The Unseen Battlefield: A CISO's Perspective on Cybersecurity

by Robert Chin, ASUS CISO

In today's hyper-connected world, innovation thrives alongside a constant threat: cybercrime. As Chief Information Security Officer (CISO) at ASUS, I navigate this unseen battlefield, safeguarding our company and users from ever-evolving digital threats. 

From Innovation to Responsibility: The Double-Edged Sword of Technology 

The history of technology is a story of both progress and vulnerability. From the dawn of the mainframe to the ubiquitous internet, each advancement has opened doors for cybercriminals. Today, with over 450,000 new malware and potentially unwanted applications (PUAs) appearing every day, according to AV-TEST Institute, robust security is no longer a luxury but a necessity.

At ASUS, Security is Paramount 

At ASUS, innovation is in our DNA. We've pioneered across a wide range of products and solutions, and now we're embracing AI to revolutionize our products. However, this drive for progress is balanced with a deep commitment to responsible AI use and data security.

At ASUS, every business unit meticulously evaluates how to leverage AI while upholding the highest security and privacy standards. We provide comprehensive training and guidelines to our teams to mitigate risks, ensuring the security of both our data and our customers' information. 

Cybersecurity also plays a critical role within our ESG framework. Companies are increasingly required by ESG regulations to disclose their efforts to improve the safety of their products and services. That’s why our 2035 ESG strategy prioritizes strengthening our supply chain security. ASUS is also continuing to promote the ISO/IEC 27001 Information Security Management Systems (ISMS) to comply with international standards. Additionally, we comply with the European Union's GDPR in the collection, processing, and use of personal data.

At the same time, ASUS has integrated existing internal resources to facilitate cross-departmental and cross-functional communication and collaboration. We call our vision: "Building Digital Resilience, Enhancing Brand Trust: Pursuing Excellence with Security in Mind". 

The Digital Security Center: Our Cyber Defense Hub 

Two years ago, we established the ASUS Digital Security Center. This dedicated team tackles internal and external threats, fostering a culture of security by design. We focus on product security across all devices, and work closely with industry leaders like Microsoft. 

Our approach is proactive. In our monthly meetings with senior management, we evaluate how we handle security incidents. This involves detecting, analyzing, responding to, and recovering from security issues to lessen their impact and prevent future problems. We also talk about "DevSecOps" (Development, Security, and Operations), which involves integrating security into product design – often called shift-left design. This approach encourages consideration of security, testing, and validation early in development, before mass production, to save effort and address issues sooner.

The Center also makes sure that security is fully integrated into our product design process so that we can prevent vulnerabilities before products reach customers. This effort involves incorporating features like fingerprint technology and conducting rigorous security audits. 

I also established our Information Security Committee, which reports directly to the CEO and includes top executives and heads of each business unit. Monthly meetings ensure new products and solutions receive robust security measures, minimizing vulnerabilities. This collaborative approach extends beyond ASUS. 

Furthermore, ASUS has spearheaded the formation of the High-Tech Industry Information Security Alliance. This alliance unites ten leading Taiwanese high-tech corporations, fostering collaboration and knowledge sharing to fortify the industry's collective cyber defenses. 

Beyond ASUS Walls: Securing the Entire Ecosystem 

The mission of my team includes ensuring the security of ASUS offices located across eighty countries and also encompasses our supply chain. It is not enough to secure only the areas that are directly connected to our company – today’s security issues require us to take a much wider view. This is because, quite commonly, hackers who can't breach our direct systems will then try to target our supply chain instead. We've encountered issues in this area in the past and are continuously working to enhance security for our suppliers to create a more secure supply chain, which is vital for overall resilience. This philosophy also applies to our subsidiaries.

The importance of supply chain security can be seen in the SolarWinds case two years ago. Russian hackers infiltrated the company, which provided software to the U.S. government, silently stealing information for years. This incident resulted in significant consequences, including a 30% stock price drop and a US$26 million settlement with shareholders. Additionally, the U.S. Securities and Exchange Commission (SEC) sued the company for allegedly failing in its duty regarding product and corporate security. 

As far as our partners are concerned, Microsoft has had several cybersecurity incidents recently, such as the M365 email issues and vulnerabilities in some of their products. We regularly receive what's known as "Patch Tuesday" notifications from Microsoft. This is a monthly event where Microsoft issues formal notifications to all customers worldwide detailing vulnerabilities and bugs in their products, categorized by industry standards. Microsoft may address eighty to ninety issues each month in these announcements. This is a significant challenge and headache for any CEO or CISO. 

The Human Element: Why User Education Matters 

Often overlooked, human error is a significant contributor to cybersecurity breaches. According to a joint study by Stanford University and Tessian, employee mistakes account for a large portion of data breach incidents. For example, 52 percent of people clicked on a phishing email because it looked as though it had come from a senior executive at the company.  

In fact, many security issues are due to simple configuration mistakes that leave devices vulnerable. Just like the early days of complex consumer electronics, many users struggle to properly configure their devices and services, inadvertently leaving them exposed. These issues are particularly relevant now that we are entering the era of AI PCs.

At ASUS, we address these challenges through comprehensive training programs. New employees undergo cybersecurity training within three months of joining, and annual refreshers equip our entire workforce with the knowledge to protect sensitive data. Phishing simulations and social engineering exercises further raise awareness, emphasizing cybersecurity as a shared responsibility. 

The Future of Cybersecurity: A Collective Effort 

Cybersecurity is an ongoing battle, requiring constant vigilance and collaboration. By prioritizing security by design, fostering user education, and building strong industry alliances, we can create a more secure digital future for all. 

Read more about ASUS's commitment to ESG & information security:

https://esg.asus.com/en/philosophy/corporate-governance/information-security-management


Robert Chin

Chief Information Security Officer (CISO) at ASUS

About ASUS

ASUS is a global technology leader that provides the world’s most innovative and intuitive devices, components, and solutions to deliver incredible experiences that enhance the lives of people everywhere. With its team of 5,000 in-house R&D experts, the company is world-renowned for continuously reimagining today’s technologies. Consistently ranked as one of Fortune’s World’s Most Admired Companies, ASUS is also committed to sustaining an incredible future. The goal is to create a net zero enterprise that helps drive the shift towards a circular economy, with a responsible supply chain creating shared value for every one of us.

https://asus.com