Episode 326 – Quantify Security Effectively – Moving the Security Needle From the Security Trenches to the Boardroom


Highlights from BlackHat Asia 2022 keynote

Interview with George Do, Chief Information Security Officer, Gojek and GoTo Financial.

George has been working in the cybersecurity field for over 25 years, concentrating on building and operating cybersecurity programs. He specializes in the transformation of cybersecurity, winning customer trust, and ensuring a strong cybersecurity posture for the organization.

George has extensive experience in maturing global cybersecurity programs and teams, including securing applications (products and services), securing core IT infrastructure and cloud workloads, and maintaining a robust incident response capability. George leads global teams in cybersecurity, data privacy, governance, risk, compliance (GRC), and implementation of security frameworks. Working closely with stakeholders across functions, he has developed global programs that ensure security is baked into products and services at birth.

Before joining Gojek and GoTo Financial, George served as the global Chief Information Security Officer (CISO) at Equinix, where he built the global cybersecurity program from inception. Before that, he worked at Exodus (Savvis / CenturyLink) and TiVo in senior security leadership roles. He began his career at the National Aeronautics and Space Administration (NASA), where he collaborated with senior federal officials to secure government information assets.

George serves on customer advisory boards for several cybersecurity firms and is an advisor for venture capital. He is a frequent speaker and panelist at cybersecurity industry events.

In this podcast, George shares highlights of his keynote at BlackHat Asia 2022, “Quantify Security Effectively – Moving the Security Needle From the Security Trenches to the Boardroom.”

Drawing on more than two decades of experience in the cybersecurity industry, he speaks on the value of risk quantification to gain board and senior management level buy-in to invest in cybersecurity areas that matter.

Explaining that an organisation's stakeholders may hold varying perceptions of what these areas are, he introduces the concept of a Risk Register to prioritise the different cyber threats the organisation may face.

He also advises on applying a RACI (responsible, accountable, consultative, informed) model to address these cyber threats. Using ransomware as an illustration, he explains the importance of appointing a risk owner accountable for addressing the risk. Additionally, he stresses the importance of the board and senior management empowering the risk owner with the necessary resources.

George also notes that while there are successes at Gojek and GoTo Financial in ensuring customer and partner trust and safety, the online and cyber threat landscape is an ongoing arms race in which new threats are constantly emerging.

He wraps up the podcast by reminding the audience to avoid traps such as designing “solutions in search of problems” and adding to the technical debt by “compounding the security industrial complex”.

Recorded 13th May 2022 (BlackHat Asia 2022) Singapore 3pm.