PODCAST
THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders
THEOS Cybernova delivers expert cybersecurity insights for business and security leaders in APAC. Hosted by THEOS Cyber CEO Paul Jackson, each episode dives into real incidents, strategic responses, and the evolving role of cyber leadership.


Episode Summary
From the Philippines to Singapore and Hong Kong, how do companies across APAC balance cybersecurity, data privacy, and regulation in a rapidly shifting landscape?
In this episode of THEOS Cybernova, host Paul Jackson speaks with Jay Gomez, Associate Director in Cyber Advisory at BRG, about what it takes to lead in one of the world’s most diverse and fast-moving cyber regions.
Jay reflects on his journey from IT operations and BPO leadership to becoming one of the Philippines’ first Data Protection Officers and now a regional consultant. He shares candid insights on the Philippines’ tough but unevenly enforced privacy law, the exodus of top cyber talent abroad, and why SMEs are increasingly relying on fractional or virtual CISOs to stay secure.
They also discuss why trust is the bedrock of effective cyber leadership, how ISACA has shaped the IT GRC community, and why AI is more likely to enhance the work of security analysts than replace them.
About the Guest

Jay Gomez is an associate director in BRG’s Asia–Pacific (APAC) Cyber Forensics and eDiscovery practice based in Hong Kong. He has almost 30 years of professional experience and is a certified practitioner in cybersecurity, information technology (IT), and data privacy and protection.
Mr. Gomez focuses on providing the full spectrum of cybersecurity and data privacy advisory and consulting services. His areas of expertise range from proactive information security strategy and consulting, cybersecurity compliance, data security and loss prevention, and vulnerability and risk management; to cyber incident response, investigations, risk mitigation and post-crisis support.
Mr. Gomez has extensive experience in projects across APAC, Europe, North and Central America. He has worked with and advised clients in a diverse range of industries, including banking and finance, broadcast and communications, energy, education, manufacturing, technology, retail, professional services and telecommunications.
Before joining BRG, Mr. Gomez was a principal advisory consultant, leading the North Asia cyber risk practice at an Australian-headquartered global telecommunications company. He was also associate managing director at a cyber risk consulting firm, both in Hong Kong; and assistant vice president, head of information security and data protection officer at a large conglomerate based in the Philippines. He has held other senior positions leading IT, cybersecurity and data privacy functions in various organisations.
Jay Gomez
Associate Director, Cyber Advisory APAC, BRG

Related Resources
- Connect with Jay Gomez: https://www.linkedin.com/in/jayg-cyberdpo/
- About BRG: https://www.thinkbrg.com/
- About ISACA Manila Chapter: https://engage.isaca.org/manilachapter/home
- Connect with ISACA Manila Chapter: https://www.linkedin.com/in/isacamanilachapter/
- Connect with Paul Jackson: https://www.linkedin.com/in/jacksonhk/
- Connect with THEOS Cyber: https://www.linkedin.com/company/theos-cyber/
- Connect with THEOS Cybernova: https://www.linkedin.com/showcase/theos-cybernova/
Episode Transcript
Paul Jackson: Welcome to episode four of season two of the THEOS Cybernova podcast. Today’s guest needs no introduction — famous not only in the cybersecurity community in his home country of the Philippines, but also right across the Asia Pacific region, where he has worked extensively. I’m delighted to welcome Jay Gomez, Associate Director in Cyber Advisory at BRG Consulting, to the show. Thanks for joining us today, Jay.
Jay Gomez: Thank you so much for inviting me. Really excited about this.
Paul Jackson: It’s a real honour to have you on the show. I’ve known you for a number of years now, and I’m really looking forward to hearing your stories and experience. So, on that note, perhaps you can kick us off by telling us about your career — how you made it from humble beginnings to being a recognised leader across the region. What’s your story?
Jay Gomez: Alright. I’ll probably start with this — I was a working student. I didn’t go straight to college. I took a two-year electronics course, and after the first trimester, I landed a job in a semiconductor company. I worked all throughout while studying. After graduating from that course, I joined Manila Electric Company, the power distribution company in the Philippines. I started out in desktop support, then moved into endpoint support.
Paul Jackson: Well, you really did start with humble beginnings, didn’t you? You went to the University of Life, I guess you’d call it.
Jay Gomez: Yes, that’s correct, Paul. After that stint with Meralco, I worked at the Asian Institute of Management for six years. I started as desktop support again, then did some programming, network administration, and system administration back in the days of Windows servers. I then spent three years in Singapore, starting as a Lotus Notes administrator and later working as a systems administrator.
But the fun part in Singapore was that I had another role in the same company — I supported games like Counter-Strike and Warcraft. So I was a systems administrator on one side, and also gaming support on the other. It was actually part of my job to play.
Paul Jackson: Wow. I think you’ve got a lot of very jealous listeners right now who would’ve loved gaming as part of their job.
Jay Gomez: Correct. And then in 2003, we went back to the Philippines, and I became an asset manager in the contact centre industry, which was booming back then. I stayed in that industry for about 9 to 11 years, starting as an asset manager and eventually becoming a regional IT director. I was an IT guy through and through — managing IT operations, networks, helpdesk, software development, Windows administration, and server administration. I even built sites across the Philippines during my time at Alorica and Cognizant Technology Solutions.
After that, around 2012, I spent four years at Cognizant and then moved to ABS-CBN — the biggest broadcast network in the Philippines, which is also a conglomerate. I became Head of Information Security and concurrent Data Protection Officer. I stayed there for four years before moving to Hong Kong, shifting from being an in-house cybersecurity and data protection executive to now working on the consulting side.
Paul Jackson: Who persuaded you to make that move, Jay?
Jay Gomez: The greatest cybersecurity professional I know? It’s Mr. Paul Jackson. [laughs]
Paul Jackson: [laughs]
No, seriously — it was a good decision. I think your ability to share your extensive experience, everything you’ve done, has given you such a depth of knowledge. Consulting is the right place for you because those skills are so in demand. And we’ll cover that during this podcast.
But let me turn the question around — what made me transition from the IT side into cybersecurity? Was it natural, or just something I had a passion for?
Jay Gomez: That’s a great question, Paul. Back in my stint with Alorica — a US contact centre and business process outsourcing company — we supported clients handling credit cards and healthcare information. So we were regularly audited: PCI, Sarbanes-Oxley, HIPAA back in the day, and also ISO 27001.
Since I was managing IT infrastructure and operations, I went through audits from our US internal audit group as well as external auditors. Our Chief Information Security Officer at the time, also named Paul — Paul Agassi — asked me, “Jay, are you interested in cybersecurity? This is a very new and promising field.”
I said, “Why not?” He mentored me, encouraged me to take a course in cybersecurity, and get certified. So I did. I reviewed for the ISACA CISM — Certified Information Security Manager — took the review class, sat the exam in 2010, and passed.
I’ve maintained my certification and membership ever since.
Paul Jackson: Yeah, we’ll come back to your community engagement a little later, because your role with ISACA is huge — you’ve become something of a legend in that regard. But first, let’s talk more about the cybersecurity angle. You’ve got nearly 30 years in the field — despite looking like you’re still in your 20s, which is very annoying for someone like myself. [laughs]
You’ve been through IT, cybersecurity, and data privacy. What real shifts have you seen over the years, and how have you adapted your approach during that time?
Jay Gomez: Certainly, Paul. Back in the day there wasn’t any cloud — cloud wasn’t even a concept yet. It was all client-server, pretty much on-prem infrastructure. You had brick-and-mortar offices, physical firewalls, switches, MPLS, IPLCs — that was the setup.
Now it’s cloud, Wi-Fi, AI, and IoT in the mix. There’s a huge difference between IT then and what it looks like today.
Even the workforce has changed. Before, everyone worked in the office. Now you have hybrid setups — some people are fully remote, some never go into the office, and some only go occasionally. It’s very different from how we worked back then.
Paul Jackson: There’s nothing as sure as change in this industry, and that’s one of the challenges — keeping up with technology. Right now, with the shift in AI, it feels almost out of control in many ways. I try to follow the risks and threats of emerging technologies, but AI is a topic I’d like to come back to later in the podcast.
For now, let’s talk about your data privacy role, because it’s quite unusual to see a CISO and a DPO in the same seat. What motivated you? Did you volunteer, or were you volunteered into the DPO role at ABS-CBN? Because as I understand it — and correct me if I’m wrong — the law in the Philippines is one of the toughest for DPOs. If you fail to do your job properly, there’s even a threat of imprisonment. How scary is that? You could actually be locked up for failing to protect data. Is that true? And why on earth did you volunteer for that job?
Jay Gomez: Maybe I was crazy. [laughs] Back when I was still at ABS-CBN, I was handling information security. Then the implementing rules and regulations of the Data Privacy Act of 2012 came out in mid-2016.
The deputy commissioner back then, a good friend of mine, Dondi Mapa, messaged me and said, “Hey Jay, the DPA is now in effect. You guys need to comply.” I said, “What DPA?” He told me to look it up and get back to him. So I did, and that’s when I learned about the law.
The Act had been promulgated in 2012, around the same time as Singapore’s, but the IRR only came out in 2016. I thought, okay, this is something new. Coming from the contact centre and BPO industry, I was already familiar with frameworks and regulations. So I told my CTO, “I’ll volunteer.” It was a new field, a greenfield space, and I felt I could contribute — especially with the National Privacy Commission.
I think I was one of the first DPOs at the time — maybe number six or number eight. We went through the process, did training, and I implemented the program for my company. I also helped shape policies and regulations because everything was new for everyone.
It went pretty well, and eventually we were seen as one of the go-to groups for data privacy — regarded as experts, not just in the Philippines but even beyond, because we were among the first to adopt the regulations. So yes, that’s the story. I volunteered, Paul.
Paul Jackson: You volunteered — of course you did. You seem to volunteer for everything. [laughs] But now that you’ve settled in Hong Kong with your family, there’s a massive contrast, isn’t there, between the law in the Philippines protecting data and the law in Hong Kong.
I’m sure you’ve looked into this extensively. Do you get frustrated that the laws in Hong Kong aren’t tougher in terms of data protection?
Jay Gomez: Not really, because there is still the law — the PDPO, Cap. 486, the ordinance itself. But I think the Hong Kong government is trying to improve it. They’ve been looking at revisions to the PDPO, and of course GDPR has had some influence.
What’s new and exciting is the introduction of the critical infrastructure law. That brings an additional focus on protecting not just infrastructure, but also the data subjects who rely on it. So I’d say there’s progress.
Paul Jackson: Right. And I suppose that’s part of your role at BRG — and let’s give a shout-out to the firm, thanks for joining us from there. Your work involves helping companies grapple with these kinds of laws. You mentioned the cybersecurity bill in Hong Kong — I imagine a big part of your job is advising organisations on how to navigate these requirements and, if I can use the word, “operationalise” data privacy and cybersecurity obligations. That must be a key part of your role at BRG Consulting?
Jay Gomez: Yes, definitely. And not just in Hong Kong — I also cover the wider APAC region. It really depends on the jurisdiction.
For example, in Singapore, cybersecurity and data privacy are both top concerns. In Hong Kong, data privacy is less of a priority, but cybersecurity is the main focus.
In Indonesia, they’re new in terms of data privacy, so they’re still catching up. Malaysia is preparing updates, and now Thailand and Vietnam are moving forward as well. So there’s huge opportunity across the region in terms of data privacy. But cybersecurity remains the number one focus everywhere.
Paul Jackson: Data privacy is interesting, isn’t it? You could argue it’s more of a legal topic than a technical one. But in reality, I guess there are two components. You need the legal perspective, but you also need the technical side — ideally working together with in-house legal teams or external advisers.
Jay Gomez: That’s correct, Paul. Back when I was a Data Protection Officer, the company assigned a lawyer to support me. There was always debate about whether a DPO should be a lawyer, or whether a lawyer should simply provide support.
My argument was simple: the law doesn’t change that much. Yes, there may be revisions, new implementing rules, circulars, or memorandums, but overall it’s stable.
Cybersecurity, on the other hand, is constantly changing. Two years ago we didn’t have AI or ChatGPT. Now we do. But in that same time, how many updates were made to the law? Virtually none, right?
Paul Jackson: Right.
Jay Gomez: So I guess cyber and the threat landscape are far more dynamic than changes in the law. That’s probably why I was a good fit for the job at the time — but I did have support.
Paul Jackson: Yeah, that’s an interesting perspective. I often see DPOs who are lawyers rather than technologists. And you’re probably right — the dynamic nature of technology, and the need to operationalize it, falls more into the technical field than the legal field.
There’s no absolute right or wrong, but it certainly makes sense that someone like you would be a perfect fit for a DPO role. That said, many companies don’t feel they need a full-time DPO. In the Philippines, though, it’s obligatory, isn’t it? Am I correct?
Jay Gomez: That’s correct, Paul. The law requires any personal information controller or processor to appoint a Data Protection Officer.
However, the law and its implementing rules also say the DPO can assume other roles, unless there’s a conflict of interest. If there’s none, then that’s acceptable. That’s why I was Head of Information Security and, at the same time, the Data Protection Officer.
I didn’t have IT operational duties or responsibilities. I didn’t manage firewalls. I could review them, but not change rules. I couldn’t create user accounts, only audit access logs. That’s the difference.
Paul Jackson: You’ve got a fantastic memory for all these laws and regulations — I’m really impressed. It’s fascinating how the nature of the role has evolved. Looking around the region, though, many organizations still don’t appoint a DPO. And that, I guess, is where your kind of services come in, because they could outsource it, can’t they? They can have an external advisor as a DPO, or not as the actual DPO, but to advise on data privacy subjects. Is that correct?
Jay Gomez: That’s correct, Paul. In some jurisdictions, it’s very explicit in their laws that they should appoint a Data Protection Officer. For example, Singapore, and to some extent Malaysia. I think Thailand as well, and definitely the Philippines.
But there’s also a provision in the law that says you can outsource the functions of the DPO. So that’s a service we can provide. I may not be the appointed DPO of the company or the controller, but I can do the functions of the DPO — meaning I can monitor the DPO mailbox, I can handle data subject access requests, I can respond to subjects, I can do privacy impact assessments, and so on.
Paul Jackson: Got it. Before I switch gears slightly, has anybody actually been arrested in the Philippines for failing to do their duty as a DPO?
Jay Gomez: I believe the National Privacy Commission has cited a couple of companies in violation of the provisions of the law, but no one has been jailed yet. Maybe they were fined.
Paul Jackson: Yeah, it seems a bit severe, doesn’t it? To lock somebody up for that. But anyway, many organizations still don’t really get the need for this. That’s my sense. So how do you recommend getting organizational buy-in for a data protection program, especially in environments where awareness is low?
Jay Gomez: I guess the main driver for appointing a DPO is if the law requires it. If the law doesn’t, then there’s no incentive for companies in that jurisdiction to appoint one.
However, they are still bound to at least observe and provide due diligence and due care in how they protect the data they collect. But those jurisdictions that do require a DPO by law — then they have no choice. They need to appoint one.
Paul Jackson: And I guess it’s not only about the law, it’s about the stick, isn’t it? Look at Singapore — they’re pretty robust in enforcing their laws. The Philippines, maybe less so. I think there’s still a level of maturity the authorities in the Philippines need to reach to be really effective in investigating and enforcing the tough laws they already have.
Jay Gomez: To be honest with you, the Philippine Data Privacy Act is comparable to Singapore’s. Based on what I’ve seen across APAC, our law is maybe second in terms of how good and stringent it is. The only issue is enforcement. In Singapore, they do a very good job of enforcing. In the Philippines, we do enforce, but maybe not as strongly as we should. If that improved, a lot more companies would toe the line.
Paul Jackson: Yeah, but this is a tough one, isn’t it, for the authorities. And I get it, because it’s difficult. If somebody is good at this kind of work — cyber investigations, security, and so on — they tend to get grabbed by larger companies and move out of public sector roles into the private sector. Is that your sense in the Philippines?
Jay Gomez: That’s true to some extent, Paul. But I think one of the main challenges for the Philippine government, especially the National Privacy Commission — the regulator — and for us, is really about budget. I mean, resources. Running data privacy regulation is not an easy task.
There are a lot of companies in the Philippines, and a huge number of data subjects to manage — we’re a country of around 110 million people. So there’s quite a lot to handle. I guess it’s really a matter of resources. With ample support from the national government budget, they’d be able to hire more people with the right skills and manage the work properly.
Paul Jackson: Very good. Well, let’s stop picking on the Philippines too much. But I’ll ask you one last question about the Philippines. Let’s switch gears toward cybersecurity rather than just data privacy. What’s your perspective on the current standards of cybersecurity across the board in the Philippines versus the rest of Asia? You’ve had experience working right across the region — what’s your gut feeling about the skill levels here in the Philippines?
Jay Gomez: Comparing companies in the Philippines with the ones I’ve seen in APAC, I think the Philippines is improving. A lot of companies are now working to strengthen their cybersecurity posture — raising security awareness, putting the right governance in place with policies, applying proper risk management frameworks. They’re also implementing at least some solutions to minimize the risks they may be exposed to, given the resources they have.
Because at the end of the day, companies in the Philippines may not have as much budget as companies in places like Singapore or Hong Kong. But I think they’re moving in the right direction.
The bigger issue is the number of small and medium businesses. SMEs make up probably 90% of companies in the Philippines. The big conglomerates are maybe less than 5% — the major banks and large corporations. But SMEs are the most exposed. They don’t have the resources or the capabilities to properly protect themselves, sometimes not even to put in the basics of security. That’s where the challenge lies.
And it’s pretty similar to what I’ve seen in Indonesia, Malaysia, and even some of the smaller companies in Hong Kong. At the end of the day, the priority for these businesses is keeping the lights on — IT operations, the basics needed to run the business. Security usually takes a back seat. It’s unfortunate, but that’s the reality. It’s similar across the region, just at different scales.
Paul Jackson: Yeah, it’s interesting. Do you think there are enough Chief Information Security Officers — CISOs — in the Philippines to fill the needs of all the organizations here?
Jay Gomez: Unfortunately, there’s a huge gap in terms of qualified CISOs. Even at the level of information security managers, directors, or leaders, there’s still a big gap. And again, it boils down to resources.
Admittedly, a lot of companies that have job openings for CISOs — especially in Singapore and Hong Kong — are offering salaries that are way higher than what’s available in the Philippines. So some of the really good ones I know have already left or are planning to leave. Not just to Singapore or Hong Kong, but also to the Middle East — places like Dubai and other Arab countries — and even to Australia and New Zealand, which are also opening doors for cybersecurity professionals.
Paul Jackson: I agree. It’s quite sad to see, because I’ve noticed that as well. There’s definitely a brain drain, unfortunately, from the Philippines of some top security talent. And I don’t know that either of us has the full answer to it — it’s just the economic reality of the industry here.
So I guess that means companies in the Philippines should be looking toward vCISO-type services or external advisory. Because with that gap in skills, companies like yours and others can provide that kind of service. They may not need a full-time, highly experienced person — who would be very costly — but instead could bring in a part-time advisor to make sure they have a robust and mature cybersecurity approach.
Jay Gomez: I agree with that, Paul. Certainly. But it really depends on company demographics — basically, who would need such services. For small and medium enterprises, I’d say 100% they should consider a virtual CISO or fractional CISO who can help lay the foundations. Because resource-wise, they might not be able to hire and maintain a full-time one.
But for larger companies, it depends on the business. If it’s a consumer-heavy business, or if it’s in critical infrastructure — like hospitals, tollways, or telecommunications — then I believe they should have an in-house cybersecurity expert. Because in any organisation, you need to understand the business context and the dynamics from the inside. So for those kinds of companies, an in-house CISO would be more ideal. For smaller ones, yes — a vCISO would be highly recommended.
Paul Jackson: I think about this in a lot of different ways, and I fully agree with you. But even for bigger companies, when they do have a CISO, how do the leadership — the CEO and the board — know that the CISO is doing a good job, when they don’t have the experience themselves to oversee?
A CEO and board will have the expertise to oversee the other business functions, but it’s rare that they have experience in cybersecurity. So they have to trust their CISO is doing a good job. Maybe there’s also room for a vCISO-type service — not to replace, but to validate and enhance. Because one person can’t know everything, even as a CISO.
I’ve always thought it gives comfort and validation to the board and C-suite if an external advisor comes in and takes a look at the programs internally.
Jay Gomez: That’s a very good point, Paul, and I totally agree. What companies can do — and what some are already doing — is set up internal audit groups that actually audit the work of information security, or even the CISO themselves. And if it’s a mature and experienced CISO, that person should already have KPIs and metrics in place, and those should be reported to senior management on a regular basis.
It’s really the CISO’s responsibility to update and apprise the board on what’s going on within the organization. The skill comes in being able to communicate whether the programs implemented are moving the needle — whether the solutions and initiatives are actually delivering return on investment. The CISO should be able to communicate that to the board.
Because trust alone isn’t enough. For senior management and the board to simply trust the CISO implicitly is not healthy. You need validation. And that’s where a second pair of eyes becomes valuable — an external, objective advisor who can assess the achievements or programs of the current CISO.
Paul Jackson: Yeah, I think we’re on the same page with that one. Let’s switch gears a little bit to talk about your community involvement as we close out the show. You’re something of a legend in ISACA, right? You’ve not only been a member for a number of years, but you’ve also volunteered to be on the board here in the Philippines, and you’re a regular speaker at events. How important is community involvement for you — and in particular, your role with ISACA?
Jay Gomez: Being a member of ISACA has been very rewarding for me. I joined back in 2010 and I’ve maintained my membership ever since. Early on, I volunteered in a number of committees.
Then, in 2016, I was nominated to be elected to the Board of Trustees. I’ve served as a trustee since then — with just a one-year gap — and I’ve also been part of committees like Professional Development, Membership, and Conference. What’s great about ISACA Philippines is that we’re able to reach not just our members, but also the wider community interested in governance, risk, and compliance.
I’ve also mentored members preparing for certifications. I teach some of the CISM courses, and I’m accredited to teach CDPSE as well. But probably the best thing I can share is that being an ISACA board member and volunteer is purely voluntary. We’re not paid — it’s all on our own time. The only “reward” is CPE hours to maintain certifications. What we really gain is experience, colleagues, and professional networks. And I’ve been doing that since 2010.
Paul Jackson: Wow. You’re such an inspiration, especially to our more junior listeners. I know you love mentoring and teaching, so let me close with this: if you could give one piece of advice to your younger self — back when you were starting your career in network support — what would it be?
Jay Gomez: Well, that’s a tough question. I guess I would probably have done more programming. Because back in the day I loved programming. But hardware is my first love — networking, infrastructure, networking endpoints.
But I probably would have focused more and learned more programming languages. I did assembly before, and C, C++, maybe a little bit of Visual Basic. But that’s about it. After that I really focused on infrastructure, networks, operations, and then became a leader or a manager after.
But I probably would have focused more on development, software development.
Paul Jackson: Got it. So you actually touched on sort of a very important point in your answer, because a lot of people enter this field, right. And there’s the technical level, which is great, of course, but you’ve made that leap, you’ve bridged that gap between being a technical person and being a leader. How do you advise those who aspire to be a leader like yourself — to be a Jay Gomez one day? What do you need to make that gap, to bridge that gap?
Jay Gomez: Maybe what I can say is that I didn’t start as a leader myself, but I was a very good follower. If my manager in Asian Institute of Management before said, “Jay, jump,” I would ask, “How high?” If he says, “Run,” “How far?” And I don’t really complain. I just take all the orders and just do it. If I found something kind of amiss, I’ll finish the job first and then complain later. But I think that’s how I started.
But I think probably the value that one must have in order to become a leader — a good leader or a great leader, for example — is actually you should be a trusted person. Because if you can’t be trusted, then you cannot be a good leader. Because it’s all about trust, especially in our line of job. If your people and your stakeholders cannot trust you, then you don’t have any place in cybersecurity or data privacy. Because once that’s blemished, then it’s not worth it anymore.
So trust is number one.
Paul Jackson: Absolutely. That’s a fantastic answer. And yeah, it’s something we live by of course in this field — trust, building trust, relationships, and credibility in our work.
I’m going to ask you one last technical question before I move on to the usual music question. But I had to come to it, right. We talked about entry-level positions and people entering the field in cybersecurity. Is there a concern that AI may be taking away some of these jobs and hence reducing the number of people who can enter at the bottom and work their way up? Because we’re talking about AI now being the next analysts in SOCs, which is a key entry point typically for cybersecurity. Do you see AI, whilst enhancing cybersecurity, as also limiting opportunities for juniors to enter the field?
Jay Gomez: I don’t believe so. I mean, at the end of the day, humans are behind the keyboard. And in every AI conference or webinar that I attended, they would always mention there’s always a human in the middle or in the line. So there should be someone who’s really validating, verifying, and making sure that AI is doing what it’s supposed to do. It’s there as a tool, but the humans should still be the ones in charge.
It’s good to have. I mean, if we had AI before, back in the day, it would have made my work much easier rather than doing those repetitive tasks. But again, I’m not saying it’s going to take away jobs. I look at it as something that would enhance the work of the security analysts. But again, us as security professionals, we should always evolve, upgrade ourselves. If I see it, then why not study it? Why not use it to your own advantage? Because it’s a tool.
But at the end of the day, you need to get your basics right. You need to learn how networks work, how websites work, how endpoints work, how patching works, and all this stuff. But use this as a tool. If you can use it to your advantage, then it’s good for you. So that’s what I can say about AI.
Paul Jackson: That’s another great answer. And thank you so much for sharing your insights.
So to our listeners, if you’ve enjoyed the show today and all the other shows, please hit that like or subscribe button on whatever platform you’re listening to this episode on. It really helps us grow the show and reach a wider audience.
And so in closing, Jay, thank you again for being part of this today. But I always ask our guests what they’re listening to currently, music-wise, because it’s my way of unwinding, right. So I always like to hear from our guests what they’re listening to. And please don’t tell me it’s Freddie Aguilar, right? What do you listen to?
Jay Gomez: Thanks for that, Paul. I think I have a very wide repertoire of music that I love. I mean, as long as it’s good to listen to, I don’t really mind who sang it, which era. But actually, I’m listening to a lot of John Mayer songs. I really like him.
Paul Jackson: Is it true that, like all Filipinos, you have an amazing singing voice and you rock the karaoke?
Jay Gomez: I can sing, but I’m not a natural singer. I’m a developed singer. But I can sing. John Mayer is the one I really like and I always listen to when I’m traveling, especially on the plane.
Paul Jackson: All right, that’s fantastic. Look, Jay, thank you so much for joining us today, a big part of the show. I hope to get you on again because we skimmed through a few topics that we could really dig into, and I’d love to go into more depth with you on those one day in the future. But thank you very much for joining us today.
Jay Gomez: You’re welcome, Paul, and thank you for inviting me over.