
THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
Jay Gomez: APAC Cybersecurity Challenges, Brain Drain, Data Privacy, and AI
From the Philippines to Singapore and Hong Kong, how do companies across APAC balance cybersecurity, data privacy, and regulation in a rapidly shifting landscape?
In this episode of THEOS Cybernova, host Paul Jackson speaks with Jay Gomez, Associate Director in Cyber Advisory at BRG, about what it takes to lead in one of the world’s most diverse and fast-moving cyber regions.
Jay reflects on his journey from IT operations and BPO leadership to becoming one of the Philippines’ first Data Protection Officers and now a regional consultant. He shares candid insights on the Philippines’ tough but unevenly enforced privacy law, the exodus of top cyber talent abroad, and why SMEs are increasingly relying on fractional or virtual CISOs to stay secure.
They also discuss why trust is the bedrock of effective cyber leadership, how ISACA has shaped the IT GRC community, and why AI is more likely to enhance the work of security analysts than replace them.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
This week on the Theos Cybernova podcast. I used to support CrowdStrike and Warcraft so I was required to play in my job. If my manager in Asian Institute of Management before said Jay jump, I would ask how high. If he says run, how far? Cloud is not even a concept back in the day, but now you have cloud, you have Wi-Fi, you have AI. Basically, the greatest cybersecurity professional I know, it's Mr Paul Jackson. The Theos Cybernova Podcast hosted by Paul Jackson.
Speaker 2:Welcome to Episode 4 of Season 2 of the Theos Cybernova Podcast. Today's guest needs no introduction. Famous not only in the cybersecurity community in his home country of the Philippines, but also right across the Asia-Pacific region, where he has worked extensively, I'm delighted to welcome Jay Gomez, Associate Director in Cyber Advisory at BRG Consulting, to the show. So thanks for joining us today, Jay.
Speaker 1:Thank you so much, Paul, for inviting me over.
Speaker 2:Really excited about this. It's a real honor to have you on the show. I've known you well for a number of years now and I'm really excited to hear from you today and share your stories and your experience with our audience. So, on that note, perhaps you can kick us off by telling us about your career story, how you made it from pretty humble beginnings really to being a recognized leader across the region, as you are now. What's your story?
Speaker 1:All right, I'll probably start with. I was a working student before I didn't go straight to college, basically. So I took a two-year electronics course and then, after the first trimester, I was able to land a job in a semiconductor company, and then I worked all throughout after that and then, after graduating with that course, I was able to work in Manila Electric Company, which is a power distribution company in the Philippines, and then after that I moved. I was a desktop support before endpoint support.
Speaker 2:Wow, you really did start in humble beginnings then, didn't you this is really right at the beginning, and you went to the University of Life I guess you'd call it.
Speaker 1:Yes, yes, that's correct, Paul. So after that stint with Meralco, I worked at the Asian Institute of Management for six years, pretty much started as a desktop support again, and then I did some programming. I did network administration and system administration back in the day when we have Windows servers. And then I had a stint in Singapore for three years, started off as a Lotus Notes administrator and a Windows administrator. But the fun part with being in Singapore is that I have another role in that company. I used to support games. I used to support CrowdStrike and Warcraft, so I was a system administrator on the side and also a gaming support person. So I was required to play in my job.
Speaker 2:Yes, I think you've got a lot of very jealous listeners on this one who love to be gaming whilst on the job.
Speaker 1:Correct, and that's in 2003. We went back to the Philippines and I became an IT manager in the contact center industry. So that was a booming industry back then and I stayed in that industry for about nine or 11 years, starting as an IT manager and then becoming a regional IT director before. So I was an infra guy through and through, so managing IT operations, networks, help desk support, development, Windows administration, server administration, and I was building sites actually across the Philippines in my stints in Alorica and also Cognizant Technology Solutions. Then, after reaching back in 2012, so I did four years in Cognizant. Then I went to ABS-CBN, that's the biggest broadcast station in the Philippines, which is also a conglomerate, so I became the head of information security and the concurrent data protection officer. So I stayed there for four years and then moved to Hong Kong and moved literally on the other side from being an in-house cybersecurity and data protection executive, if I can say that, and then now I'm on the consulting side.
Speaker 2:Who persuaded you to do that then, Jay?
Speaker 1:The greatest cybersecurity professional I know, it's Mr Paul Jackson.
Speaker 2:No, it was a good decision, because I think your ability to share you know, your extensive experience I mean, you know, all the stuff you've done has led to you know, to you developing such a depth of knowledge and information, and I think consulting right now is the right place for you, because it's so much in demand, all the skills that you have, and we'll cover that during this podcast. But what made you sort of transition from the IT side into cybersecurity, though? I mean, was it just a natural thing or was it just something you had a passion for?
Speaker 1:That's a great question, Paul. Back in the day in my stint with Alorica, so we are a US contact center and business process outsourcing company, so therefore we were supporting clients that handle credit cards, handle healthcare information, so therefore we were being audited with PCI, Sarbanes-Oxley, for example, HIPAA back in the day, and also ISO 27001. So since I was doing and managing IT infrastructure and operations, I was being audited by people from our US internal audit group and then also from external auditors. Then our chief information security officer then, whose name is also Paul, Paul Legacy. He said, Jay, are you interested in cybersecurity? Because this is a very new and really good field. So I guess, and I said, yes, why not? So he mentored me and said you know what? Take a course in cybersecurity and then get yourself certified. So I did. I reviewed for ISACA's CISM, which is Certified Information Security Manager. I did a review class and then took the exam in 2010 and I passed it and I retained the membership ever since.
Speaker 2:Yeah, we'll come to that in a little bit later because your role in community engagement, predominantly via ISACA, is huge and you've become a bit of a legend in that regard. But let's talk a little bit more about the cyber security angle first, because you know, with your experience, you've got nearly 30 years in. Despite you look like you're still in your 20s, which is very annoying for someone like myself, but you know, you've been in IT, cybersecurity, data privacy. What real shifts have you seen in the field over those years and have you adapted your approach during that time?
Speaker 1:Certainly, Paul, because back in the day there wasn't any cloud. I mean, cloud is not even a concept back in the day. It's a client server, pretty much on-prem infrastructure. Basically, you still have the brick and mortar offices, so we set up firewalls, switches and those relevant connections. MPLS, IPLCs are there. But now you have cloud, you have Wi-Fi, you have AI, basically in the IT mix. So there's a really huge difference between the IT back then versus what IT looks like right now. Even the workforce themselves. Before we all used to work in the offices, but now you would have a hybrid setup. Some would work from home five days a week, some don't even go to the office, but some do come to the office once in a while. But it's very different from what we were doing back then.
Speaker 2:Yeah, sure, there's nothing as sure as change in this industry, isn't there, and that's one of the challenges, isn't it? Keeping on top of the changes in technology. Right now, with the shift in AI, I mean, it's really becoming almost out of control in many ways. Trying to keep up and follow the risks and the threats of the emerging technologies. But AI is a topic I'd like to come to later in this podcast, because it's definitely a hot topic right now and it's something that I'd like to chat with you further.
Speaker 2:But let's talk first about your data privacy role, because it's quite unusual, you know, to see a CISO and a DPO in the same seat, and you know what motivated you to I guess did you volunteer or were you volunteered, I don't know but into the DPO role when you were at ABS-CBN. Because, as I understand it right and correct me if I'm wrong, the law in the Philippines is one of the toughest for a DPO because, if I'm not mistaken, there is a threat of imprisonment if you fail to do your job properly. I mean, how scary is that you could be locked up for failing to protect data. Is that true, I mean? And why the hell did you volunteer for that job?
Speaker 1:Maybe so back in the day, when I was still with ABS-CBN, so I was doing information security, and then when the Implementing Rules and Regulation of the Data Privacy Act of 2012 came about in 2016 or mid-2016, so the deputy commissioner back then was a good friend of mine, Dondi Mapa, and he messaged me and said hey, Jay, there's already a DPA, so I guess you guys need to comply. And I said what DPA? So just research it and then get back to me. So I did, and then I learned about the law. It was promulgated in 2012, alongside with Singapore back then, but the IRR only came about in 2016.
Speaker 1:So I said, ok, this is something new and, coming from the contact center and BPO industry, we're very familiar with frameworks and regulations. So I said to my CTO back then okay, I'll volunteer because this is a new field, this is a green field and I think I can contribute with the regulator, which is the National Privacy Commission. So I think I was one of the first DPOs back then. I think I was DPO number six or number eight. So we went through the process, did some trainings and then I was able to implement the program for my company back then and then also helping out, you know, shaping the policies and the regulations, because we are all new. And then I think it went pretty well because now we're considered as the go-to guys in terms of data privacy and the leading experts, not just in the Philippines but also in APAC, because we were the first ones who adopted such regulations.
Speaker 1:So I think that's the story, so I volunteered, Paul.
Speaker 2:You volunteered? I'm sure you did. You seem to volunteer for everything. In my experience, you're one of those kind of people. But you know, in one of the big bugbears, you're now settled in Hong Kong. You know, working there and with your family, et cetera, in Hong Kong, and there's a massive contrast, isn't there, between the law in the Philippines protecting data and the law in Hong Kong, and I'm sure you've looked extensively at this. Do you get frustrated that it's not tougher, perhaps, in terms of data protection in Hong Kong?
Speaker 1:Not really, because there's still the law, there's still the PDPO or CAP 486, the ordinance itself, but I guess I think the government of Hong Kong is trying to improve it. I think they now have introduced, apart from PDPO and revisions of the PDPO in the pipeline, but now they have their critical infrastructure law, which is getting everyone excited because that would add another kind of focus, if I can use that word, in protecting not just infrastructure but also the data subjects that are using those infrastructure. So I guess there's a positive there.
Speaker 2:Yeah, so I guess your role at BRG. In fact, we should actually give a shout out to BRG Consulting and appreciate you joining us from there, but I guess this is in part of your role, isn't it? Because companies are grappling with these new laws, such as, you mentioned, the cybersecurity bill in Hong Kong, and I guess it's a key role for you to be advising companies and organizations how to navigate this and in many ways, to I don't know if this is a real word or not but operationalize, you know, the requirements of data privacy and of things like the cybersecurity bill, and I'm guessing that's a key role for you at BRG Consulting.
Speaker 1:Yes, definitely, and not just in Hong Kong, but I also cover the wider APAC region. It depends on the jurisdiction. For example, in Singapore, definitely, cybersecurity and data privacy are really top concerns, yes, but in Hong Kong, obviously, maybe, data privacy would probably be in a lower, not priority, but cybersecurity is top, is the topmost focus. So it depends on the jurisdiction. Indonesia, because they're the new guys in the neighborhood in terms of data privacy, so they're catching up, and so does Malaysia be updating theirs, and now comes Thailand and Vietnam. So there's really a huge opportunity out there in terms of data privacy. But cybersecurity must not be forgotten because still it's the number one focus basically.
Speaker 2:So data privacy is an interesting one, isn't it? Because you could argue that it's a legal topic rather than a technical topic, but in reality, I guess there's two components to it, isn't there? You know you should be working side by side, you know, and I'm not a data privacy expert, but I guess you should be working side by side with the in-house legal team or external legal advisors.
Speaker 1:That's correct, Paul. You're correct in saying that back in the day when I was a data protection officer, the company attached a lawyer to me. Ah, okay, well, there were questions before whether should we appoint a lawyer as a DPO and maybe consider Jay as the support for that data protection officer. But my argument was very simple. What I said was the law doesn't change that much. There may be revisions to the law or there might be implementing rules, of regulation, adjustments, basically, or new memorandums or new circulars, but it's stable. It doesn't really change much. But cybersecurity and threats, they always change. Two years ago we don't have AI, we don't have ChatGPT. Now we have ChatGPT, but what other additional or updates in the law were made? Virtually none, right, right. So I guess cyber and the threat landscape is more dynamic than any changes in the law. So I guess that's the reason why I was kind of perfect for the job back then. But they did give me support.
Speaker 2:Yeah, that's an interesting perspective. You know, because I see this a lot you know where a DPO is actually a lawyer rather than a technologist. And you're probably right that the dynamic nature of technology and you know, operationalizing it, which is the hard part, is really falling into the technical field rather than the legal field. So yeah, I guess there's no right or wrong here, but it certainly makes sense that somebody like yourself would be a perfect fit for a DPO role. But again, companies, I guess they may not have or feel that they need a full-time DPO. Now, I know in the Philippines it's obligatory, right, it's a must. Am I correct in the law?
Speaker 1:That's correct, Paul. So the law requires for any personal information controller, and also processors, to appoint a data protection officer. However, the law and the implementing rules and regulation also says that the DPO can also assume other roles unless there's a conflict of interest. If there's none, then that should be fine, right? That's why I was head of information security, but I was also concurrent data protection officer, because I don't have any IT operational duties or responsibilities. I don't manage the firewalls. We review the firewalls, but we cannot change any rules. We cannot update any rules. We audit Windows user access logs, but we can't create user access or usernames. Right? So that's the difference.
Speaker 2:I see. Okay, so I mean you've got a fantastic memory for all these laws and regulations. I'm really impressed. But you know, it really is quite, you know, fascinating to me how the job nature has evolved. And, looking at other organizations around the region, many don't appoint a DPO and that, I guess, is where you know your kind of services come in because they can outsource it, can't they? They can have an external advisor as a DPO, or not as the aside DPO, but to advise on data privacy subjects. Is that correct?
Speaker 1:That's correct, Paul. Some jurisdictions, it's very explicit in their laws that they should appoint a data protection officer, for example, Singapore, to some extent. Malaysia, yes, they said you're required. I think Thailand, yes, Philippines, definitely, but there's also a provision in the law that says you can outsource the functions of the DPO. So that's a service that we can provide. So I may not be the appointed DPO of the company or the controller, but I can do the functions of the DPO, meaning I can monitor the DPO mailbox. I can do the data subject access request. I can respond to subject inquiries. I can do the privacy impact assessments and so on.
Speaker 2:Yeah, got it. Before I switch gears slightly, has anybody actually been arrested in the Philippines for failing to do their duty as a DPO?
Speaker 1:I believe the National Privacy Commission has cited a couple of companies in violation of the provisions of the law, but no one has been jailed yet. Maybe they were meted out fines.
Speaker 2:Yeah, it seems a bit severe, doesn't it? Locking somebody up for, but anyway, so you know, but many organizations still don't really get the need for this. I feel it's my sense. I mean, how do you, you know, what do you recommend for getting organizational buy-in for a data protection management program, especially in environments where awareness is low? You know, and there are many places like that in the Asia-Pacific region.
Speaker 1:I guess the main driver for appointing a DPO is if the law requires it. If the law doesn't, then there's no incentive for the companies within that jurisdiction to appoint a DPO. However, they are still bound to at least observe and provide due diligence and due care on how they would protect the personal data that they collect. However, those jurisdictions that do require to appoint a DPO because of the law, then they have no choice or option. They need to appoint one.
Speaker 2:Right, and I guess it's not only about the law, it's about the stick, isn't it? You know, you look at Singapore. They're pretty robust in enforcing their laws. Philippines maybe less so. Do you think there's a level of maturity there that the authorities in the Philippines still need to reach in order to be effective in investigating and enforcing the quite tough laws that they have?
Speaker 1:To be honest with you, the Philippine Data Privacy Act is comparable to Singapore. I think, based on what I saw across APAC, our law is actually maybe second in terms of how good and stringent it is. The only issue is that and the main difference with Singapore is that they do enforce. In the Philippines we do enforce, but maybe not as ideal. But if they do a very good job in enforcing it, then maybe a lot of companies would toe the line.
Speaker 2:Yeah, but this is a tough one, isn't it for the authorities? And I get it because it's difficult. If somebody is good at this kind of stuff, is good at cyber investigations, security etc. Then they tend to get grabbed by larger companies and taken out of private sector roles oh sorry, public sector roles into the private sector. Is that your sense in the Philippines?
Speaker 1:That's true to some extent, Paul, but I think one of the challenges of the Philippine government, especially the National Privacy Commission, the regulator themselves, is really about budget. I mean resources, because running data privacy regulation is not an easy task. There's a lot of companies in the Philippines, there's a lot of data subjects that you need to manage, because we're like 110 million people, yeah, a lot. So there's quite a bit. I guess it's a matter of resources. Given ample support from the national government budget, they would be able to hire more people with the right skills and be able to manage that properly.
Speaker 2:Very good point. So well, let's not pick on the Philippines too much. But I'll ask you one last question about the Philippines. Let's sort of switch gears towards cybersecurity rather than just data privacy. What do you feel about the, you know, what are your perspectives on the current standards of cybersecurity across the board in the Philippines versus the rest of Asia, because now you've had experience working right across the region. What's your gut feeling about the soil levels here in the Philippines.
Speaker 1:Comparing the companies in the Philippines with the ones I've seen in APAC, I think the Philippines is kind of improving in a way that a lot of companies are now moving towards improving their cybersecurity posture by trying to raise security awareness, trying to get the right governance in place in terms of policies, applying right risk management frameworks, also implementing at least solutions that would minimize whatever risk that they may be exposed to, given the resources that they have, because, at the end of the day, companies in the Philippines may not have as much money as the other companies, let's say, compared to Singapore or Hong Kong, but I think they're going in the right direction.
Speaker 1:Now, the only issue is that there's a lot of small and medium businesses in the Philippines and those companies comprise at least probably 90% of the companies in the Philippines. The big conglomerates are just maybe less than 5%, if you're going to ask me, and those have money, right, the major banks, the large conglomerates out there, but the small, medium enterprises, they're the ones that are really exposed and they don't have the resources, they don't have the capabilities to protect themselves, even putting in a semblance of security within their own organizations. So I think that's where the challenge is and that's pretty much similar to what I've seen in Indonesia, what I've seen in Malaysia and some other smaller companies in Hong Kong as well, because at the end of the day, the priority is keeping the lights on, meaning IT operations, right, the basics that they need to run their business, but security normally would take a backseat, which is kind of unfortunate. But it's kind of similar, just on different scales maybe.
Speaker 2:Yeah, it's interesting, and do you think there's enough chief information security officers, CISOs, in the Philippines to fill the needs of all the organizations here?
Speaker 1:Unfortunately, there's a huge gap in terms of qualified chief information security officers or, at the minimum, maybe just information security managers or directors or leaders. Basically there's a huge gap in that one because, again, it boils down to resources because, admit it or not, a lot of companies that have job openings for CISOs, especially in Singapore and in Hong Kong, where the salaries are way, way higher than what's being offered in the Philippines. So some of the really good ones that I know already left or are planning to leave, not just in Singapore or in Hong Kong, but also in the Middle East, like Dubai and those other Arab countries and not including Australia and New Zealand which are also opening doors for IT security professionals.
Speaker 2:I agree. It's quite sad to see, because I've seen that as well. You know there's definitely a brain drain, unfortunately from the Philippines of some top security talent, yeah, which is? I don't know, either of us have a ready answer to that, but it's unfortunately an economic reality of the industry here. So I guess that means that companies in the Philippines perhaps should be looking towards vCISO-type services or external advisory services skills. Here the companies like yourselves and others provide that kind of service where they may not need a full-time, really experienced person who's going to cost an awful lot of money, but rather just have a part-time advisor to come in and make sure that they have a robust and mature approach to cybersecurity.
Speaker 1:I agree with that, Paul, certainly. But it really depends on what company demographics basically who would need such services. So, for example, for small and medium enterprises, then 100% they should consider a virtual CISO or a fractional CISO. That probably can help them lay the foundations, because I mean, resource wise they might not be able to hire one and maintain one. But for those larger companies depends on what their business is, whether it's a business that handles a lot of consumers, or maybe businesses who are into critical infrastructure or services like hospitals, hallways, telecommunications. I do believe that they should have at least an in-house cybersecurity expert, because in any organization you need to understand what the company is doing, basically what's the business all about, and the context within the company should understand the dynamics, even right. So I think an in-house CISO would be more ideal for those kind of companies, but for the smaller ones, yes, a vCISO would be highly recommended.
Speaker 2:I kind of think about this in a lot of different ways and I fully agree with you, of course. But also, I think, even the bigger companies, right, when they have a CISO, how do their leadership, how does the CEO and the board know that that CISO is doing a good job to protect them, when they don't have that experience themselves to oversee? So a CEO and board et cetera will probably have the expertise and experience to oversee all the business functions, but it's very rare that they would have experience to oversee cybersecurity. So they have to trust their CISO that he or she is doing a good job, right. So maybe there is room, therefore, for a vCISO type service to validate and to enhance, because one person can't know everything as a CISO and I always think that it gives comfort and validation to a board or a C-suite if an external advisor comes in and just takes a look at the programs, et cetera, internally.
Speaker 1:That's a very good point, Paul, and I totally agree on that.
Speaker 1:What the companies can do and probably some of the companies are already doing it.
Speaker 1:I mean in some organizations they would have an internal audit group which actually audits the work of IT, the work of information security or the CISO themselves.
Speaker 1:And obviously if it's a mature and experienced CISO, that person should have already KPIs and metrics that they keep and that is reported to the senior management in a regular basis.
Speaker 1:Now, CISOs, it's our responsibility to update and apprise the board on what's going on within the organization and that is where the skill of the CISO being able to communicate such programs that he has implemented within the company if it's moving the needle or not, or if the solutions or the different implementations that he or she has done within the organization is bearing fruit or meaning there's a return of investment that the CISO should be able to communicate that to the board on a regular basis. Because I think trust for the board, the senior management, to implicitly trust the CISO, is not a good thing, because you need someone to, kind of to your point, need to validate what he or she's been doing and a second pair of eyes would be very helpful and an objective one, for that matter, like an external CISO like me, being able to assess the achievements or the programs of the current CISO, the in-house CISO.
Speaker 2:Right, yeah, I think we're on the same page with that one. Let's switch gears a little bit to talk about your community involvement as we close out the show, because you are something of a legend in ISACA, right, you've obviously been a member now for a number of years, but you've not only been a member, you've volunteered to be on the board here in the Philippines and you're a regular speaker at events etc. How important do you view community involvement and, in particular, your role with ISACA?
Speaker 1:So being a member of ISACA is very rewarding for me in a sense that when I joined back in 2010, so I maintained the membership ever since, so I was volunteering in a number of committees before and then, fast forward 2016, I was nominated to be elected as part of the Board of Trustees, which I was able to win, and then I think I was Board of Trustees from 2016, skip a year and then from 2018 onwards, I have been a Board of Trustees member ever since and then a member of the different committees, like professional development, membership, conference, for example, and the good thing with being a member of ISACA Philippines is that we are able to reach out to our members and even the wider group who are interested in governance, risk and compliance, and the other thing is that I was able also to mentor some members if they're planning to take the certification, and so on.
Speaker 1:The other thing also is that I'm also teaching some modules of the CISM course and I'm also accredited to teach the CDPSE certification as well. But probably the best thing, or maybe the one that I wanted to probably share with the listeners, is that, being an ISACA Board of Trustees and a volunteer, we're not being paid. It's all under our own time, so this is on a purely voluntary basis. So what we get out of volunteering is just the CPE hours, just to maintain the certification, but we're virtually getting nothing but really good experience and good colleagues and networks within the professional organization, and I've been doing that since 2010.
Speaker 2:Wow, you're such an inspiration to the. You know the more junior listeners that we have on a regular basis to this podcast. So you know, and I know you love mentoring and I know you love teaching. But let me change. I was going to ask you you know how you encourage more talent to enter the cybersecurity field, because we need more talent. But instead of that, I'll ask you if you could give one piece of advice to your young self when you were starting off in your career in network support. What would it be?
Speaker 1:Wow, that's a tough question. I guess I would probably have done more programming because back in the day I love programming but hardware is my first love. Networking, infrastructure, networking, endpoint. But I probably would have focused more and learned more programming languages. I did assembly before in C, C++, maybe a little bit of Visual Basic, but that's about it. After, I really focused on infrastructure networks operations and then became a leader or a manager after. But I probably would have focused on development, software development.
Speaker 2:Got it. So you actually touched on a very important point in your answer, because a lot of people enter this field, right, and they're at a technical level, which is great, of course, but you've made that leap, you've made that, you've bridged that gap between being a technical person and being a leader. How do you advise, um, those who aspire to be a leader like yourself, to be some, to be a Jay Gomez one day? How do you, what, what, what do you need to make that gap, to bridge that gap?
Speaker 1:Maybe what I can say is that I didn't start it as a leader myself, but I was a very good follower. If my manager in Asian Institute of Management before said, "Jay, jump," I would ask, "How high?" If he says run, "How far?" And I don't really complain. I just take all the orders and just do it. If I found something kind of amiss, I'll finish this job first and then complain later. But I think that's how I started. But I think probably the value that probably one must have in order to become a leader or a good leader or a great leader, for example, is actually you should be a trusted person, because if you can't be trusted then you cannot be a good leader, because it's all about trust, especially in our line of job. If your people and if your stakeholders cannot trust you, then you don't have any place in cybersecurity or data privacy, because once that's blemished then it's not worth it anymore. So trust is number one, absolute.
Speaker 2:That's a fantastic answer and, yeah, it's something we live by, of course, in this field: trust building, trust relationships and, uh, you know, credibility, um, in our work. I'm gonna ask you one last technical question before I move on to the usual music question. But, um, AI, I had to come to it, right. AI, now we talked about, you know, entry-level positions and people entering the field in cybersecurity. Is there a concern that AI may be taking away some of these jobs and hence reducing the number of people who can enter at the bottom and work their way up, because you know we talk about AI now being the next analysts in SOCs, which is a key entry point, typically, for cybersecurity? Do you see AI as, whilst it enhances cybersecurity, do you also see it limiting opportunities for juniors to enter the field?
Speaker 1:I don't believe so. I mean, at the end of the day, humans are behind the keyboard and in every AI conference or webinars that I've attended they would always mention there's always a human in the middle or in the line. So there should be someone who's really kind of validating, verifying and making sure that AI is doing what it's supposed to do. It's there as a tool, but the human should still be the one who's going to be in charge. It's good to have. I mean, if we have AI before, when we were back in the day, it would have made my work much easier rather than doing those kind of repetitive tasks. But again, it might. I'm not saying that it's going to take away jobs, but I'm looking at it that it would enhance actually the work of the security analyst. But again, us as security professionals, we should always kind of evolve, upgrade ourselves.
Speaker 1:If AI is here, then why not study it, why not use it to your own advantage? Because it's a tool. But at the end of the day, you need to get your basics right. You need to learn how to network, how websites work, how endpoints work, how patching works and all this stuff. But AI is just a tool. If you can use it to your advantage, then it's good for you. So that's what I can say about AI.
Speaker 2:That's another great answer, and thank you so much for sharing your insights. Now, to our listeners: if you've enjoyed the show today and all our other shows, please hit that like or subscribe button on whatever platform you're listening to this episode today. It really helps us to grow the show and reach a wider audience. So, in closing, Jay, thank you again for being part of this today. But I always ask our guests what they're listening to currently music-wise, because it's my way of unwinding, right. So I always like to hear from our guests what they're listening to, and please don't tell me it's Freddie Aguilar, right? What do you listen to, Jay?
Speaker 1:Thanks for that, Paul. Actually, I have a very wide repertoire of music that I love. I mean, as long as it's good to listen to, I don't really mind who sang it, which band, which era, but actually I'm listening to a lot of John Mayer songs.
Speaker 2:Okay, okay. And is it true? I really like him, is it true? Like all Filipinos, you have an amazing singing voice and you rock the karaoke.
Speaker 1:I can sing, but I'm not a natural singer, I'm a developed singer but I can sing. But John Mayer is the one I really like and I always listen to when I'm traveling, especially on the plane.
Speaker 2:All right, that's fantastic. Look, Jay. Thank you so much for joining us today and being part of the show. I hope to get you on again, because we skimmed through a few topics that we could really dig into and I'd love to, you know, go into more depth with you on those one day in the future. But thank you very much for joining us today.
Speaker 1:You're welcome, Paul, and thank you for inviting me over.
Speaker 2:Theos Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producer was myself and Ian Carless, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.