As the Executive Vice President of Digital and Technology Transformation and the Chief Information Security Officer at Mitr Phol Group, Athikom Kanchanavibhu navigates the intersections of innovation and security in the corporate world. His career, stretching over two decades, spans consulting and industry realms, punctuated by achievements such as the CIO75 ASEAN award. His expertise, backed by credentials like PMP and SAP, fuels his commitment to transcending traditional business paradigms through digital transformation strategies. These strategies, rooted in extensive research and practical know-how, propel his journey in the digital landscape. Academically, he holds an MBA and MIS from Chulalongkorn University and is currently pursuing Ph.D. studies in innovation management. Beyond his corporate responsibilities, he contributes as a speaker, panelist, and author, enriching discussions on the Advisory Board for the ASEAN Innovation Business Platform.
Recently, in an exclusive interview with Digital First Magazine, Athikom shared his professional trajectory, dual roles and responsibilities as Executive Vice President of Digital and Technology Transformation & CISO at Mitr Phol Group, the secret sauce behind his success, pearls of wisdom, and much more. The following excerpts are taken from the interview.
Athikom, please brief us about your background and areas of interest. What put you on the path to becoming a leader in the world of information security?
My journey into the realm of information security is deeply intertwined with the evolution of digital business transformation. At the heart of it, my interest has always been centered around leveraging technology to drive business growth and efficiency. The adoption of cloud computing and modern architectural frameworks has been a cornerstone of this journey, enabling seamless interoperability between diverse digital platforms and business applications.
As the digital landscape evolved, so did the complexity and sophistication of cyber risks. This became particularly evident with the introduction of smart factory initiatives and the push towards transforming customer experiences. These innovations, while pivotal for business advancement, opened new frontiers in digital vulnerability. Recognizing this, it was essential to have at the helm individuals who were not just focused on digital technology but could also weave a security-first approach into the very fabric of digital evolution. It’s like fitting a square peg in a square hole – the synergy between deep technological understanding and proactive risk management is a perfect match.
My path to becoming a leader in this field was, therefore, a natural progression. Faced with the dual challenge of fostering digital innovation and mitigating cyber risks, I found myself at the confluence of technology and security. This journey has been about more than just understanding and implementing technology; it’s been about foreseeing potential risks, navigating through them, and ensuring that every step in the digital transformation journey is grounded in robust security measures. This foresight and strategic approach have been my guiding stars in this journey through the ever-evolving world of information security.
You serve dual roles as that of Executive Vice President of Digital and Technology Transformation & CISO at Mitr Phol Group. Tell us about your roles and responsibilities within the organization.
In my dual roles at Mitr Phol Group, I navigate the intricate waters of digital and technology transformation while anchoring the ship of cybersecurity as the CISO. The essence of my responsibilities is akin to being a conductor of an orchestra, ensuring every section – from technology to people – plays in harmony to create a symphony of digital innovation and security.
My primary objective is to steer the ship of digital transformation. This journey spans from improving our top-line to bottom–line performance, similar to nurturing a plant from seed to fruit – we cover the entire ‘farm to table’ value chain. The scope of my role stretches from the internal transformations of our company to the external stakeholders, including farmers, suppliers, customers, consumers, and the community at large.
To ensure a smooth and cohesive transformation, I spearhead the development of an integrated transformation management system. This system acts as both a compass and a map, helping us to gauge our current position relative to our transformation goals, and chart out a strategic roadmap tailored for each business unit. Under my watch, we’ve set sail on over 100 transformation initiatives, each one a wave that propels us forward in areas of technology, digitalization, data analytics, AI, people, innovation, culture, and overall business performance.
But a ship is only as strong as its foundation, and that’s where my role as the CISO comes into play. I lay the keel of governance, risk management, compliance, and enterprise architecture, ensuring that our digital endeavors are not only innovative but also secure and resilient. It’s a balancing act – investing enough to keep our ventures safe and buoyant, without weighing them down with unnecessary expenditures.
In summary, my roles at Mitr Phol Group involve not just planting the seeds of digital transformation but also nurturing and safeguarding their growth. It’s about bridging the gap between where we are and where we aspire to be, all while keeping a vigilant eye on the horizon to anticipate and navigate through the choppy waters of cyber risks.
You also serve as an Advisory Board Member at Industry Platform. Can you tell us about this firm and your role in it?
As an Advisory Board Member at Industry Platform, I have the privilege of contributing to a dynamic arena that fosters digital transformation across the ASEAN region. Industry Platform serves as a pivotal connector, bridging various entities and opportunities in digital transformation.
In this role, I offer insights and perspectives to help shape the evolving digital landscape. My contributions involve identifying emerging trends that could be critical for the platform’s focus in the coming years. This task, while challenging, is also incredibly rewarding as it allows me to apply my experience in a way that might benefit a broader community.
Part of my responsibility also includes participating in speaking engagements and panel discussions. These events are invaluable for sharing knowledge and experiences, not just from my journey but from the collective wisdom of the platform. It’s a humbling experience to interact with such a diverse audience, each interaction an opportunity to learn as much as I impart.
Additionally, supporting the network of startups within Industry Platform is an aspect of my role I find particularly fulfilling. Advising and connecting these enterprises with growth opportunities is not just about guiding them; it’s about fostering a thriving ecosystem where innovation can flourish. It’s a role that constantly reminds me of the ever-changing nature of the digital world and the collective effort required to navigate it successfully.
What are some of the top challenges that businesses are facing currently when it comes to cybersecurity?
In the realm of cybersecurity, businesses today find themselves in a relentless battle, reminiscent of fighting the mythological Hydra. As soon as they address one threat, another emerges, more complex than its predecessor. The rate at which cyber attackers evolve is staggering, utilizing AI and modern technology to constantly upgrade their tactics. This constant evolution means that the landscape of cybersecurity risks is like shifting sands, always on the move.
However, the real challenge for businesses is not just the threats themselves but how they respond to them. Continuously escalating cybersecurity measures can paradoxically be a double-edged sword. Protecting digital assets is crucial, yet there’s a fine line between adequate security and excessive expenditure. Overspending on cybersecurity can lead to escalating costs, potentially burdening customers with higher prices. This situation is like walking a tightrope, balancing the need for robust defense with sensible spending.
To maintain an edge, it’s vital to refine cybersecurity strategies, making them cost-effective as well as robust. It’s about being smart and resilient, not just technologically strong. This strategy involves constantly enhancing digital defenses while also being mindful of financial implications. Additionally, the human aspect in cybersecurity is crucial. It’s imperative to arm business users and management with the knowledge and awareness to serve as the first line of defense, like building natural muscle strength to support digital armor. This is more than just equipping them with tools; it’s about nurturing the right mindset.
Ultimately, navigating the complexities of the cybersecurity world demands more than technical expertise. It requires a fusion of economic savvy, strategic business thinking, and people skills. Effective cybersecurity is about embracing change, understanding risks, and making informed decisions – a comprehensive approach that ensures optimal risk management in a digital landscape that’s always evolving.
In your experience, how have you seen the CISO job change over time, either in responsibilities or in relationships with others across the organization?
The role of a Chief Information Security Officer (CISO) in today’s digital-first world has undergone a metamorphosis, much like a caterpillar transforming into a butterfly. This evolution is not just about the expansion of responsibilities but also a significant shift in the role’s organizational dynamics.
Initially, the CISO’s position was often eclipsed by IT-centric roles like the CIO. But with the growing complexity of the digital landscape and the sophistication of cyber threats, the CISO role has emerged from the shadows. It’s transformed from a backstage technical job to a central, strategic role, often holding as much, if not more, importance than the CIO in many organizations. This shift involves moving from a purely technical focus to adopting a more comprehensive business perspective. Modern CISOs need to wear multiple hats, understanding the intricacies of cybersecurity and possessing sharp business acumen. Engaging with board members and business leaders is now a regular part of the role, requiring CISOs to view cybersecurity as an integral part of business operations.
Additionally, the increasing prominence of the CISO role is highlighted by the rise of professional communities and networks dedicated to these professionals. These platforms offer opportunities for knowledge sharing, networking, and collaborative problem-solving, showcasing the strategic importance of the CISO’s position. Moreover, a notable trend is the repositioning of the CISO role to report directly to CEOs or other senior leaders, rather than under the CIO. This change emphasizes the need for independent judgment in managing technology risks, avoiding potential conflicts of interest that might arise when balancing cybersecurity performance with IT objectives.
In summary, the CISO’s role has evolved significantly, transitioning from a primarily IT security-focused position to a front-line strategic role. It’s like being in the eye of the storm, playing a pivotal role in navigating organizations through the challenging seas of cyber threats and digital innovations.
In the age of AI, could generative technologies outpace an organization’s ability to establish effective cybersecurity measures?
In the AI era, cybersecurity is like an ever-evolving chess game, raising the question of whether generative technologies could surpass an organization’s defensive measures. This isn’t a straightforward issue. While generative AI itself may not outpace an organization’s ability to strengthen its cyber defenses, it introduces a distinctive challenge.
This scenario is comparable to an arms race in the digital realm. Attackers constantly enhance their capabilities, transitioning from conventional tactics to sophisticated AI-powered techniques. This shift demands a corresponding evolution in organizational defense strategies. Integrating generative AI into cybersecurity practices is becoming more than an option; it’s a necessity for staying competitive.
Organizations that adopt generative AI in their cybersecurity strategies can maintain pace and possibly even gain an advantage over these advanced threats. It’s about using state-of-the-art technology to counter similarly advanced threats, essentially fighting fire with fire. I believe organizations that adapt and incorporate generative AI into their cyber defenses will be better positioned to maintain equilibrium between threat and protection. This process involves not only adopting new technologies but also reshaping the cybersecurity mindset.
Ultimately, staying ahead in the AI-era cybersecurity game hinges on leveraging the power of generative AI to bolster defense mechanisms. Successfully integrating these advanced tools into cybersecurity strategies can create an optimal balance between offense and defense, enabling organizations to confidently navigate the challenging waters of AI-driven cyber threats.
How can CISOs strike a balance between enjoying the benefits of generative AI and ensuring they don’t inadvertently contribute to the rise of more sophisticated cyberattacks?
Striking a balance between harnessing the benefits of generative AI and preventing it from becoming a Trojan horse in cybersecurity is a nuanced act, one that extends beyond the purview of just CISOs. It’s a tightrope walk that requires an organization-wide approach, integrating an AI Strategy and Governance framework that encompasses ethical and safe usage of AI and generative AI.
At the foundation of this strategy, organizations need to establish robust protocols for using enterprise Generative AI. This is akin to setting up a fortified castle where the benefits of generative AI can be leveraged without the risk of exposing sensitive business data. It’s about creating a safe playground within the organizational boundaries where innovation can thrive without compromising security.
The role of the cybersecurity team in this scenario is akin to being both a gardener and a guard. They need to nurture this enterprise generative AI tool, ensuring it flourishes in a controlled environment, while also safeguarding it against any external threats. This dual role is crucial in maintaining the equilibrium between innovation and security.
Moreover, spreading awareness and providing training to business users is an indispensable part of this equation. It’s not just about handing them the tools; it’s about teaching them to wield these tools safely and responsibly. This education is imperative to ensure that the entire organization is aligned in understanding the potential risks and safe practices around the use of generative AI.
In summary, the challenge for CISOs and organizations at large is to create an ecosystem where generative AI is a wind beneath the wings of innovation, not a storm brewing on the horizon. This requires a comprehensive strategy encompassing safe usage protocols, cybersecurity vigilance, and organizational awareness, ensuring that the use of generative AI is a step forward, not a stumble in the dark.
You have successfully charted a two-decade voyage through consulting and industry landscapes and have been bestowed with prestigious accolades like the CIO75 ASEAN award. What is the secret sauce behind your success?
My two-decade journey through the varied landscapes of consulting and industry, highlighted by achievements like the CIO75 ASEAN award, has been an exhilarating adventure. The secret to this successful journey lies in a mix of relentless self-challenge, continuous learning, and the ability to connect seemingly unrelated dots to innovate and solve complex problems.
Each year of my career has been a leap out of my comfort zone, pushing boundaries and embracing challenges head-on. This approach has kept the journey not just interesting, but increasingly enriching. Like a navigator in uncharted waters, I’ve relished the opportunity to steer through unknown territories, discovering new avenues for professional growth.
In this digital age, staying relevant means being a lifelong learner. Every day is a new page, filled with opportunities to learn something novel, especially in the realms of technology, business, and people management. My fascination lies in piecing together these varied elements, much like a puzzle, to create innovative solutions that address business challenges and unlock new opportunities.
My experience, spanning consulting and corporate sectors, multinational and local companies, and spanning both the selling and buying sides of business, has been instrumental. It’s given me a panoramic view, allowing me to empathize and understand different perspectives. This ability to see the big picture and consider all angles has been crucial in developing strategies that are not only effective but also equitable for all stakeholders involved.
Therefore, if you ask about the magic ingredient in my journey, it’s a combination of never becoming complacent, continually broadening my perspectives, and weaving together different strands of knowledge to create a solution that is both functional and fair for all. This approach has been my guiding star through two decades of a fulfilling and impactful career.
What are some ways that you stay abreast with the latest developments in cybersecurity?
Staying on top of the latest developments in cybersecurity is like trying to drink from a firehose – there’s a relentless flow of information. However, I’ve found that once you’ve carved out a niche in the digital world, especially around cybersecurity, staying informed becomes a part of your daily routine.
As I navigate the vast sea of digital information, with a solid digital footprint in cybersecurity, AI algorithms become my compass, guiding me to relevant updates. These updates stream in continuously, much like water flowing through a river, via LinkedIn, Google News Feed, Bing News Feed, and other digital channels. This steady stream of information ensures I remain informed without the need for exhaustive searching.
Beyond just receiving information, active participation in the cybersecurity community plays a pivotal role. Engaging in panel discussions, executive roundtables, and being a part of various cybersecurity networks is like joining a symposium of minds. These platforms provide not just updates but also insights, experiences, and perspectives that are invaluable. They’re a fertile ground for learning and staying ahead of the curve.
In summary, keeping abreast of the ever-changing cybersecurity landscape involves a blend of proactive learning and leveraging the digital ecosystem’s capabilities. It’s about creating a network of information sources and actively engaging in the community to ensure that you’re always riding the wave of the latest trends and developments.
What are your favorite hobbies or ways to spend time outside of work?
When I step away from the hustle and bustle of my professional life, my world revolves around two main axes: my family and my passion for continuous learning and knowledge sharing.
Spending quality time with my family, particularly my three children, is the jewel in the crown of my leisure time. These moments are invaluable, providing a much-needed counterbalance to my work life.
Beyond family, my interests lie in the realms of research and writing. Developing frameworks, assessment tools, and management systems to enhance business performance is more than a hobby; it’s a cerebral exercise that keeps my mind actively engaged. This pursuit is akin to piecing together complex puzzles, each solution offering a sense of achievement and the possibility of tangible impact.
Generative AI has become an invaluable tool in this pursuit. It enhances my research productivity and provides insights that are often transformative, acting like a window into future possibilities. Writing and sharing knowledge on various platforms is another aspect of my life that I cherish. It allows me to give back to the community, sharing pieces of wisdom gleaned from my experiences.
In essence, my hobbies are extensions of my professional life, reflecting a seamless blend of personal interest and professional passion. They provide a harmonious balance to my life, enriching it with continual learning and a continuous journey of discovery and contribution.
What top security advice would you have for organizations?
In the challenging realm of cybersecurity, the most crucial advice I would offer organizations is to focus on the unknowns. It’s like being in a dark room, aware of some obstacles while others remain hidden in the darkness. The greatest dangers often lie not in the risks we know and can manage, but in the unseen, unknown risks that lurk in the shadows.
In dealing with known risks, organizations often have a playbook – actions and measures ready to be deployed. However, it’s vital to remember that what we don’t know can hurt us the most. These blind spots are the Achilles’ heel of cybersecurity; they’re where the most damaging attacks can blindside us.
My recommendation is for organizations to adopt an approach similar to the iceberg principle: allocate about 20% of time and resources to managing the known, visible aspects of cybersecurity using standard frameworks and protocols for cost-effectiveness. In contrast, the lion’s share of your focus – I would say around 80% – should be directed towards identifying and strengthening defenses against unknown risks. This strategy is about more than just searching for potential threats; it involves continuous learning and adaptation to shine a light on hidden dangers and prepare for them.
Ultimately, robust cybersecurity relies on a vigilant, proactive approach that emphasizes the discovery and preparation for unknown threats over just reinforcing defenses against known risks. It’s a journey that requires constant vigilance, adaptation, and the willingness to delve into uncharted territories of the digital landscape.