Gojek is now the ubiquitous unicorn in Southeast Asia, known not only for its ride-hailing app but also for its various forays into digital payments. Pulse Q&A spoke to the newly minted CISO George Do about his first 100 days on the job, as well as how an open, collaborative company culture can bring with it its own security pitfalls.
Pulse Q&A: Tell me George, what were the first 100 days at Gojek like? Particularly in terms of your interaction with the board.
George Do: With any new role, I start out more by listening than anything else. It’s really important in the first 100 days to build a relationship with your stakeholders. Security is about risk management. In order for me to succeed in my job I rely on key stakeholders within the company. So I need to know who those stakeholders are and build a healthy relationship with them.
Beyond that, like I said, I’m just in a listening mode, understanding where the problems are with security. In the universe of cyber security there can be problems anywhere. There are a few things it can depend on, if it’s a B2B or B2C company for example. What kind of businesses is the company into? Are there heavy regulations and things like that.
Pulse Q&A: When you mentioned listening there’s ‘passive listening’ and there’s more sort of a proactive version of listening. Having spent most of your life in the Bay Area, I’d be interested to hear what sort of cultural differences you might have come across in going to Gojek in the Asia Pacific region.
Do: I really like that question. In the Bay Area I’m used to a conversation that is very interactive, with a lot of back and forth. I would describe it as the same here, but the key difference that I see is that the impact that I or any other leader would bring to the table is very high. In some conversations, I sense that they’re looking for me to talk more, where I’m actually wanting to listen, to hear from them more. A lot of times we’re trying to tease out input from each other.
Whereas if I set the tone in meetings, I can show that I’m a really good listener who wants to learn before I make a conclusion. I just want to learn about what you’re challenged with so we can align, and then it becomes a little bit smoother. Otherwise, it can be the case that I’m here and they’re just looking for your direction. In the beginning, I want more of the reverse of that.
Pulse Q&A: Having been in the role at Gojek for a few months, do you now have a sense of what your biggest challenges are to tackle?
Do: Gojek is an Indonesian-based company with its headquarters in Jakarta, but we operate in many countries, and many more countries in the future. With that, part of our business model is being the right people in for ride-hailing. But we do so much more.
Especially within countries like Indonesia, some of those businesses are regulated, like e-wallets and payments. So one of the biggest areas is cyber compliance and privacy. When you’re a B2C and you’re dealing with partners – like drivers, food merchants – and you’re managing people’s money on your platform, there are regulations from various countries. You’re held to a standard where you have to manage security at a high level.
We’re very dynamic and we release a lot of features very quickly. One of the challenges is to make sure that what we’re doing from an architectural perspective, process perspective and implementation perspective is in line with what we’re mandated in terms of compliance and legislation. That’s a big one.
Another theme is our openness. The company is very collaborative and with that comes a legacy culture of being very open. People are just naturally friendly and they want to move fast to solve problems. There’s a need around security, education and awareness around that. It’s great to be open. Part of my job is to teach that that’s not something you can solve with a logo. It’s more of an education and process. That’s a cultural shift that will take some time to follow.
Pulse Q&A: Talk me through cloud computing and migrating to the cloud. How quick was Gojek able to accomplish that?
Do: Interestingly enough, Gojek was born in the cloud. There’s almost nothing on-prem. Most, if not all, of our applications and workloads are done in the cloud, which makes my role pretty interesting, because a big portion of my job is to make sure that our workloads are managed tooling-wise, as well as what has to be fixed and how the cloud operations are managed.
Pulse Q&A: It’s still Halloween today where I am. What’s the thing that scares you the most? What keeps you up at night?
Do: Probably having a breach that has a critical impact on the business over an extended period.
Depending on the business – you can be a hardware manufacturer, you can be a social media company, you can be a services company – regardless of what industry you’re in, if you suffer a security breach that takes you out of business for an extended amount of time, that’s the scary part.
Pulse Q&A: What’s your first reaction when there’s a breach? What are some first principles that you fall back on when there is a breach?
Do: I started out in incident response. That’s where I started my information security career, so this is near and dear to me. There’s a whole incident response maturity lifecycle that exists today. Everything from what’s your thought strategy, security operations center, what’s your SIEM strategy. How do you tool your enterprise and your production stack with the intrusion detection systems and virus systems or user behavior analysis items?
And then at the end of the day, when an incident does occur, how do you determine the severity of that incident, and what playbooks do you have at your disposal to respond to the incidents? How do you coordinate within and outside the walls of the company in that response in case it is a critical incident?
Communication becomes critical. How do you communicate to the executives or communicate to your board? How do you communicate to the internal employees and users of the organization? And then, equally importantly, is what is the response from the organization to the public to the press and to social media? Because all pressures at that point are coming from multiple sides.
What it really comes down to is: what is the impact? Because a low-level incident may not get past the security team. They’ve got it taken care of. A critical incident typically takes a lot longer and a tremendous amount of orchestration in order to respond effectively and recover from. It can be anywhere from a week to a year, depending on the severity of that incident, because at that point you’re talking about potentially bringing in third parties to help you with the investigation.
Pulse Q&A: Thank you so much for joining us today George. Really appreciate it.
Do: No problem. I enjoyed the session today.