I recently had the privilege of engaging in an illuminating conversation with Engineer Eduardo Justo, an innovation lab leader with 23 years of experience in the IT industry. His profound insights into the rapidly evolving cybersecurity landscape offered me a comprehensive understanding of the challenges we face today and the potential solutions that lie ahead. In an era where digital transformation is reshaping every aspect of our lives, cybersecurity has evolved from a specialized technical concern to a critical national priority.
The Modern Face of Cybersecurity
My conversation with Sir Eduardo began with a fundamental question: What exactly is cybersecurity in today's context? His response immediately expanded my understanding beyond the conventional technical definitions.
"Cybersecurity is not just a mindset," he explained, "it's about protecting ourselves from different threats. It's not just the cyber realm. It actually includes what we call social engineers."
This holistic view immediately resonated with me. Too often, cybersecurity is perceived solely through the lens of firewalls and technical safeguards, but Sir Eduardo emphasized that the human element—the vulnerability to manipulation and deception—represents an equally critical component of the security equation.
What struck me particularly was his emphasis on how cybersecurity education should start at an early age. "Even at the age of 9 years old, we need to guide children on cybersecurity so they would know how to protect themselves and identify exploitations," he noted, referencing the alarming increase in online threats targeting children during the pandemic.
This perspective reveals how cybersecurity has transcended its original boundaries to become a fundamental life skill in our digital society. The protection of our digital identities and information must now be considered as essential as physical safety, beginning from childhood.
The Paradigm Shift: From Traditional to Zero Trust
One of the most illuminating aspects of our discussion centered on the fundamental paradigm shift occurring in cybersecurity strategies—the transition from traditional "castle and moat" approaches to the Zero Trust security model.
"Traditionally, we used what we call an outside-in approach or the castle and moat security strategy," Sir Eduardo explained. "Anything outside the firewall is untrusted, and anything inside the firewall is trusted."
This conventional model served organizations adequately for years, but the pandemic exposed its vulnerabilities when remote work became the norm. As employees connected to corporate networks from home environments, the traditional perimeter-based security model proved insufficient.
"When the pandemic hit, many employees needed to work from home. That's when VPNs came in to connect to office networks," he continued. "But later on, we saw the weakness of that approach using the traditional model for work from home."
In response to these challenges, the Zero Trust model emerged as a more resilient framework. Sir Eduardo articulated this shift eloquently: "We're now introducing what we call the inside-out approach, wherein both inside and outside of the traditional network are considered untrusted by default."
This evolution represents more than a technical adjustment—it reflects a fundamental reconsideration of how we conceptualize trust in digital environments. The traditional approach relied on role-based security, determining access based on a user's predefined position. In contrast, Zero Trust implements attribute-based security, which evaluates multiple factors simultaneously.
"It's not just about who's accessing; it's now defined by attributes," Sir Eduardo elaborated. "Your identity, your laptop, your location—that's how granular access control has become. If any one of the assigned attributes doesn't match, access will be denied."
This granular approach to security resonated with me as a significant advancement. By requiring continuous verification across multiple dimensions, Zero Trust creates a more resilient security posture that better addresses the complex threat landscape organizations face today.
The Government's Cybersecurity Challenge
As our conversation progressed, we addressed a critical question: Is our government prepared to confront the increasingly sophisticated cyber threats we face today, particularly with the rise of AI-enhanced attacks?
Sir Eduardo's assessment was candid but concerning. "The government started taking notice when high-level attacks occurred that they couldn't detect," he explained. "That's when they realized they needed to move to a different approach."
This reactive posture highlights a significant challenge in governmental cybersecurity strategies—the tendency to address vulnerabilities only after they've been exploited rather than proactively strengthening defenses against emerging threats.
A particularly revealing observation emerged when Sir Eduardo discussed expertise gaps in governmental cybersecurity initiatives: "We're not moving yet. Even organizations here in the Philippines that are looking for people with knowledge in Zero Trust are struggling to find them. So what more for the government?"
This talent shortage isn't unique to the Philippines—it's a global challenge—but its impact on national security infrastructure is particularly concerning. Without access to specialized expertise in advanced security frameworks like Zero Trust, government agencies remain vulnerable to sophisticated cyber threats.
Sir Eduardo suggested a practical first step toward addressing this gap: "If government agencies have IT people, they need to start training those people in Zero Trust. Once they understand the approach and the new way of thinking about network protection, they'll see its value."
This emphasis on education and capacity building struck me as a crucial insight. Technical solutions alone cannot address cybersecurity challenges without knowledgeable professionals to implement and manage them effectively.
The Academic Gap: Cybersecurity Education
The conversation naturally progressed to the role of education in addressing cybersecurity challenges. Sir Eduardo expressed concern about the current state of cybersecurity education in Philippine academic institutions.
"I was surprised that computer engineering is now just a four-year program. Why isn't cybersecurity included to make it five years?" he questioned. "It's difficult to adapt when you're already in the industry and only then starting to learn cybersecurity."
This observation highlighted a significant gap between academic preparation and industry requirements. As cyber threats become increasingly sophisticated, educational institutions must evolve their curricula to equip graduates with the necessary skills to navigate this complex landscape.
Sir Eduardo shared his own experience to illustrate this challenge: "I needed to study cybersecurity when I was hired as an assistant IT manager in 2012. One of my tasks was to provide information security awareness training to new employees. I had to adapt quickly, and even asked my boss for training, but he said I could learn it on my own."
This sink-or-swim approach to cybersecurity education is insufficient given the critical nature of these skills in today's digital environment. Sir Eduardo advocated for a more structured approach: "We should add cybersecurity to the curriculum and bring in speakers who can provide talks about advanced cybersecurity. That way, students will be more updated."
The conversation also touched on the potential role of technical education institutions like TESDA in addressing the cybersecurity skills gap. Sir Eduardo noted the high demand for cybersecurity professionals such as threat analysts and cybersecurity analysts, suggesting that certification programs could help meet this growing need.
"We're not just talking about protecting a specific organization or government department," he emphasized. "We're looking at it on a big scale. We need to protect the entire Philippines, from LGUs to every government agency."
This national security perspective underscores the urgency of developing comprehensive cybersecurity education programs at various levels, from university degrees to technical certifications.
Cybersecurity and Law Enforcement
An interesting dimension of our conversation explored the intersection of cybersecurity and law enforcement. Sir Eduardo noted an emerging trend among criminology graduates who are increasingly pursuing IT-related studies after completing their initial degrees.
This cross-disciplinary approach makes sense in a world where cybercrime represents a growing threat. Law enforcement agencies like the AFP and PNP are actively recruiting individuals with cybersecurity expertise, recognizing that traditional policing skills must now be complemented by digital investigation capabilities.
However, Sir Eduardo identified a significant barrier to recruiting cybersecurity experts into government positions: "We have capable individuals who are guaranteed cybersecurity experts. But the chances of them working for the government are so small because one of the government's requirements is civil service eligibility."
This administrative requirement creates an additional hurdle for recruiting specialized talent. "Cybersecurity is already difficult, and then you need to take a civil service exam too," he noted, explaining why many qualified professionals choose private sector opportunities instead.
This insight highlighted the need for government agencies to reconsider traditional recruitment models and potentially develop specialized pathways for cybersecurity professionals that acknowledge their unique expertise.
AI and the Changing Threat Landscape
Perhaps the most sobering aspect of our conversation centered on how artificial intelligence is transforming the cybersecurity threat landscape. Sir Eduardo's assessment was stark: "The impact of cybersecurity is really frightening now. You can become a hacker just using AI—that's how dangerous it is."
This democratization of hacking capabilities through AI tools represents a paradigm shift in the threat landscape. Previously, sophisticated cyber attacks required specialized technical knowledge. Now, AI tools can potentially enable individuals with limited technical expertise to execute complex attacks.
Sir Eduardo also highlighted the challenge of detecting advanced threats: "That's the weakness of cybersecurity version 1.0 or the traditional method. It really can't detect something malicious if it's already inside the network."
This limitation underscores the necessity of more sophisticated approaches like Zero Trust, which maintain continuous vigilance even within supposedly secure environments. Sir Eduardo described several advanced tools that address these challenges:
"Arista is a network product that can detect what we call network worms—they hide in the network and then propagate. We also have Enable for devices, which is Zero Trust 2.0 approved, and Sail Point for identity and access management."
These advanced security tools offer improved protection, but Sir Eduardo emphasized that no solution provides absolute security: "If you're using the traditional method of cybersecurity, you are 99 percent guaranteed. But if you are using the Zero Trust approach, you are 99.99 percent protected."
While this 0.99 percent difference might seem marginal, Sir Eduardo explained its significance: "That 0.99 is a very big number especially for C-level executives like CEOs and CIOs. Being attacked or hit by ransomware is a no-no, it's a big problem."
The stakes have increased dramatically as threat actors have become more sophisticated in monetizing stolen data: "The level of thinking among harassers has changed. If they get your data, they would sell it, and we all know data is the new oil."
The Need for Proactive Governance
A compelling metaphor emerged during our conversation when Sir Eduardo compared changing cybersecurity approaches to evolving traffic behaviors: "If you see a yellow traffic light, what's your reaction? Traditionally, you would slow down. But now, the approach has changed—you need to speed up before it turns red."
This analogy brilliantly captured how cybersecurity governance must become more agile and proactive. Rather than hesitating when signs of threat appear, organizations and governments must act decisively and quickly to mitigate potential vulnerabilities.
"That's the approach I want to see in government now," he continued. "They need to adapt to that type of change. If this was the approach before, it needs to be different now."
Sir Eduardo provided a specific example of where proactive governance could make a difference: "When DeepSeek (an AI tool) was released, I advised against using it because it's made in China and might capture your data. Last week, David Bombal released a video showing that DeepSeek can lie—it denied sending data to China, but traffic analysis showed data being sent there."
This incident demonstrates how AI tools themselves can present cybersecurity risks. Sir Eduardo advocated for decisive governmental action in such cases: "The government should be more proactive. The moment something like that is released, tell all telecom companies to block it."
This proactive stance represents a significant shift from traditional regulatory approaches, which often rely on extensive analysis before taking action. In the rapidly evolving cybersecurity landscape, such deliberation may create dangerous vulnerability windows.
Modern Problems Require Modern Solutions
One of the most incisive observations from Sir Eduardo addressed a fundamental challenge in governmental approaches to technology: "We have modern problems. Unfortunately, the people leading the government are giving us traditional solutions that no longer work for our modern problems."
This disconnect between contemporary challenges and outdated responses undermines effective governance in the digital age. Sir Eduardo advocated for digital-first approaches to government services: "Almost all Filipinos know how to use smartphones and the internet. So instead of traditional solutions like fining people, make processes online."
The benefits of this approach extend beyond convenience. "Make it online so it would be easier for people to transact and at the same time it's corruption-proof," he explained. "Transactions done online are corruption-proof."
This observation highlights how digital transformation can serve multiple governance objectives simultaneously—improving service delivery while also enhancing transparency and reducing corruption opportunities.
The Need for Tech-Savvy Leadership
Our conversation culminated in a powerful vision for the future of governance in the Philippines. Sir Eduardo expressed his desire to see more IT professionals involved in government leadership positions: "I'm always dreaming that a lot of people in the IT field become interested in joining the government. We really need people who think differently—IT people think differently."
This distinctive perspective could bring fresh approaches to longstanding challenges: "If there were a greater number of IT people in the Senate and Congress, our country would actually solve those modern problems because there would be a different mindset."
The challenge, however, is attracting tech talent away from lucrative private sector opportunities. Nonetheless, Sir Eduardo emphasized the potential impact of technologically informed governance: "When IT people provide solutions, they will always be future-proof."
A Cybersecurity Party List: A Vision for 2028
As our conversation concluded, Sir Eduardo shared a bold vision for advancing cybersecurity in the Philippines—establishing a cybersecurity party list for the 2028 elections. This specialized political representation would focus exclusively on advancing digital security and governance initiatives.
"During one of our sessions in our masteral program, we had the same conversation," he recalled. "One of the recommendations was for people in the IT field to establish a party list for cybersecurity."
This innovative political approach would create a focused channel for technology experts to influence national policy. "In 2028, I will ask for help from people who can help me establish a cybersecurity party list," he declared. "Hopefully, it's not too late."
This aspiration reflects a recognition that cybersecurity has transcended its technical origins to become a critical governance issue requiring dedicated political attention. Such representation could accelerate the development of more responsive regulatory frameworks and innovative digital governance initiatives.
My overall thoughts:
My conversation with Engineer Eduardo Justo left me with a profound appreciation for the complexity of our cybersecurity challenges and the urgency of developing more robust responses. His insights illuminated not just technical vulnerabilities but also governance gaps, educational shortcomings, and leadership challenges that collectively shape our national cybersecurity posture.
Perhaps the most compelling message from our discussion was the need for collective action. Cybersecurity is no longer the exclusive domain of IT specialists—it requires engagement from educators, government leaders, law enforcement professionals, and citizens alike. As Sir Eduardo emphasized, we need people with "passion for cybersecurity" who are committed to helping our government "work on its digitalization."
The vision of a more secure digital future for the Philippines depends on our ability to embrace modern solutions to modern problems. As technology continues to evolve at an unprecedented pace, our governance approaches, educational systems, and security frameworks must evolve as well.
The establishment of a cybersecurity party list represents one potential pathway toward this future, but the broader imperative is clear: we must collectively develop the technical expertise, governance structures, and leadership capacity to navigate an increasingly complex threat landscape.
As I reflected on our conversation, I was struck by both the scale of our cybersecurity challenges and the transformative potential of addressing them effectively. By reimagining our approach to digital security, we have an opportunity not just to mitigate risks but also to build a more transparent, efficient, and responsive governance framework that better serves all Filipinos.
The journey toward this future begins with raising awareness about cybersecurity realities and possibilities—precisely the kind of illuminating dialogue that Engineer Eduardo Justo so generously shared with me. His expertise and vision offer a valuable roadmap for navigating the evolving cybersecurity landscape, and I am grateful for the opportunity to share these insights with a broader audience through this discussion.
As we face the cybersecurity challenges ahead, his central message remains resonant: modern problems require modern solutions, and developing those solutions requires technical expertise, innovative thinking, and collaborative action across all sectors of society.
0 comments