THEOS Cybernova

THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.

Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.

Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.

All Episodes

THEOS Cybernova

Theos Cybernova – Silvia Ihensekhien: Cybersecurity, Leadership & Breaking Barriers

March 21, 2025 • Theos CyberNova • Season 1 • Episode 11

0:00 | 32:43

How do you secure a multinational company while navigating complex cyber regulations and evolving threats?

In this special Women in Cyber episode, Silvia Ihensekhien, CISO at Swire Coca-Cola, shares her incredible journey from IT operations to leading cybersecurity for a global enterprise. She reveals how she navigates complex cyber regulations across multiple jurisdictions, secures both IT and OT environments, and champions diversity in the field.

Host Paul Jackson explores Silvia’s perspectives on the evolving cyber threat landscape, the critical role of communication for CISOs, and how organizations can bridge the gap between cybersecurity and business strategy. Plus, Silvia offers advice for women looking to build a career in cyber and break through industry barriers.

If you’re interested in cybersecurity leadership, risk management, or the future of women in cyber, this episode is packed with insights you won’t want to miss.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Manny Peñamora
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

Introduction to Theos Cybernova

Paul Jackson 0:00

Wherever you are in the world, welcome to the Theos Cybernova podcast. My name is Paul Jackson, your host, and before we begin, I've got a quick favour to ask from you. There's one simple way that you can support our show, and that's by hitting that follow or subscribe button on the app that you're listening to and show on right now. It makes a huge difference in helping get the show out there to as many people as possible. So, please, please, give us a hand and click on that button now.

Silvia 0:36

The Theos Cybernova Podcast hosted by Paul Jackson.

Meet Sylvia Ehensikan, CISO of Swire Coca-Cola

Paul Jackson 0:41

So here we go with episode 10 of Theos Cybernova podcast. I'm Paul Jackson, and each week I'm digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, legal eagles and technologists, with a particular focus on the Asia-Pacific region. So, whether you're a professional in the field or simply curious about staying safe in the digital age, we hope Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I'm delighted to welcome Sylvia Ehensikon. Have I got that right, sylvia?

Silvia 1:25

Yeah, yeah, almost perfect, almost.

Paul Jackson 1:28

Go on pronounce your name for us, please.

Silvia 1:30

Ehensikan.

Paul Jackson 1:31

Ehensikan. Okay, I'm not going to try that again. We'll call you Sylvia from now on in the episode, if that's all right with you.

Silvia 1:37

Okay.

Paul Jackson 1:38

But you know, giro, this is Women in Cyber Month March, and it's a true honor to have you on the show, because you are one of the leading lights in the world of cyber from a female point of view, because you've risen to the dizzy heights of CISO, of Swire, coca-cola, and I know many in the audience will love to know your career journey and how you got to where you are. So why don't you start by introducing yourself a little bit and letting us know a bit about your career story?

Silvia 2:06

Okay, Hi everyone. I'm Silver E Hansingen.

Silvia 2:09

Nice Okay so why do you think that my E Hansingen coming up? A little bit about myself, right? Of course it's my puppy's last name. So when we got married I tried to not changing my last name because you know, changing your last name is so different changing all the documents. So I asked him. It took a long time and then he only gave me three words take your time. So that means I have no choice. And here I am using sylvia in hensington instead of sylvia lamb very good.

Paul Jackson 2:38

Yeah, how long did it take you to get used to pronouncing it?

Silvia 2:41

at first. I need to get the spelling right. It's very embarrassing to spell something wrong. It takes me a month or so to really get it in my mind. Yeah, I might be a slow learner.

Paul Jackson 2:53

Okay, no, but I'm definitely a slow learner. But anyway, it's lovely to have you on the show, sylvia. So talk to us about your career. I mean, how did you get started in cyber?

Silvia 3:05

Okay, so it is a pretty long story. Okay, I graduated from second school, right. So when I go to university, first I said, hmm, which subjects should I choose first? So it's a lot of subject that you don't have in secondary school. And then I saw, hmm, I look at the subject title, I said computing studies sounds interesting and that's why I choose it, not because it is a more positive, it's because, just like I'm interested in it, I feel so use my gut feeling to study computers. At that time there was no cyber security. It's not yet at that stage, right? So I start in my computer studies journey and then, after I graduate, the first thing is that I become a teacher. I didn't go on commercial, become a teacher, and then for about two years I said let me just like, because I was young at that moment. You want to change?

Paul Jackson 3:51

that you still are Sylvia.

Career Journey from Computing to Cybersecurity

Silvia 3:52

Thank you. So I want to change a different field instead of coaching the student who might be taller than me. So that's why I changed the commercial field get my certifications and go to the commercial field and later what I discovered is that I'm the one I like to solve the problem bringing the technology and operation together, no matter which business I was on. So I've been to many industry startups and then remember startup rooms and then a lot of startups I've been working on, and then mnc and the educational field. I work on operation mostly, so bringing technology and human together. Then somehow in my last job before I joined why coca-cola? My last job was a e-commerce platform on shipping, so I've been working there almost 15 years.

Paul Jackson 4:46

Wow A long commitment. Yes.

Silvia 4:48

Yes, yes, it is quite a niche company. Small because it's only offer to shipping marine time. So we bring ship owner and ship supplies together, have the procurement platform. So you might wonder why the company with such a niche market right can keep me for 15 years. Because they offer me a lot of opportunity.

Paul Jackson 5:13

I thought you were going to say they offered you a lot of money, but that is another discussion, paul, let's talk about later. Yeah, opportunities.

Silvia 5:21

Opportunities, right. So I become a project manager because helping to kind out to make sure the integration work coming well, and then later, of course, I take care of the customer support, taking more and more responsibility. Finally, development, qa, and then, of course, at that time under IT operations that is a part security, but it is integrated in the IT operations is a part security, but it is integrated in the IT operations. So it's very natural that a lot of companies do it that way at that time. So, when the security is starting booming and you have more and more focus points as a e-commerce platform, we also really need to protect our customers. And that time the company decides, hey, I need to protect our customers.

Silvia 6:05

And that time the community said, hey, I need to set up a new security team. And then they invite me are you willing to be the head of the security? Right, cyber security, not physical, so I'm not body. So I say yes, and then that's why I came to the cyber security field. So I always say that it is not me choosing cybersecurity, it's cybersecurity choose me. So after that, of course, right, I've been doing improve the security posture and saw an opportunity in Swag Coca-Cola. So I want to go to a bigger MMC. And also why I'm choosing Swag Coca-Cola is because of at that time Swag Coca-Cola had a really wide geo coverage right.

Silvia 6:51

In my previous company, although it's e-commerce worldwide, but they don't cover China. So if I plan to stay in Hong Kong, I need to have a good connection to China, and I think it would be best for me to have a China working experience. So that's why I joined Swag Coca-Cola.

Paul Jackson 7:07

Interesting, Interesting, but many would say well manufacturing, do they really need cyber?

Silvia 7:13

Yeah, that's true. But manufacturing they also are vulnerable to attack because of the manufacturing lines. They use a lot of legacy systems and then, in order for the evolution that is industry 4.0, that means they become using more and more internet, they are using cloud, so it is all a new attack surface to all the manufacturing industry. On top of that, we also have our IT infrastructure. Consider we have a lot of location China, southeast Asia, hong Kong, taiwan, us West. So what do you think? How do we connect together? We use, of course, it technology, and that's why we are also vulnerable to IT cyber attacks. So IT and OT.

Paul Jackson 7:58

Right, okay, that's interesting. So do you see the convergence of the IT and the OT environments as one of your biggest challenges? Then here.

Silvia 8:05

It is, it is, it is always. I think all the manufacturing, the CISOE manufacturing businesses will say the same. But it is important to separate it because you don't want to cause it to isolate the OT network from the IT.

Paul Jackson 8:20

You are isolating it. I am. That's interesting because more manufacturing that I talk to they're actually integrating it for efficiencies, et cetera.

Manufacturing Security Challenges and IT/OT Integration

Silvia 8:28

You're still keeping it separate, yeah we're still keeping it separate, unless this is a really, really key point that we need to integrate it. But, this is something that we might think of later. Maybe our plants become fully automation right. Have more and more technology happen, Then we might consider that.

Paul Jackson 8:45

That's really interesting. I would have thought, I would have imagined there would be more integration already. But yeah it's certainly going to be a challenge as and when you go down that path.

Silvia 8:53

We need to be slowed down. We don't need to do anything in a rush.

Paul Jackson 8:57

And just to prove, I'm here at Coca-Cola's facilities. I'm just opening a can of your product. Thank you for support. Well, you gave it to me, but you choose Coke Zero. There we go. I'm trying to be healthy. You see, Sylvia.

Silvia 9:09

I know.

Paul Jackson 9:10

Yes, but yeah, so interestingly you also touched on the physical security side of things. And that is interesting to me because one of our upcoming guests is actually a physical security side of things and that is interesting to me because one of our upcoming guests is actually a physical security head but where they integrate more between the cyber and the physical world, and he's going to be telling the story of how that converges.

Paul Jackson 9:29

Do you find here that you isolate this? Do you not collaborate so much with the physical security, or is there good overlap here?

Silvia 9:36

I think there is some kind of overlap. Of course, the plant already have a really good physical security in place because the plant is really important access for us. So there's strict restriction for physical security. They have very good in place. And then, of course, for the office. That's why we have the physical security also. That's why we set the governance.

Paul Jackson 9:56

Yeah, and, as I said, you know it's an interesting topic for me because you know my law enforcement background. So I have many friends who work in physical security, which is a natural progression from law enforcement. But they all tell me that there's a far better need for them to understand the technology, because A physical security is all about tech. Nowadays it's all you know, internet connected, etc.

Silvia 10:19

For the physical security. We also very emphasize on safety of the employees because of all these mechanical parts right.

Paul Jackson 10:27

Oh, 100%. Yes, I never thought of it that way. But yes, of course, health and safety in the workplace must be a huge issue for you.

Silvia 10:34

Yes, Interesting.

Navigating Multiple Jurisdictions and China's Regulations

Paul Jackson 10:35

Okay, so let's talk a little bit about your geographies. Yeah, I know that's a tricky issue here in Asia, and you know, me and you. We do a lot of conferences right and we've seen each other on panel discussions and invariably one of the hot topics is how to deal with entities operating, say, in China or in other parts of the region where the laws may differ from, say, hong Kong or other of the region where the laws may differ from, say, hong Kong or other, and how difficult it is if you not only just China let's talk about that specifically in a moment but you operate in a number of jurisdictions.

Paul Jackson 11:06

How challenging is it for you to keep up with all the changes in laws and regulations, et cetera.

Silvia 11:10

It is quite challenging. Especially we have to keep growing our business. Last year we acquired Thailand and Laos, so we are growing our southeast asian market, and then previously cambodia, vietnam, so all this new entity right, that means new jurisdiction take place and then we need to find a whole common ground to set our framework so we have a good framework and apply to all the region, and of course, all the region can have customized according to their regulations, but our framework is based on the best practice, which is about the same for all of them.

Paul Jackson 11:44

So what best practice frameworks do you use?

Silvia 11:46

For example, if you're using well data privacy, you say PIA, right, PIA, it is amongst all of them, so you need to have consents, pia, all this. And for cybersecurity, you use the security control. You need to think of it. So we have defined a number of security controls to make sure that the framework and then, of course, we are forwarding the standard ISO 27001 needs all this.

Paul Jackson 12:10

Right, okay, interesting, and are you getting lots of? You've got to say this, of course, but are you getting lots of buy-in from your leadership here? You've got to say yes to this obviously yes, yes, of course right.

Silvia 12:21

So a lot of my time right Maybe a lot of audience thinking I see so spend a lot of time doing the technical thing implement or looking at where the attacker is. Of course we do, we do. But a lot of my time is on stakeholder management. You can't believe over 70% of my time it is to lobbying communication. Make sure that they're understanding all this.

Paul Jackson 12:44

Yeah, no, I know full well because historically I've done board and ex-co briefings to the SWIRE group, as you know, down the years, and I actually find that the level of engagement here is actually amazingly good. There's a lot of interest, of course, as there should be over cybersecurity as a concern from the executive level.

Paul Jackson 13:03

But something you just touched on resonates because a lot of people ask me you know CISO, what is their role really? You know, should it be technical or should it? And my own view is that you've got to be a good communicator. You've got to be able to translate the technical concepts, the security concepts, into business language and language that the business leaders understand. So it's very interesting that was the first thing you mentioned about your role yeah, it is.

Silvia 13:27

It is always always because the executive leadership don't understand. What is the vulnerability? Cve, what, what's dve? No one understand all this. So you need to talk to their language, not living in your own world? Yeah, that's true. Yeah, but on the other hand, you, you know, you obviously need to talk to their language, not living in your own world.

Paul Jackson 13:39

Yeah, that's true, yeah, but on the other hand, you, you know, you obviously need to speak the technical language with your teams yeah, yeah, that is another. So I have two sides right yes, face, right yeah but I imagine you've got a very good team here and that you um, obviously uh have the right people in the right place. Yeah, lucky me, lucky, yeah, my team you indeed.

Silvia 13:57

Yeah, my team is quite good at the moment, and then they, of course they are well doing a lot of different things. And then I'm surprised, some of them, they are really knowledgeable, and then they pick up things right, right, so lucky me.

Paul Jackson 14:08

Yep, lucky you indeed. And so let's go back to China, because, honestly, that's a hot topic, and in a future episode we're going to be talking more specifically about the China cybersecurity laws and the complexities that this entails. But you are right at the front line of this because obviously you have significant operations in China and the data transfer laws, the laws around what you can and can't do, around security, must be quite baffling for you.

Silvia 14:35

Yeah, it is, because, of course, china is also one of our biggest regions among all of us, right? In terms of the number of people.

Paul Jackson 14:44

Definitely.

Silvia 14:44

So, in terms of all this regulation, whether CIS or PIPL, all this new regulation, we really need to keep tap into the latest trend, because they are always changed. Maybe the first announcement of the law enforcement of the law is not very clear and later they make some official amendment hey, there is a draft Others. So this is something that we make it clearer and clearer and then we can see that actually the China government is also helping the company to achieve this by making a clear guideline.

Paul Jackson 15:18

That's interesting. Do you attend sessions with the government, the government-led sessions, to help clarify things for you, or is it just you know the stuff that you see online?

Silvia 15:26

then Well, we do have some. I do have some peer which is very, very professional in Chinese law, the cyber security law and data privacy.

Paul Jackson 15:35

Do they actually understand the law?

Silvia 15:36

Yeah, they do, they make the living. So we have very good communication. We always catch up with each other, discuss some of the what is the change, what is the impact? Of course, we use consultants as well to help us, to guide it.

Paul Jackson 15:50

Right. Interestingly, because obviously all these laws are translated into english but you never get. I mean, the real, true definitions are in chinese right do you find there's any conflict or any difference between the english versions and the and the chinese versions that are online for us foreigners who don't read chinese?

Paul Jackson 16:07

uh, actually I can read chinese I know you can, I know you can, but for me I can't right. So I know you can. I know you can, but for me I can't right. So you know, do you think there are nuances that perhaps we might not get by not being able to read it in Chinese?

Silvia 16:18

I think a lot of people right, especially the Hong Kong system in the middle of between the two world. It is very capable to translate it into English, Right? Yeah, I'm not worried about that.

Paul Jackson 16:30

Yeah, but it is very complicated, it Right? Yeah, I'm not worried about that. Yeah, but it is very complicated it is. And some of the definitions are a little bit vague. Mm-hmm, yes, do you not find that?

Silvia 16:39

It is, as I say, the Chinese government always right. They were just like making clearer, clearer guideline instruction later on. So I think a lot of us some of them are very weak and not clear at the moment, but later we'll know exactly what to do, especially when we come to the time we need to, for example, file any assessment with CAC, and then we will come to know. Of course, we always I would suggest always consult the local legal, because they know best.

Paul Jackson 17:09

A hundred percent. You know and this you know certainly from Theo's point of view because we often get asked if we can help international companies to test the security of their operations in China or maybe help with investigating a cyber incident that's happened to their entity in China. And sometimes navigating that from a legal point of view can be challenging and obviously, like yourself, we work with the correct legal guidance. But you know it's always very difficult. For example, you know if we're doing an investigation, what constitutes personally identifiable information, because we will pull information. If we're doing an investigation they should be metadata, but sometimes that metadata may be defined as personally identifiable information. So it's a bit of a gray area when you're trying to resolve a security issue.

Paul Jackson 17:56

Do you find, though, that, in general, the authorities in China are basically there to try and help companies be more secure, rather than be too pedantic over the laws?

Silvia 18:06

I think this is the former part. They try to help companies. Of course, they set up their law, the regulation, and then there, so, so much they need to protect, right. And then there's some clarifications.

Paul Jackson 18:16

New pending right, yes, it's a. Well, it's a never-changing uh game, isn't it? You have to keep an eye on the updates just like, for example, when you first launch gdpr.

Silvia 18:26

It's still some uncertainty at that time.

Paul Jackson 18:29

So I think it is a similar stuff yes, and I guess it's a wait and see. You know and see how companies are. You know those who breach, if you like, these laws, how they are dealt with and under what circumstances they are deemed to have breached. So, yes, I guess it's a wait and see, isn't it really? But it seems like you're well positioned to navigate all of this though.

Silvia 18:48

At least we know who to get if I need help.

Paul Jackson 18:51

Right.

Silvia 18:52

You need to have your network, your resources ready right.

Paul Jackson 18:55

And I guess that would be your key advice to anybody who's operating in China have your network and your guidance right.

Silvia 19:00

You cannot do everything yourself right, because you're not a legal expert. You don't understand the law as well as the local experts, so always rely on the local resources, on the regulations.

Women in Cybersecurity and Career Development

Paul Jackson 19:10

Right right, no great advice there. Great is rely on the local resources, on the regulations. Right right, no great advice there. Great advice, and I'm sure there's a lot of our listeners who this? Is a hot topic for them. Yeah, so let's switch gears a little bit and let's talk about, you know, promoting. You know it's Women in Cyber Month March, and you know we were talking, before we started recording, about how few female CISOs there are in Hong Kong, right, yeah, definitely in a minority. Is it likely to change anytime soon? Sylvia?

Silvia 19:36

I think their situation will be improving, but change, I think, still needs a little bit more time.

Paul Jackson 19:42

What are the barriers, then, at the moment?

Silvia 19:43

I think a lot of ladies feel just like not comfortable sitting in cybersecurity because they still have the mindset hey, this is not for the female world, this is always the guys dominate the world, right? So tech, not even on the cyber. Cyber is only a part of tech, right? So if you look at the tech, always like that, so even cyber is more niche. So they are thinking of, hmm, this is well, I may not be good enough to do that. That is so technical.

Paul Jackson 20:12

Right. How do we change that perception, though? Sylvia, are you involved in any initiatives here in Hong Kong or anywhere?

Silvia 20:20

Yeah, I do. Actually, I graduated from Hong Kong Polytech University and then I'm still a mentor there. Oh good yeah to mentor. And then I've sometimes invited for a career talk, which I'm happy to share, to go to the university or school to talk about it and then to promote. Because you need to plan your seat right.

Paul Jackson 20:54

Starting early, not become when they are just like going to graduate, and then it's too late. Parents, they push their kids to go into perhaps what they perceive to be more um, I don't know higher level jobs, you know, in law firms or in banks, or in doctors, or you know. Is that, is that a misconception, or do you think that's a? That's a, a true statement interesting question.

Silvia 21:06

I think I think it's his, but remember, cyber security now become the hot topics and the top career. Right there's a lot of shortage of well talent, so that might be a good chance for them to get into the field.

Paul Jackson 21:20

Okay. So to any young females who are maybe listening to this podcast, what advice would you give them now starting out in their career? How should they, you know, approach this and get on the ladder, if you like, to success?

Silvia 21:30

I think, well, a lot of the terms I heard is imposter syndrome, right. So don't be just like well, don't think yourself less than the others. You need to have confidence in yourself, the first thing, and don't afraid to make mistakes, Because everyone makes mistakes. If you don't make mistakes, you can't learn.

Paul Jackson 21:47

Right, you're absolutely right. But I think also some of these candidates may think oh, I need to study the tech, I need to study the tech and certainly when I'm mentoring, when I'm teaching, I say get out there, try and do presentations, try and learn communication skills episode. You mentioned that communication is vital and I entirely agree. So how do we get them out of their comfort zone? Because they will say to me well, nobody will let us speak at a conference or you know, because we're too junior.

Paul Jackson 22:19

So how do they get that kind of practice?

Silvia 22:21

interesting though. Uh, lately, um, I joined a club called host master, so we form a tech talk host master exactly to address this problem, because we always think the tech people not only cybersecurity they are not. The soft skill part is a kind of lacking. So we are here to help them, to see how they will do public speaking. So you don't have a chance, but you can have the experience, the chance to practice.

Paul Jackson 22:48

Right yeah. So how do these sessions? Because I've heard of the Toastmaster Club but I've never attended any sessions. So a former colleague of mine in the police, sean Lynn, who you may know is actively involved in that, as well yeah, sonia's our, you know cop. Yes, I know he's good at this, right so, but how you know what? You know? What is the process? You know? So say you know junior candidate listening right now and they're thinking, oh, sylvia mentioned toast massacre, what. What does that actually involve?

Silvia 23:14

you know how do they go about joining and okay, so they need to have a strong commitment to the cup. I say it is not really light for a lot, right, because if we want to learn, they have calls, online calls, you need to attend and then they have different education path pathways for choose whether you want a professional speaker or the others yes but the first thing is that you need to have your commit.

Silvia 23:35

Am I what? I really want to do this, before you commit on anything, go to the website to have look exactly what is a toast master, and then you get an idea. And, of course, you are always welcome to reach out to me in case you have any question or so on.

Paul Jackson 23:51

Well, that's very generous of you. So anybody listening, uh, sylvia. Sylvia, she will be open to requests, I guess via LinkedIn or somewhere.

Silvia 23:57

Yeah, yeah, yeah yeah.

Paul Jackson 23:59

And also you're regular on the conference circuit as well, and I guess you know seeing you do that and quite a few other CISOs do it as well, although mostly male, sadly.

Silvia 24:08

It is yeah.

Paul Jackson 24:13

Because I obviously chair a lot of panels and I see them all and we've got one tomorrow. Actually we're at the Hong Kong. Institute of Bankers tomorrow doing one, but anyway, again male-dominated panel, unfortunately. But you know, giving up your time like this is pretty generous, but I think you do it as well because you probably think it helps you in your job right to get out there and communicate regularly.

Silvia 24:33

It is because for me to getting all right I'm not just like it's always two way.

Paul Jackson 24:37

Yes.

Current Challenges and Emerging Technologies

Silvia 24:37

I can learn from the others. I can learn from everyone right. I can learn from my peers. I can even learn from the first graduate. See what are they thinking.

Paul Jackson 24:44

Yes.

Silvia 24:45

So to see how we can get them engaged to the cybersecurity field.

Paul Jackson 24:49

Right, okay, okay, okay. Well, the last question I've got to ask you is around your work and what are you seeing as the big challenges at the moment? What's really keeping you busy right now in the cybersecurity world?

Silvia 25:05

I think at the surface on the cybersecurity right, because it's a lot of new emerging technology coming up, like I need to talk about it, right, gen AI?

Paul Jackson 25:09

Of course, everyone talk about it. Why, out of interest as a company, are you looking into how AI Gen AI can assist in your business?

Silvia 25:18

We always look at all this opportunity right, Because if you want to drive the business, we might need to have a look at the emerging technology. But emerging technology is the other way you bring additional attack surface to it. So how do you balance it? It is a kind of challenging because you need to have the executive management well aware enough. Hey, if goal of a full lease, fully support, right, but at the time you need to make sure that the risk is minimized.

Paul Jackson 25:45

So that's interesting. You say that because when I talk to other you know folks in your position they sometimes say well, the business goes ahead and does this sort of stuff without consulting us. You know they're trying to explore ways that it could enhance the business and they're not really thinking about security. Hopefully that's not the case here. Right that they are collaborating and you are looking at any emerging tech that's being used from a security standpoint.

Silvia 26:08

Yes, we do. We second the governance model, governance framework, even on emerging technology and, of course, right since I'm thinking that we are doing quite good on this because our senior leadership is aware of the risks as well. So we have the framework and everyone. If you want to use a new technology, you need to go through a review process.

Paul Jackson 26:30

Okay.

Silvia 26:31

A risk assessment.

Paul Jackson 26:32

Okay, without revealing any company secrets. Are you able to say, because I'm curious, you're Coca-Cola right, everyone knows Coca-Cola right. How might you be using AI or Gen AI in the okay in the business? Is there something you're able to talk about?

Silvia 26:46

well, one of the things right two sides right on the customer side, how you engage with customers, doing the analytics right all this you need ai right, for example. And for your internal side, every company is using the same. How do you smooth your internal process, make your life even more efficient, right that. That means less people do more work.

Paul Jackson 27:05

Okay, okay, all right. Well, that sounds reasonable. What about supply chain, though? Because I mean we always talk about supply chain risk and you have a huge supply chain, right? So does that keep you awake at night?

Silvia 27:15

It is, it is, it is. Supply chain is a really, really new threat for us right For all this production line.

Paul Jackson 27:26

But of course we have a strategy to mitigate the risk, right, and can you talk at all about that strategy, or is it top secret?

Supply Chain Security and Budget Strategies

Silvia 27:29

It's just like a little bit, just like separate. It's like before, separate the OT with the IT network and make sure they are aware. Right the awareness.

Paul Jackson 27:37

So do you. I mean you assess their levels of security and whether they might be a risk to you I think.

Silvia 27:45

I think it's a full step right. A company can do it. Before you sign in a contract, you need to evaluate the vendor properly on the procurement process, so at that time you need to squeeze in some security requirements to that yes and then when they sign you need to do a risk assessment if any high risk you might need to render to correct it before go live right.

Silvia 28:04

And after that annual you might need to do spot check to have a risk assessment. Ask them to do the risk assessment again to see how their risk posture.

Paul Jackson 28:12

Okay, is there a lot of pushback from them?

Silvia 28:16

It might be, but we are the customers right Of course, yes, you hold all the cards.

Paul Jackson 28:20

It is our responsibility as the vendors, as, I say, partners, to understand where, why we do this right it's not helping us, it's also helping that right, okay, well, that sounds, uh, yeah, of course, like a good strategy to do this. Yeah so you know when, when you're obviously a lot of this costs money, right, a lot of your incentives, etc. What's your strategy for getting budget? Because that's another big question that we get asked what? How do you convince the leadership? Because you're talking about your communication skills, you're obviously good at persuading them to give you the budgets.

Silvia 28:52

Just be the best friend of your cfo, just kidding hope the cfo is not listening yeah, of course right, you need to just like every, every other business unit also fighting for the same project.

Paul Jackson 29:13

We are on the same pool, so that we need to satisfy. And then what we did is always on a risk approach or a business enabler so it's not viewed as a cost center.

Silvia 29:22

Do you have?

Paul Jackson 29:22

any? I mean, maybe a bit difficult in manufacturing. I'm not so sure. Do you have any ways of making it look like you're more of an earner rather than a cost center?

Silvia 29:30

That will be difficult to change right, but we are the business enabler.

Paul Jackson 29:34

Yeah, oh, for sure, you know you need production.

Silvia 29:37

It's just like basic IT, it infrastructure, right, right, all this they are business enabler.

Paul Jackson 29:45

Without them the business cannot survive. Same as cyber right. So, um, before I ask you about the music question because I always ask a music question in these podcasts but, um, before I go there, where's next for you? So you're now a cso, right? Um, where would be, you know, if you were sort of, uh, imagining your, your future position? Where, where do you think you would go from here? Not that I'm saying you should leave the Swyker Coca-Cola of course not for one minute.

Silvia 30:07

That would be interesting. I think maybe coming up with my own company that may be a thing.

Paul Jackson 30:13

Yeah Well, you're very famous here in Hong Kong.

Silvia 30:16

Maybe, but that is not yet on my plan, yet on top of my head. I'm quite happy to be here, of course, as long as I want to promote cybersecurity.

Paul Jackson 30:26

That is my goal 100% and I think you know your role honestly as an ambassador in Hong. Kong you do tremendous work. I mean you're so well known now and the amount of time I know you're in a busy job, but the amount of time you devote to conferences, because I've seen you obviously at loads of conferences and events and I think the community as a whole thanks you, you know, for your participation and being such a good role model. Thank, you.

Paul Jackson 30:49

Yeah, it's pretty awesome. So normally, you know, at the end of these chit chats I switch over a little bit to music because it's my way of decompressing, right. Okay, after you know work, I love vinyl. I'm old school, you know work, I love vinyl. I'm old school, you know vinyl records and uh, it's nice to sort of uh, um, listen to a bit of music in the evening, um to to relax after busy days, and uh, I was curious to know what my friends and and connections in the cyber world are listening to.

Paul Jackson 31:18

So do you, do you listen to music do you have any, I do, you do, okay, what kind of stuff do you listen to, then uh, do normally pop song, okay, kanto or or western western such as go on the name somebody you're listening to at the moment um kelly carson kelly carson. There you go. We got another person in the room is nodding and appreciating your taste in music there yeah I'm not so sure. I'm a kelly clarkson fan, but uh yeah, but no, it's a, you know it's honestly oh, taylor swift yeah are you a taylor swift fan?

Paul Jackson 31:50

I'm not. Did you go to singapore to watch her?

Final Thoughts and Musical Preferences

Paul Jackson 31:52

I want to next time give me a ticket, all right, yeah, okay, that's the deal there's a thank you for being on our show, but um, really, sylvia, you know I I honestly appreciate your giving up a bit of time to um to talk to the community and share your experiences. You've you've had an amazing career and you're definitely an inspiration, and it's fantastic to have you on the show during women in cyber month. So thank you once again. Thank you very much for joining us. Theos cybernova was presented by me, paul jackson, the studio engineer and editor was Roy DeMonte, the executive producer was me and Ian Carlos, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai. The Theos Cybernova Podcast.