THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders

Paul Jackson: Welcome to Episode 2 of Season 2 of the THEOS Cybernova podcast. As a long-time resident of Southeast Asia, I’m always intrigued by the stories of cybersecurity professionals who’ve made the bold move to live and thrive in the diverse cultures of our region—and make a difference. My guest today exemplifies that and more. I’m honored to be here in the home of Neal Ysart, in sunny Manila.

Thanks for agreeing to join me on the podcast today, Neal, and for your hospitality in your beautiful home.

Neal Ysart:Thank you. I’m really pleased you were able to make the trip through the traffic—and you brought some sunshine too! I’m looking forward to the discussion.

Paul Jackson: Yes, the traffic—less so. That’s a whole separate topic, isn’t it? The joys of Manila traffic. But I’ve got to say , once I got here, the views were sensational. So well worth the trip. So thank you for inviting me. So anyway, onto the onto the podcast episode, how about you tell us? We’ll start off by telling us a little bit about your career story, because it’s fascinating. And I, I do love your story and how you ended up here in Manila.

Neal Ysart: It’s a long story, so buckle yourself in.  I started as a police officer. I joined the Metropolitan Police, which most people know as Scotland Yard—in 1984 and was posted to Paddington Green Police Station, which, for those who don’t know, was in the heart of the red-light district in Central London.

So I kind of gravitated to that type of policing, and very early in my career, I found myself on a Scotland Yard squad called CO14 Clubs and Vice, doing covert investigations into organized prostitution. That continued for about six years. And then there was a change in the law in the Obscene Publications Act. So they were looking for experienced investigators to start to do more serious investigations into the people behind obscene publications in Central London.

So I started to do that. And that led into the online pornography game—this was around 1995. So as an early computer user, I started to do a lot of the very early internet investigations. A lot of the stated cases and legal precedents are my cases, things like publication and jurisdiction—those type of issues.

As a result of that, PwC came and ask me to leave the police and set up cybercrime services for them  in the UK.

Paul Jackson: What dragged you away from the police, though? And surely, you know, the, the police work was fascinating, interesting and rewarding that you’re putting away bad guys, right?

Neal Ysart: Yes, it was very rewarding. And I probably did more in my 16 years than many police officers do in their entire careers.  I had the opportunity to work overseas, do international cases, do a lot of cases that were instituted really just to kind of prove a legal point round about internet investigations, But there wasn’t actually a place left for me to go and move forward.

So when the PwC came with the offer, the challenge was too much and it was perfect timing for me personally and the, you know. And the opportunities I was able to take advantage of in the private sector were phenomenal. So I stayed with PwC for 12 years. And then left with another PwC director and set up my own or our own business called 1st August. We continued doing the same type of thing—investigations, digital forensics, cybercrime investigation, those type of issues.

That led one of our clients to offer both me and my business partner senior roles, and that  took me to the Middle East. I joined HSBC in the Middle East, where I led their KYC operations team. It was a team of about 140 people—45 of whom were based in the Philippines. That was my introduction to the Philippines.

So I stayed with HSBC for three years before returning to consulting, where I took a role with EY in Dubai. And I led the forensic technology practice across the Middle East, the main type of work there were mainly cybercrime investigations, a few financial crime investigations but  the common threat there was the use of analytics and technology to make investigations more efficient, accurate, faster, and more cost-effective.

After three years with EY, I took a role in  a law firm called Clyde & Co—the biggest international law firm in the Middle East—and that role was as  their lead investigations and regulatory advisor. The idea was for Clyde & Co to build an in-house investigations consultancy. So rather than farming work out to other consultancies like EY, PwC and FTI and to a lot of the other consultancies, they would do it internally themselves.

Then COVID hit, and I decided the opportunities in the Philippines—which I had been eyeing for a while—were too good to turn down. My wife is from the Philippines, we’d always kind of promised that at some stage we would go and we’d relocate to the Philippines. So I accepted a role with Deloitte to lead their forensics practice, and I moved to the Philippines in 2022.

We handled some great investigations at Deloitte, but in August 2024, I resigned and set up my own company— MacNeal-LCB & Partners Inc.  MacNeal-LCB is, an investigations and open source intelligence (OSINT) consultancy. We do strategic risk focusing on the controversial things in businesses fraud, corruption, security, cyberattacks, and the like.

Paul Jackson: Indeed. It’s a fascinating story. I love the folks that end up here with that sense of adventure—willing to work in exotic locations. And the kind of work you do is fascinating, of course. But how do you see the elements of technology in the investigations?

Because, obviously you’re over the years you’ve become very adept at using computers for investigations. How important is it nowadays to have that kind of tech knowledge, in order to successfully complete these kind of modern investigations?

Neal Ysart: It’s absolutely essential. I cannot think of an investigation in the last 10 or 15 years that hasn’t involved digital forensics technology, or  analytics. I’d also add open-source intelligence to that list—I use it in every single investigation alongside the other tools.

Paul Jackson: Right. So I think it’s quite a rarity to actually find somebody who’s got that real solid investigation background, plus the tech knowledge, because I see in many places that the forensics,  the cyber is  as a support service to traditional investigators.

So in other words, you’ve got a traditional investigator working alongside a cyber person, a forensics person, you are all in one. How important do you think it is to have both skill sets all in one rather than, you know, relying on support from, say, a forensic person?

Neal Ysart: My view is that whether it’s all in one or whether it’s spread across a number of individuals, as long as you have it, as long as you have that spread in that range of skills, I think that’s okay.

I don’t believe everyone knows everything. I don’t believe there’s anyone that is an expert in all the various domains that you need to be a, you have to conduct a successful investigation. So  for me, as long as you have, that the aggregate total, you know, equals all the skills that you require. That’s fine. I mean, I’ve been fortunate in my 40 year plus career that I’ve had, you know, the opportunities to pick up some of these skills.
But I do recognize that particularly with things like AI and analytics that are far brighter, younger, sharper people than me, and I would seek to harness those skills on every single possible occasion.

Paul Jackson: You know, I think that’s a perfect example of the kind of work you’re doing at the moment. Can you just tell us a little bit more? So, short summary without giving away too many confidential information?

Neal Ysart: Yeah. I mean, the, the whole idea of boiler room investment frauds probably goes back to the, you know, the 1920s and 1930s where you’d have people literally in the basements next to the boilers, in rooms, cold calling people, trying to sell them penny shares or sell them and, investments in companies and stocks that didn’t exist these days. You know, technology has really  turbocharged these, these type of criminals. So nowadays they can have, you know, proper LinkedIn profiles. They have a proper internet profiles, they publish press releases, they have trading platforms, they produce dashboards. So when you as an investor get approached by one of these fraudsters, they almost check out. And, you know experienced investors are targeted as well as inexperienced investors.

And both experienced levels will be victims. So they’re very sophisticated. They’re very clever, but they’re using technology. For example, they use AI to produce realistic websites with realistic narratives, with realistic LinkedIn profiles and bios for  the so-called traders and brokers. And, you know, if you cast your mind back, even as recently as five, ten years ago where you were get really almost illiterate phishing emails with spelling mistakes and grammatical mistakes. We don’t get those nowadays because people use AI. And so the you know that the investment fraudsters are doing the same thing. Except that, you know, the stakes are a lot higher and people are losing their life savings. It’s a really, really cruel crime.

Paul Jackson: Interesting, interesting. So, you know, you often hear, right, people talk about DFIR. Which stands for obviously digital forensics and incident response. And they kind of lump it all together. Now you’ve already kind of given a glimpse into the kind of world that you live in, and it’s more on the DF side, the if you like the digital forensics plus online intelligence , online investigate options, etc.. So very different skill sets from the incident response where you’re dealing with like ransomware or life hacking or data breach attacks.

But a lot of people when I talk to them say, well, DF that’s just for law enforcement, isn’t it? That’s where they catch the bad guys and you know, and find evidence that they’ve done something on the computer that provides motive or links them to a crime. But it’s not, is it? It’s really, just as applicable in the corporate world.

Neal Ysart: Yeah, of course it is. And I mean, the well, the regulatory drivers for a start. So organizations need to be on top of this sort of stuff. And one of the things that regulators will look for is are you prepared for these type of incidents. Have you considered all the risks to your business and is your business well controlled and not having an incident response capability or, you know, policy or procedure?

If you don’t have that, you won’t be able to meet those tests. And that’s just on the regulatory side. On the operational side, you’re going to find yourself in a world of trouble if you can’t respond effectively. And often it takes an incident or pain to really focus the mind of an organization and to start to put these things in place so that, you know, getting bitten once is often what’s required.

And, you know, I think so if you look at the regulatory side and the operation side, those two, those two issues just demand that organizations are prepared.

Paul Jackson: But you can’t really expect that organizations have these kind of niche skill sets in-house. Right? So what should they be looking? I mean, should they be getting retainers or should they just be having somebody on standby where the, you know, the call in emergencies, the bat phone or, you know, how should you how would you advise corporates to be more resilient or to be more prepared.

Neal Ysart: Yeah. So and you know, as they’re looking at their risk assessments and they’re doing their scenario testing etc., one of the things that they should take into consideration is how would we respond to these type of incidents if they do not have the capability? And you make a great point. Of course, not all organizations will have an internal capability, and it doesn’t make sense for all organizations to have that.

But they should be prepared. And being prepared means that at the time of an incident, you’re not running around looking, trying to engage people, trying to  review proposals, etc. you need to have that retainer, you need to have access, and you need to have a decision as to who it is that you’re going to rely on and partner with in those times.

Paul Jackson: Absolutely. You know, great advice there. Unfortunately, as you, to quote you, you know, it’s being bitten sometimes that actually makes companies realize this rather than being ahead of the game and having that in place before the attack, so to speak.

Neal Ysart: Yeah. And often what I notice in this part of the world, and particularly in the Philippines, is even when organizations are bitten, once they get over the crest of the crisis, they’ll move on to the next crisis. And often the lessons are forgotten. And actions aren’t, you know, recommendations and actioned things aren’t completed and they’ll find themselves in the same position again. That’s the kind of a mindset thing. And I think it’s incumbent on people like THEOS and like MacNeal-LCB  to kind of spread the gospel and try and, you know, raise awareness within organizations that this just makes good business sense.

Paul Jackson: Absolutely. Okay. All right. Switching gears slightly, you’ve worked in the UK, the Middle East and now obviously Asia. What are your observations about the sort of the differences in maturity and capability of  the investigations side of things.

Neal Ysart: Yeah. So I think if you look at the UK, Middle East and, and the Philippines in that order, I would say that the, the levels of maturity, the Middle East was making huge strides when I left. But, you know, there’s still there’s still a way to go. The Philippines, I would argue, is at the start of the journey, lots of good initiatives. But there’s still many improvements that can be made, particularly around about, you know, training and creating a body of experts and a body of specialists that focus on digital forensics and investigations and understand the evidence side of things as well, because that’s also important.

Paul Jackson: Absolutely. Yeah. So actually,  I was talking to a very good friend of mine who runs DFIR, Digital forensics Incident Response training, and he’s run several programs and courses here in the Philippines. And he told me that, he feels that the level of talent in the Philippines is pretty small, and he rarely sees anybody who, who’s who, who with advanced capabilities in this area.

And I kind of I kind of agree with that because, you know, at THEOS, we have a large workforce here in the Philippines. And I would say we excel in finding ethical hackers. You know, the offensive security, the pen testers, the red team is etc.. And I think Philippines is a goldmine for this kind of talent. But I’ve got to say, we struggle to find good talent with investigative experience that, as you say, because there’s a lot of rigor to investigations. There’s a lot of requirements for needle in the haystack type work, documenting, ensuring that everything is legally admissible and that you have, you know, told a story at the end of the investigation. So, you know, it’s just that mesh with your experience here is, is do you feel that? You know, I don’t know, is it part of the culture or is it is it just because maybe the industry hasn’t matured enough because companies aren’t leveraging, you know, DFIR or incident response or forensics capabilities very often here?

Neal Ysart: Yeah, I think I think you’re right there. I don’t think, companies are leveraging it. If you look at or have conversations with, with lawyers and law firms here, their knowledge of digital forensics is probably limited to imaging laptops and maybe mobile phones. Anything beyond that is alien to them. And it’s I, I kind of struggle to kind of put my finger on what the reason is because there’s a huge talent pool here in the Philippines.

There’s a huge e-discovery outsourcing sector. So you actually you have people that have the understanding of data and they have the understanding of evidence. But what there isn’t, as you quite rightly point out, is, a community of digital forensics practitioners that’s growing. I don’t see that.

Paul Jackson: Yeah. And talking about communities, you know, we see endless numbers of cyber security conferences, right. So anybody who’s like a CISO or, you know, anybody in, security operations centers or anything to do with cyber security engineering, have a plethora of conferences that they can attend or societies that they can join. But, you know, we’re very limited, aren’t we on the investigation side? Yes. We have organizations like the ASF, the HTCIA, which is a bit sporadic. And I know this there’s not really a chapter here in the Philippines. So where would an investigator or somebody who wanted to get into forensics go to, if they wanted to learn from a community, if you like.

Neal Ysart: You know the beauty of, where we are just now is that it doesn’t matter whether someone’s based in the Philippines or whether they have a mentor that’s based on the other side of the world, because technology just brings us all together.

So, you know, if I was a young investigating the Philippines looking for, you know, for experience and looking to collaborate with other communities, yeah, I wouldn’t restrict myself to the Philippines. I would I would go global because there, you know, there’s so many people out there, there’s so many experts out there that that that are willing to help and collaboration is the key.

And I think if you if you restrict yourself to a single geographical area, you’re probably missing a trick.

Paul Jackson: Yeah, but I you’re absolutely right. I often get asked, you know, how do I become a good forensic investigator? How do I, you know, how do I get, you know, a start in life if I can’t get experience, you know, and it’s a tough one, isn’t it? Because. Don’t you feel as well? I’ve been in this game a long time. Like yourself. An experience is everything, isn’t it? And how It’s a it’s kind of a chicken and egg, isn’t it? How do you get that experience in the first place?

Neal Ysart: Yeah. So I mean the there’s probably two facets to answering that question. There are a number of businesses around that that don’t know yet that they need the digital forensic capability. And sometimes, you know, making a case to take you to those sort of companies might be a good idea. However, I think that, the primary route that I would recommend is some of the some of the well-renowned certifications that I mean, digital forensics is a mature domain now, unlike the open source intelligence domain, which doesn’t have standardized, globally accepted or agreed methodologies or procedures or standards or certifications, digital forensics does.

And, one of the things about this region is said applications matter when you’re looking for jobs, whether you agree with that or not, certifications matter and whether you have a certification or you don’t, you’re more likely to be to be employed if you have a certification. So from a digital forensics perspective, my advice would be to you to you to look at some of the certificate options that are, globally accepted.

And, you know, try to be passionate about it and appeal to some of the companies that that would employ you. There’s lots of companies that have, a need for digital forensics, not just investigations companies, but wider technology companies, security companies, even some of the global organizations that are based here, you know, have a need for those sort of skills locally. But there, you know, as you pointed out, they struggle to find the resource.

Paul Jackson: Agreed, agreed. And yeah, it’s always a challenge. Now we you and me, we’ve got remarkably similar backgrounds. Obviously, we’ve both done law enforcement. We both been in big banks and we’ve both done consulting. But harking back to my law enforcement days, I used to run a lot of training programs and on behalf of Interpol as well as the Hong Kong police, and I was quite a public figure, you know, I’ve represented the police in media, etc. and conferences. And one of the questions that kept cropping up again and again, bizarrely, was how do you recruit cyber investigators? Do you try to train police officers who have strong experience with investigations? You know, the rigor around documenting and, you know, all the human aspects of investigations as well, because we mustn’t forget the end of the day there’s hands behind the keyboard. Well, with AI, maybe not nowadays, but yeah, certainly back in the day. Hands behind the keyboards. And they kept asking you, should you be hiring, or should you be training your police officers to be better at the tech? Or should you bring in a real tech expert and teach them enforcement, teach them investigations and the rigor around it? What’s your view on that?

Neal Ysart: So I’m sure that, at THEOS, you would advise your clients to have blended defenses. And I think that, you know, the answer is the same. You need to have a blend of skills. I mean, I’ve always said that there is there’s no secret to be an investigator. Yep. And the, you know, the skills and the evidence, understanding the, you know, the procedures, understanding the safeguards that you need to put in place.

They can be taught in the same way that technology skills can be taught. What you can’t teach is attitude and passion and mindset and determination. So like any resource, my view would be not to kind of pigeonhole them as an investigator that’s got tech skills or a techie that’s got investigative skills. But look at the entire skill set, including the soft skills. There’s no point in having an investigator that can’t speak to people for sure. Yeah, yeah.

Paul Jackson: No, I think you nailed it there. Okay. So tell me a little bit about this, coalition of cyber investigators that you I believe you started. What what’s that all about? What triggered that? And what are the goals?

Neal Ysart: Yeah, so that the coalition of cyber investigators that was set up by myself and  long term friend and really, really excellent investigator called Paul Wright was based in the UK and we set it up as, open source intelligence, digital forensics and cybercrime think tank.

But it kind of took on a life of its own. So we were, you know, drafting, you know, thought leadership and articles and guidance, writing about open source intelligence around about the evidential aspects of, roundabout the procedures, commenting on the fact that there wasn’t standards and giving our view that there needed to be standards. However, it’s become so successful that we it developed into a kind of commercial organization.

We now provide services. So, for example, that, you know, the boiler room investment fraud investigation that we’ve just completed was a coalition of cyber investigators investigation. Additionally, we’ve been working with a lot of open source intelligence solution providers who to go back to the previous question, many of them are very bright technically, and they’ve got great technical solutions. But the solution isn’t appealing to investigators for a number of reasons. So we’re helping them with that. For example, if you are, a law enforcement investigator for example, and you are going to submit some open source intelligence to a website that that would find you matches or something that you’d want to know who’s behind it, you’d want to know where the data is. You’d want a certain level of transparency that you yourself could do your own due diligence and satisfy yourself that there, you know, there’s no red flags or that it’s a bona fide company. Many of these companies don’t have even that. So, you know, there’s lots of ways that we’ve been helping these different solution providers, as well as offering OSINT, open source intelligence advisory services, helping with helping organizations deploy open source intelligence to into the risk operations as well to manage risk also.

Paul Jackson: Fantastic. So for those who your listeners that we have on now, if you’re enjoying the podcast, please help us out by clicking the like and subscribe buttons. It really does help us to get the get these messages out to as many people as possible. So, I hope you are enjoying this. I’ve got a couple of, final questions for you, Neil. But before I go into that, I’d just like to say, you know, I think, honestly, I’m just getting to know you, right? We only met, for the first time a few weeks ago. And it is a small community here. And I think the Philippines and Asia in general is pretty lucky to have someone with your experience out there. And I do hope any listeners who have needs in terms of understanding how to be more resilient with their investigation world and, compliance side of things, would definitely reach out to you and learn more about, you know, the good work that you do in your company and with the, the coalition. So but before we close off, I always ask my guests about music. And looking around your house, you’ve got guitars everywhere. So I’m guessing you’re a music lover like myself. And I always ask this question to my guests. You know, because we work hard with stressful. So my way of releasing stress is very much to sit down and listen to good music with a good book and, you know, that’s just me. But how about you? What music are you listening to at the moment?

Neal Ysart: The moment I’m listening to, a UK band called Big Special. The first album was called, Post-Industrial Hometown Blues. And they’ve just released their second album. So I would recommend a big special go  look them up.

Paul Jackson: Fantastic. I was expecting The Proclaimers, but, maybe not. All right, I, you know, thanks very much for joining me today, but I’ve got one very last question for you. Are you able to say purple burglar alarm? Shall I give it a go? Go for it.

Neal Ysart: Purple burglar alarm.

Paul Jackson: Very good, very good. So there you go. You’ve just proven that, folks from Scotland can actually say that. Neil, you’ve been a brilliant guest today. Thank you so much for your time. And thank you for your hospitality. It’s a beautiful sunset we’re having. I could just see it out the window. So, thanks for joining me. And, I look forward to continuing the directions and watching how your company develops and, and seeing you around town here in Manila.

Neal Ysart: Yeah. Thank you. And, collaboration is a key, so, I look forward to working with you again in the future.