure than your legacy on prem technology and infrastructure. So quickly move to cloud. But not quick enough that you don't, you know, put in the right foundations and pillars to that you need to have the right designs, you need to have the right value, why are you even going there, you need to make sure that, you know, you have enough oversight and governance. I think that's that's one challenge now in the cloud space. 
And then, for the big financial organizations out there, I think they need to look into their legacy systems, I think that is in itself is already a problem now, from a cyber and security perspective. So you probably want to look into that and say, "Hey, I don't know, are we going to have this in the next 5-10 years?" Or do we need to probably look at it and say, "We need to refresh all of these things."

That's a great observation, especially around legacy systems in the FSI industry. Now, can you share a story from your experience where you helped prevent an attack or helped an organization recover from one? What are some key takeaways there?

[Laughs] That's a very interesting question, Ann. I mean, it's very, there's some sort of like, there's, there's sensitivity with it, but I can definitely tell that there's a lot of them. Of course, I'm not gonna say which company. But there was a time that the whole internet that when you, when you look at threat status of the whole internet, I was fortunate enough to witness it on yellow, and even Red Alert. During that time, I'm not sure what year but there's, there was that time... And during that time, when I was with the company, most of the most of the most of the enterprise companies that I support, are getting, getting viruses and malware spreading across the network, crippling their systems. Right? So I mean, during those times, all of us were like, you know, "What's going on? How do I help? How do we help them?" Of course, it's really about knowing what you know, knowing what to do in those situations, right? So escalating to the to our product teams or R&D folks, just to make sure that we have the right solutions to address all of those, you know, the malware to contain them and to fully eradicate them. There are also at times, right, and I'm thinking of a time to actually see the actual attack, we're actually being attacked. I think it was if I'm not mistaken, it was a Conficker malware during that time. So I would say, you know, pretty much the containment basis, just to make sure that you know, the all the ingress points are closed, making sure that within your, within the, within the organization, you have the right solutions, and to a point where I go to each individual machine to actually just clean it up from not really formatting the machine, but also just you know, finding or reverse engineering, the malware, finding where it goes to the system, to the registry, to the files to the DLLs everything, even the processes. So and there are also situations where even users are misbehaving, right? 
I mean, doing that doing those things that are not supposed to do, you know, that that really has implications to cybersecurity, I mean, to a point where in we now are invoking legal, we're now invoking HR, "What can we do?" There, it's really, there's a lot of different sorts of things. It's very unique, even if we're talking about malware, but you know, probably unique malware. If we talk about, you know, other types of threats. It's really unique. It's really good. I think the, the lessons there, um, I think number one: time. I mean, be mindful of time, I think when we're talking about incidents, time is very... it's of the essence right? Timely reporting, and even information dissemination across all relevant stakeholders within your organization or even outside your organization. Right? So, time. The other one is really knowing what you what what you need to do in those situations, right? I mean, all of those processes, procedures, your playbooks or run books, right? I mean, those need to be well-tested so that it's really that effective. And then not just that, but really doing parallel activities, right. So your containment, eradication, but also now dealing with your customer base, because sometimes your customer base are now going to inquire. Even the regulator will have to be notified. So there are parallel things you need to do. And the key here is knowing what to do. And knowing what you're doing. Right. So I think you need to also do practice. Practice all of your all of those security incident response plans that you have, making sure that you know, it's working actually, if you encounter an incident.

And speaking of cyber attacks, sometimes when financial institutions face a cyber attack, they hesitate to make a full shift to digitalization; they might revert to physical tokens or in-person authorization. Do you think these older methods of verification are truly safer?

Not that it's truly safer, to be honest. I think, I think really as a security person, you really need to really just go back to basics. I mean, what are three factors of authentication, right? So knowing you know, something that you have, but you know what you are, right. So it's really going back to basics, and the more factors you use, I think the harder it is to be bypassed. Revert back to those particular basics. And I think, with these, you know, it's not just about how you do it, it's just really that those principles, and it's going to be really that effective.

Are there any proprietary cybersecurity technologies at your organization that you can tell us about?

Yeah, I think we have in the past. Because, you know, as I mentioned earlier, we've leveraged Alibaba, or that financial infrastructure. But when we reassess all of these proprietary technologies, I said, you know, I mean, even the people that actually made them run are no longer part of the organization. So I think it's more risky for us to just stay with these technologies. And so right now, I think we're now leveraging industry grade and industry standard when it comes to cybersecurity technologies.

And what are your key focus areas for this year?

Yeah, I think I was able to give a bit of an insight of what that looks like, in our short discussion earlier. I think, for me, two things. Number one, upskilling, my people, right? Making sure that they're effective and efficient at what they do, right? Getting all of those trainings and certifications, definitely. And the second thing is about the organization now, right? It's really about improving the security state, or security posture of the organization. Because you know, with all of these new capabilities that we've built, or we're still building, we can now see all of these issues rising, right? We can now detect and identify all of these issues. It's now up to us to actually just fix all of those issues and improve the security state of the organization.

And do you have any last words of advice for CISOs in your industry?

Let's be the InfoSec of the future. I mean, with your experiences on your day to day, your challenges, all of the issues that you're encountering, right? What should InfoSec look like in the future? I think I just I just want to leave it there and say, "What have been the things that... What are the learnings that we can gather from all of these experiences? What should InfoSec look like in the next decade or so?" That is where I my advice would be because I don't want the CISOs just stay with where they are. "I have employed that the say, the Ferrari of the tools, I'm good?" No, not really. You need to look at things more in the future. Because with all of these new technologies now, it will further propel us to the future ahead. And so I think, be that InfoSec of the future. What that looks like, I'm still not sure. But I guess it's time to think about it now.

That's a very good point. Well, thanks once again, Mark, for speaking with me today. It's been great hearing your thoughts about what we can do for the industry. And to our viewers, if you have any suggestions or feedback on the show... questions you'd like me to ask our guests, you can drop me a message on LinkedIn. Thanks for watching and see you again.