Marrying security with technology at First Metro

Operating as one of the largest investment banks in the Philippines, First Metro Investment Corporation has a 55-year track record in the financial market.

Such a record comes with reputation, but also expectation, that the investment arm of Metrobank Group continues to evolve at pace.

Reputation in the form of security, and expectation through new advancements in technology – a perfect marriage of protection and progress.

“Our priorities for 2019 are focused on the strengthening and implementing of technical controls to reduce risk to an acceptable level,” said Arnel Azores, Department Head of Information Security at First Metro.

Based on a recent security risk and control assessment, key focus areas include the implementation of endpoint detection and response (EDR), cloud email security and enterprise mobility management (EMM).

“We measure success in security in several ways,” Azores explained. “Firstly, is time to respond. This metrics tells us how quickly and correctly to respond to information security incidents and security violations.

“By reducing time to respond, we can reduce the impact (including cost) of the security incidents and violations.

“Secondly is time to fix software vulnerabilities. This involves measuring how long to patch or remediate software vulnerabilities from the time they are identified. This measurement help the intuitions understand the window of risk exposure.

“Thirdly, is the per cent of IT security completed on time and on budget. This metric ensures that the information security team is accountable for delivering the ever-increasing value and improvements of security postures within the organisation.”

Headquartered in Makati City, First Metro specialises in origination, structuring, execution and distribution within the Filipino investment market.

Specifically, the organisation offers products and services across debt and equity underwriting, loan syndication, project finance and financial advisory, in addition to government securities and corporate debt trading, equity brokering, asset management and research.

Spanning public and private sectors, the business has relied on technological advancements for over half a century to help mobilise capital to fuel and sustain growth, alongside driving the country’s economic development.

“We have known for years that technology will progress to the point that it will become more efficient, faster and much more economically viable,” Azores added. “In the case of robotic process automation (RPA), existing people, process and technology of the organisation might become obsolete and needs to be upgraded or eventually removed or replaced.”

In the opinion of Azores, the most disruptive technology in the market today stands tall as blockchain.

“Blockchain has very immense potential to shake up all industries, especially banking, financial and payment services industries,” he observed. “Blockchain is so advanced and revolutionary, that it will inevitably change the way we conduct all sorts of business transactions.”

Reducing risk

Since joining the organisation eight years ago, Azores created and ran the Information Security Department, a department charged with creating and maintaining the security architecture for all technology platforms.

Delving deeper, the executive is also responsible for all aspects of security engineering, architecture, vulnerability and threat management for First Metro, with an emphasis on proactive and preventive controls that continually enhance the programs ability to identify, assess and respond to security threats.

“A security leader today needs to understand how the business works at all levels,” Azores said. “If a Chief Information Security Officer [CISO] can do this, they will become invaluable partners in the business. Security leaders may also find themselves accountable for both protecting the organisation but also driving business value.”

In assessing the market within the Philippines, Azores acknowledged that CISOs face increased challenges as the number and level of sophisticated cyber attacks heighten.

For example, take the rise in phishing, ransomware, advance persistent threat (APT) and malware as areas of concern for security leaders.

“Plus, the risk brought by emerging technologies,” Azores cautioned. “It’s imperative for CISOs to always stay on top of the latest trends in IT and the cybersecurity landscape.

“But also, to implement control measures – such as administrative, physical and technical – to prevent, detect and immediately respond to cyber attacks as they occur.”

As new security threats flood the market, Azores said CISOs must be “more hands on”, while also providing “constant communication” of information security risk to not only senior management but also the entire staff within an organisation.

“This includes methods used by cyber criminals to gain access and how their actions can lead to a data breach,” Azores explained. “Even with robust cybersecurity measures in place for networks, servers, individual workstations and endpoints, and with even the very best software tools, CISOs can’t protect against the actions of users.

“Whether a user opens the wrong email or visits a malicious URL, his or her unintentional click can facilitate intrusion and the infection of the enterprise network.”