CSO of the Week, Rosauro Angelo J. Rodriguez, Global Security and Operational Risk Management Executive, Philippines
“A highly-engaged Servant-Leader & Security Evangelist who makes things happen & leads others by example”
Roel is a Global Security and Operational Risk Management Executive with over eighteen years of excellence managing the protection of people, assets, revenue, systems, and processes to ensure business profitability and sustainability anchored on sound principles and highest ethical standards in collaboration with all the stakeholders.
His professional portfolio covers a wide spectrum of experience:
● Industry: FinTech, Financial services, Technology & Manufacturing, BPO, Supply Chain, Commercial, Retail, Education, and Aviation – Air Express Cargo.
● Geography: Philippines, Australia, Japan, and multiple countries within the Asia Pacific Region.
● Institution/ Enterprise: FedEx Express, DHL Express, Asurion, PriceSmart Membership Shopping, Home Credit, and other Government & private institutions.
Areas of Specialization
- Security, Fraud & Operational Risk, Facilities, EHS, and General Services management
- Asset protection and Regulatory compliance
- Loss prevention, control, and investigation (theft, pilferage, fraud, FCPA, WPV, etc.)
- Strategy, metrics, policy & process flow formulation, programs, training & development
- Threat, risk, and vulnerability identification, assessment, management, and control
- Aviation and Supply Chain Security management standards (CTPAT, TSA, ICAO/ IATA, TAPA)
- Business Continuity (BC), BR/ DR, Incident response, and Emergency/ Crisis Management
- Events security, Executive facilitation/ VIP protection, Political, travel, and security analysis
Throughout his career, he has developed the ability to integrate his fields of expertise with other areas of the business and has been a consistent achiever receiving numerous company and industry awards & recognition such as but not limited to the following:
- Outstanding Certified Security Professional (CSP) Award in the field of Financial institution – 2017
- Letter of Appreciation, Home Credit – 2015
- Special Recognition, Asurion – TCP, for Outstanding performance; and for playing a key role in the Customs Trade Partnership Against Terrorism (C-TPAT) certification – 2010
- FedEx Express Asia Pacific Excellence Award – 2006
- Certificate of Appreciation as Resource facilitator for handling drug problems on campus, DLSU-College of Saint Benilde – 2001
Most importantly, Roel is a happy family man. Outside of work, he spends his time serving his family, the Church, the security and business sector, and the community through volunteer work for young professionals and street children, and through speaking engagements. He has recently been invited to speak at an international business-economic forum.
Are there any common business roadblocks that prevent security practices from being implemented?
There are two major roadblocks, most especially for less mature organizations, that prevent security practices from being implemented.
One is corporate culture. Engendering the culture of security championed by the CEO and the Board of Directors within all levels of the organization is in itself a huge challenge. Security must be deeply ingrained into everyone’s “DNA”, otherwise, there will certainly be resistance that may lead to roadblocks as to security programs implementation. It all starts with the perception of what Security is, what is it for, and why does it even exist in the organization (purpose)?… Security causes inconvenience and discomfort making our lives uneasy and miserable in the office… security is there to monitor and control us (“control freak”)… security is just a waste of money… security does not form part of the organization’s strategic priorities nor does it in any way contribute to it … or Security is rather perceived as one of the company’s top priorities as it is key in ensuring protection of people, customers, company’s assets, processes, and revenue to ensure profitability and sustainability of the over-all business.
Another roadblock is Security being a cost or non-revenue generating center. Investments on security systems infrastructure, tools, equipment, and other resources are oftentimes deprioritized as the organization would rather invest on innovations and other operational business requirements that would generate income.
Now, how can these roadblocks be removed to clear the pathway for security programs implementation? First, the company must institutionalize corporate security governance and shape the security environment aligned with the organizational culture. Second, there must be a clear strategic value proposition and Security Return on Investment (SROI) established for program implementation.
How important is it to have the CEO thinking that security matters?
A CEO thinking that security matters is a CEO taking security as one of its key strategic business priorities:
Corporate security governance is institutionalized. The role of the Chief Security Officer (CSO), and/ or Chief Information Security Officer (CISO), or SVP for Security, or Head of Security, or any top-brass Security people in an organization is truly valued. The role of security is not diminished under any other business function or unit. This strengthens the security posture in the organization which is crucial under the “checks and balance” principle. The CEO is the lead and the champion in engendering the culture of security within all levels of the organization. Thus, everyone in the organization thinks and feels that Security is important and that everyone has a role to play in Security as Security is everybody’s responsibility. — Security is deeply ingrained into everyone’s “DNA”.
Security processes are perceived as a “care point” rather than a “pain-point”. People view security processes as a helpful guide to protect them and keep them safe; to protect the customers, the company’s assets, revenue, and the over-all business against any form of risks or threats such as unauthorized access, intrusion, losses, potential data and information breaches, Business Email Compromise (BEC’s), CEO Fraud and other cybercrime related incidents, non-compliance with regulatory requirements, and many others. — That is, “Security processes are meant for me and not against me.”
Appropriate budget shall be allocated for security-related investment and resources. The money invested on security is worth the value of the protection of the business and its bottom line. — “Investing on security is investing on the business’ long-term profitability and sustainability.”
What advice do you have for security leaders?
All of us have some advice as to creating security culture within the organization. As I reflect on this topic, I can’t think of any word other than “SECURE” which stands for:
Seek your Why and How
- Establish the security organization’s mission & vision statement and set clear goals & objectives aligned with the business’ strategic priorities and core values integrated into an over-all strategic framework.
Tip: Before we even start, we need to ask ourselves these questions: Do I have my own personal mission statement, my WHY, my purpose? Have I set my own vision and established my goals to achieve it? Remember: “We cannot give what we do not have”
Embed security in everything you do
- The CEO with the Board of Directors (BOD) must lead and be the champion in engendering the culture of security within all levels of the organization.
Integrate security into the company’s mission, vision, strategic priorities, goals, policies, programs, work instructions, job aids, product, solutions, and service offerings provided to customers and employees across all departments and business units. Everyone in the organization from the CEO, CSO, CISO, and other C-suite level executives, to the managers, up to the housekeeping people and vendor employees think, feel, speak, and act in a way that Security is important and that everyone has a role to play in Security. Then and only then can everybody genuinely say that Security is everybody’s responsibility!
Care for the business and the people
- Provide a clear strategic value proposition and Security Return on Investment (SROI) for programs implementation.
What is security for in terms of the over-all business? How does it help in the management of risk, threats, and vulnerabilities? How does it contribute to the bottom line? As for the people, how does the time I invest on security matters impact my productivity and operational efficiency? How does it help me do my job better and happier?
Unceasingly grow and innovate
- Embrace continuous growth and innovation in all aspects of the business in terms of customer service (internal & external), processes, learning & development, systems, resources and engineering attuned with the over-all business priorities, needs and demands of the market.
Influence people to be the best version of themselves in all aspects of their lives.
Reinforce and catch people doing good
- Set-up values based recognition and rewards programs for employees sharing a security bright idea, reporting irregularities, supporting security programs, etc.
Another aspect of reinforcement is providing opportunity for development and professional advancement for people within the security organization (i.e. career path or progression, education and training, etc.)
Engage, empower, and enjoy (3 E’s)
How do we do this in concrete terms? Let us ‘pick the brains’ of employees in the creation of security policies and programs with the purpose of correcting, enhancing and not punishing. Let us keep the employees informed on security related activities and on issues that matter to them through advisories and campaign programs. Let us educate employees through security awareness programs. Let us keep the employees involved in a fun environment such as security gamification, etc.
What unique security challenges does the financial industry face?
In this technological era, wherein data and information “fuels the engine” of not only the financial industry and other business industries but all sectors of society also cutting across various economic levels, I think of top three security challenges that the financial industry faces today:
1. Regulatory compliance pressure. Compliance with data privacy and protection, financial reporting, and other regulatory requirements may lead to the following business dilemmas:
- Profitability VS. Compliance dilemma. As businesses are meant to be profitable and as compliance efforts and excessive controls may be counterproductive leading to a large increase in cost and operational complexities, there may be instances wherein organizations would be tempted to manage the risks of non-compliance through circumvention of regulations by creatively finding loopholes on the regulations in order to reduce overhead, production, or operational cost. Opportunity to commit bribery and corruption in exchange of regulatory favors or exemptions conspiring with scrupulous public officials can never be discounted.
- Image VS. Compliance dilemma. Given the high volume of data being processed on a day-to-day basis the operational risk probability level of potential data breach is also high. There are instances wherein organizations, due to fear of potential regulatory penalties and reputational damage, would take the risks of non-compliance by not reporting customer information or data breaches or cybercrime-related incidents to regulators and/ or law enforcement agencies, as prescribed for by law.
- Innovation VS Compliance dilemma. Innovation is essential to any organization’s success. Due to increasing and tough market competition plus the desire to be ahead of the pack, there are times when organizations tend to be careless and sometimes arrogant as they need to quickly implement changes and innovations be it process, product or service offerings, etc.
2. Insider and external threats. Fraud and other financial and economic crimes such as cybercrime, asset misappropriation, money laundering, accounting fraud, and bribery and corruption committed by internal and external perpetrators. Cybersecurity-related threats and incidents such as data breach, phishing, Business E-mail Compromise (BEC), ransomware, DDoS attacks, CEO fraud, etc.
3. Customer pressure. Exposure to financial, legal, and reputational risks due to potential failure to meet the rising demand and expectations from customers to have exceptional online/ digital experience delivered real time in various platforms or channels to ensure accessibility. Another aspect is the management of Third-party risks as many organizations engage in outsourcing of services in order to optimize processes, comply with regulations, reduce costs, and meet the demands of the market.
Financial institutions face strict expectations from regulators and consumers alike. This sets financial institutions up for serious reputation consequences if they let consumers down by suffering a data breach or by failing to innovate service offerings. How to address this reality?
“It takes 20 years to build a reputation and 5 minutes to ruin it.” — Warren Buffett
Know your risks and manage them.
Imagine your home or the physical structure that is the “house”. What do you do to protect your family against potential threats be it natural such as typhoon or man-made such as intruders or would-be offenders or any incidents such as fire, plumbing or water leaks, etc.?
- Have a regular RTVA (Risk, Threat, and Vulnerability Assessment)
  - You do regular rounds inside and outside of the “house” for potential leaks, damages, intrusions, etc.
- Organize an incident response team
  - You have your household briefed and trained to manage incidents
- Make and implement security policies and procedures
  - You may have unwritten “house” rules and practices at home
- Establish controls: layered defense, insider behavior monitoring, intrusion detection and prevention
  - You have perimeter fencing, gates, grilled windows, locks and keys, your cute dog, some with installed CCTV and home intrusion detection alarm system
Create security culture within all levels of the organization
Please refer to details on the previous topic as to creating security culture within the organization, SECURE is the answer:
- Seek your WHY and HOW
- Embed Security in everything you do
- Care for the business and the people
- Unceasingly grow and innovate
- Reinforce and catch people doing good
- Engage, empower, and enjoy (3 E’s)
Compliance… Compliance… Compliancenth
- Regulators are friends and partners not a foe
- Regulatory compliance programs are designed to protect the business and not to cause harm
- Regulatory compliance programs are designed to improve and strengthen the business and not to weaken or stagnate
You’ve been in the industry for 18 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
As technology advances, threats emerge, evolve and advance as well. Thus, technological advancement benefits both sides of the “fence”. While businesses and organizations employ technologically enabled solutions, the perpetrators do the same thing. Both the attacker and the defender, who at times falls prey and becomes the victim, strive to be one step ahead of the other.
In this unending cyber-battle, the views of organizations on cybersecurity are crucial. Through all these 18 years that I have been in the industry, I should optimistically say that in general the global community’s response to cybersecurity has gradually improved. It all starts with each and every country’s government actions in managing cybersecurity through enabling of laws and its enforcement. Cybersecurity being a transnational issue or challenge requires transnational solutions to which regional cooperation amongst all countries is important.
As for those less mature corporations, Small and Medium Enterprises (SME’s) and other non-business sectors of society, I still see an opportunity for improvement as to how cyber security or security in general is viewed.
- Security must be viewed as a strategic enabler of business rather than a mere cost-driven control and non-revenue generating center.
- Everyone must think, feel, act, and own security as it is everybody’s concern and responsibility in any organization.
- Security cares and not a “pain in the ass”
Now is the time for business leaders to proactively re-think on the security posture of their respective organizations.
I firmly believe that Security must be a strategic core business priority of any organization and must not be devalued.
Thank you to all the people I have worked with through all these years of my professional career. Thank you to all my mentors. Thank you to my wife, daughter and our families. Thank you to our God Almighty!