National Cybersecurity Talent Workforce Assessment Report of the Philippines
With the support of:
This report is made possible by the support of the American people through the United States Agency for International Development (USAID).
The contents are the sole responsibility of IBM and do not necessarily reflect the views of USAID or the United States Government.
Table of Contents
Executive Summary
1. Introduction
1.1 Objective
1.2 Background
1.3 Intended Audience
1.4 Key Assumptions – Initial and Revised
1.5 Methodologies Used
2. The Current State of Cybersecurity Workforce Development in the Philippines
2.1 Current Cyber Talent Pool Status
2.2 Current Pipeline – Training Programs – Academic and Commercial
2.3 Current Cyber Career Pathways
2.4 Current Job Roles and Responsibilities
2.5 Current National Cyber Talent Framework
2.6 Current Governance/Risk/Compliance
3. The Way Forward for Cybersecurity in the Philippines
3.1 Track 1 – Incremental
3.2 Track 2 – Jumpstart/Adaptive
3.3 Major Recommendation 1 of 5: Appoint an Executive Agency for Cybersecurity
3.3.1 Ecosystem Action 1. Review and Right-size Current Cyber Laws
3.3.2 Ecosystem Action 2. Use Tax Incentives to Create Cyber Apprentice Programs with Philippine Industries
3.3.3 Ecosystem Action 3. Provide Grants to Create Cybersecurity Centers of Excellence (COE)
3.3.4 Ecosystem Action 4. Provide Vouchers for Examinations
3.3.5 Ecosystem Action 5. Provide After-the-fact 50% Scholarships to COE Graduates that Pass Selected Cyber/Privacy Examinations; and Regulate Cost of Training
3.4 Major Recommendation 2 of 5: Implement a Cybersecurity Curriculum
3.5 Major Recommendation 3 of 5: Make the Government Cyber Pay Scale Competitive
3.6 Major Recommendation 4 of 5: Enhance and Implement Cybersecurity Legal Training for Judges
3.7 Major Recommendation 5 of 5: Sponsor a Philippine National Cyber Consortium
4. Recommended Areas for Further Research and Analysis
Appendix A: The US CAE Cyber Program and Sample Curriculums
Appendix A: KU Alignment Requirements for CAE-CD
Appendix A: Examples of POS Validation Requirements
Appendix B: Interview Sources
Appendix C: Secondary Sources
Appendix D: Example Job Roles with Descriptions and Partial RACI
List of Figures
Figure 2.1-1: ASEAN CISSP Count
Figure 2.1-2: ASEAN CISSP Count, Per Million Population
Figure 2.1-3: ASEAN CISSP Count, Per Million Population (Singapore removed)
Figure 2.1-4: Top BPO Nation CISSP Count
Figure 2.1-5: Top BPO Nations – CISSP Count, Per Million Population
Figure 2.1-1: Cybersecurity Compensation Comparison
Figure 2.1-2: Outside vs Individual View
Figure 2.4-1: Cyber Forensics Job Profile
Figure 2.6-1: Cybersecurity Framework, From: DICT’s National Cybersecurity Plan 2022
Figure 3.1-1: NIST’s Approach to Security Frameworks
Figure 3.1-2: Track 1 Incremental
Figure 3.3.5-1: Jumpstart/Adaptive Five Key Ecosystem Actions
Glossary of Terms
Defensive Cybersecurity: This refers to a reactive approach to security that focuses on prevention, detection, and response to attacks.
Offensive Cybersecurity: This refers to a proactive approach to security primarily using ethical hacking.
General Cybersecurity: This approach utilizes a mix of offensive and defensive tactics (as defined above) to provide cybersecurity.
Frameworks: These are not laws, per se, but are sector-enforced sets of security controls, such as banking frameworks. Security controls can include minimal standards, mandatory tools/techniques, mandatory training, required processes/procedures, mandatory reviews/audits, etc.
Ecosystem: This refers to the highest view of an interdependent community of national and international institutions, policies, activities, and their dynamic “living” interdependencies.
Center of Excellence: As used within this report, a COE is a mark reserved for educational institutions that have met specific cybersecurity curriculum criteria which will be established by an Executive Agency for Cybersecurity.
Pipeline: As used within this report, a pipeline is any training or educational institution that instructs students in cybersecurity. These institutions can be within any Philippine business, private or state college/university, two-year vocational institution, or military.
Gap: In this context, “gap” refers to the delta/difference between the current state or status of the field, topic or institution in question, and the desired state or status of the same.
Glossary of Acronyms
APAC: Asia-Pacific
BCY: Basic Cryptography
BEACON: Better Access and Connectivity
BIR: Bureau of Internal Revenue
BMAP: Bank Marketing Association of the Philippines
BNW: Basic Networking
BPO: Business Process Outsourcing
BSP: Basic Scripting and Programming
CAE: Centers of Academic Excellence
CCICADA: Command Control and Interoperability Center for Advance Data Analysis
CHED: Commission on Higher Education
CII: Critical Information Infrastructure
CISSP: Certified Information Systems Security Professional
CISA: U.S. Cybersecurity and Infrastructure Security Agency
COE: Center of Excellence
CPE: Continuing Professional Education
CPM: Cybersecurity Planning and Management
CSA: Cyber Security Agency
CSF: Cybersecurity Foundations
CSP: Cybersecurity Principles
CTH: Cyber Threats
DICT: Department of Information and Communications Technology
DoD: Department of Defense
DND: Department of National Defense
EO: Executive Order
ESI: Electronically Stored Information
GESI: Gender Equality and Social Inclusion
GRC: Governance, Risk [Management], and Compliance
ICT: Information and Communications Technology
IMDA: Infocomm Media Development Authority
ISC: IT Systems Components
IRR: Implementing Rules and Regulations
KU: Knowledge Unit
LEDAC: Legislative-Executive Development Advisory Council
MOE: Ministry of Education
MSSP: Managed Security Services Providers
NDF: Network Defense
NICE: National Initiative for Cybersecurity Education
NIST: U.S. National Institute of Standards and Technology
NGO: Nongovernment Organization
NSA: National Security Agency
OFW: Overseas Foreign Worker
ONSS: Office of Naval Strategic Services
OSC: Operating Systems Concepts
OSSP: Organizational Structure and Staffing Plans
OTJ: On-the-Job
OTCCF: Operational Technology Cybersecurity Competency Framework
PIDS: Philippine Institute for Development Studies
PHILJA: Philippine Judicial Academy
PLE: Policy, Legal, Ethics and Compliance
PN: Philippine Navy
POLO: Philippine Overseas Labor Office
SEA: Southeast Asia
SOC: Security Operations Center
SPM: Security Program Management
SRA: Security Risk Analysis
STEM: Science, Technology, Engineering, and Mathematics
USAID: United States Agency for International Development
USCYBERCOM: United States Cyber Command
TESDA: Technical Education and Skills Development Authority
Executive Summary
This is a time when “… the internet economy hit U.S. $100 billion, having more than tripled between 2015 and 2019.”[1]

However, there is a growing global cyber-crime wave, wherein “The Philippines had the highest number of users attacked by banking Trojans—a type of malicious software—in the Asia-Pacific (APAC)”[2] and wherein the Philippines is the “[4th] most targeted country by cybercriminals in 2021.”[3] These data points and the cybersecurity information found during research suggest, unfortunately, that the Philippines is poised to jeopardize the U.S. portion of its Business Process Outsourcing (BPO) market, which is 75 percent of the $23 billion Philippine BPO market.[4]

“A growing global internet market is an opportunity for the nations that respond well to the increasing wave of cyber-crime. The nations that do not respond well to the wave of cyber-crime will at best stagnate their BPO markets, and will at worst, lose their BPO market share to other nations that prioritize cybersecurity”.

In this context, countries and economies investing in cybersecurity capacity are better equipped to weather increasing and relentless cyber-attacks and information security breaches. However, significant shortages in talent capacity exist across countries and at a global level. In 2021, estimates suggest that there are at least 3.5 million unfilled cybersecurity positions, and this number has been increasing substantially since 2013.[5] In the United States alone, there are more than 700,000 open cybersecurity positions and the shortage is even more acute in developing countries where technical talent gaps are the largest.[6]

[1] Infocomm Media Development Authority, “Accelerating Singapore’s Digital Economy.” https://www.imda.gov.sg/annualreportfy20/index.html#p=1
[2] Lacsamana, “PHL is top target of banking malware in Asia-Pacific, Kaspersky says.” https://www.bworldonline.com/technology/2021/10/15/403860/phl-is-top-target-of-banking-malware-in-asia-pacific-kaspersky-says/
[3] USAID BEACON, “Advancing Women and Diversity in the Information Security Workforce” https://sites.google.com/view/beaconactivity/women-in-infosec/webinar-materials?authuser=0
[4] Averia, et al. “Cybersecurity in the Philippines.” https://asiafoundation.org/publication/cybersecurity-in-the-philippines-global-context-and-local-challenges/
[5] Farber, “Cybersecurity Jobs Report: 3.5 Million Openings Through 2025 (einpresswire.com)”, https://www.einpresswire.com/article/556075599/cybersecurity-jobs-report-3-5-million-openings-through-2025
[6] Jones, “White House takes on cyber workforce gap through 120-day apprenticeship sprint”, https://www.cybersecuritydive.com/news/white-house-cyber-workforce-apprenticeship/627705/
IBM, in partnership with the U.S. Agency for International Development’s (USAID) Better Access and
Connectivity (BEACON) Activity, investigated the current state of the Philippines cyber workforce, and
ultimately, also studied the national ecosystem supporting that cyber workforce.
The report offers the following key points:
• The Philippines’ normalized cyber-capacity, when compared to other BPO nations and as measured
by the number of Certified Information Systems Security Professional (CISSP) certifications—
considered to be the gold standard of professional cybersecurity certifications—is only ahead of
Indonesia and Ukraine, and is behind Bulgaria, Chile, Argentina, Thailand, Mexico, Malaysia, Brazil,
Poland, India, Japan, and China.
• The Philippines’ academic pipeline, which should be providing cybersecurity graduates, is very
minor; the Philippines military-to-civilian pipeline, which should be providing trained cyber
professionals, upon retirement or resignation, back into the civilian sector, is almost non-existent.
• The Philippine Government lacks a competitive pay scale to recruit and retain cyber-talent and
privacy-talent within the government agencies.
Recent articles offer these concerns, as follows:
• “The Philippines is one of the least cybersecure countries in Asia, based on the presence of phishing sites and malware hosting platforms and average number of accidental downloads of computer virus and other malicious codes, according to a study by an online marketing firm.”[7]
• “The Marcos administration has been urged to ramp up initiatives supporting the development of the local cybersecurity workforce given the increasing need for digital protection alongside the greater use of digital platforms.”[8]
• “As it pushes forward with a digital shift to shore up collections, the [Philippines] Bureau of Internal Revenue (BIR) is looking for data scientists and cybersecurity experts to join the country’s biggest tax agency, Commissioner Lilia Guillermo said on Friday (Aug. 19).”[9]

[7] Paid, “PH among least cybersecure in Asia, says study”, https://business.inquirer.net/356065/ph-among-least-cybersecure-in-asia-says-study#ixzz7cq6fsqt8
[8] Paid, “Marcos gov’t urged to beef up local cybersecurity workforce”, https://business.inquirer.net/356326/marcos-govt-urged-to-beef-up-local-cybersecurity-workforce#ixzz7eKCTCxG6
[9] Vera, “Help Wanted at BIR: Data scientists, cybersecurity experts”, https://business.inquirer.net/358144/help-wanted-at-bir-data-scientists-cybersecurity-experts#ixzz7eKDeNak4
This report concludes that the Philippines cyber ecosystem may be deadlocked
and that if the current situation continues, the country will:
• Fail to substantially increase the size of its cyber workforce in the nation’s business market;
• Continue to have great difficulty recruiting and retaining cyber talent within the national government
departments/agencies; and
• Be unable to take advantage of a burgeoning world demand for cyber expertise
(i.e., via the Philippines’ BPO Market).
Based on the cyber challenges found thus far, and given that this report’s recommendations are for the
new Marcos Administration, the following two tracks of recommendations are offered, which are
intended to be implemented simultaneously: 1) Incremental and 2) Jumpstart/Adaptive.
Track 1—Incremental. The incremental recommendations are natural evolutions/extensions of
existing cybersecurity activities and are considered low risk. These recommendations are designed
to move the Philippines’ national cybersecurity posture forward in successive steps:
• Encourage Cyber Awareness at All Levels. Review existing programs that raise cyber awareness
among the Filipino population, beginning at the K-12 level. Survey points of coordination and
collaboration between sectors of society (e.g., industry, academia, and military) so that potential
lessons learned in one sector are visible to and absorbed by other sectors as well.
• Ensure that the Philippine Government, Especially the Department of Information and
Communications Technology (DICT), is Staffed by Competent Cybersecurity Personnel and
Cybersecurity Initiatives are Sufficiently Funded to Harden Information and Communications
Technology (ICT) Infrastructure in the Near Future. Review the DICT staffing mix to confirm the
right blend of experience and specialization so that DICT has the capability to engage and improve
directly even the hardware-dependent elements of cybersecurity.
• Move Toward Formal Adoption of a Cyber “Common Consistent Lexicon” such as that offered
by The National Initiative for Cybersecurity Education (NICE) Workforce Framework for
Cybersecurity (NICE Framework), U.S. National Institute of Standards and Technology (NIST)
Special Publication 800-181, revision 1. Provide a common language and vocabulary so that
various sectors of Filipino society are not “talking past each other” in meetings and forums meant
to foster collaboration. Consider the Operational Technology Cybersecurity Competency
Framework (OTCCF) developed by the Cyber Security Agency (CSA) Singapore as a first step.
• Ensure Filipino Citizens have the Right to Freeze their Credit. Provide viable defensive responses
in the wake of inevitable cyber-scams and -attacks; make sure laws and banking regulations permit
citizen-victims to stop and mitigate the impacts of cyber-attacks that impact
their personal credit histories.
Track 2—Jumpstart/Adaptive. The jumpstart/adaptive recommendations are designed to prime the
pump for a more robust Philippine cybersecurity ecosystem. These recommendations move the
Philippines forward by a leap that is more radical and therefore must also be adaptive.
There are five major recommendations, with five key ecosystem actions that would be assigned to the
proposed Executive Agency for Cybersecurity, which follow:
1. Appoint an Executive Agency for Cybersecurity. This Agency is the nexus for the Philippine cyber
ecosystem. Key ecosystem actions that the Agency would oversee are listed as follows:
• Review and Right-size Current Cyber Laws. Create a task force/working group to address the
current cyber laws and their right-size for the Philippines. Create recommendations to adjust/
maintain current plans, policies, controls, techniques, tools, as well as enforcement, and/or
punishments.
• Use Tax Incentives to Create Cyber Apprentice Programs within Philippine Industries. Create
criteria for a government-approved cyber apprentice program (e.g., minimum months duration,
subjects/tools covered, training provided, minimum prior cyber education required for the
apprentices, etc.). Provide sizeable tax incentives for BPO providers, the ICT providers (such as
undersea cable providers, etc.), Security Operation Centers (SOC) providers, Managed Security
Services Providers (MSSP), etc., that elect to create a government-approved cyber apprentice
program. The cyber apprentice program should require prior cyber-education but no prior cyber-
experience; and the provider-businesses must develop apprentice job descriptions/requirements
that help guide curriculum development.
• Provide Grants to Create Cybersecurity Centers of Excellence (COE). Create criteria for
government-approved cyber COEs using the cyber apprentice program job descriptions and
other market inputs. Certify pipelines (State University four-year institutions and State two-year
institutions) as COEs and provide sizeable-and-appropriate grants to start up and/or expand their
various cyber programs.
• Provide Vouchers for Examinations. Negotiate with certification organizations and purchase a block
of fully paid certification examination vouchers for key certifications (for privacy and cybersecurity).
Award one-time exam vouchers to graduates of government-approved COE pipelines. For example,
the voucher will pay for their first CISSP examination, and pay for their first CISA examination, and
so forth. The graduate pays for second attempts at passing the examination, which are not covered by the
voucher program.
• Provide After-the-fact 50 Percent Scholarships to COE Graduates that Pass Selected Cyber/
Privacy Examinations and Regulate Cost of Training. Create and fund a scholarship program.
Award 50 percent of training fees to those that pass the examination if the training was from a
COE—this is an “after-the-fact scholarship”. In turn, control the inflation of cyber-training fees
charged by a government-approved COE. Confirm that the training fees charged by the COEs remain
globally competitive and are not inflated due to the government providing after-the-fact 50 percent
scholarships.
2. Implement a Cybersecurity Curriculum. Require the Commission on Higher Education (CHED) to
develop a cybersecurity curriculum for the state universities’ undergraduate (four-year) programs
as directed by the Executive Agency for Cybersecurity. Require the Technical Education and Skills
Development Authority (TESDA) to develop a Cybersecurity Curriculum for vocational (two-year)
programs as directed by the Executive Agency for Cybersecurity.[10] Confirm a technical cyber
training specialization/track and a non-technical cyber training specialization/track that meets the
government-approved COE criteria. This is similar to a college/university offering the Management
of Information Systems track and the Computer Science track.
3. Enhance and Implement Cybersecurity Legal Training for Judges. Require the Supreme Court
to require cybersecurity legal training for the judges appointed to hear cybersecurity cases in
coordination with the Executive Agency for Cybersecurity. In turn, this recommendation may feed
back into the CHED and the Philippine Judicial Academy (PHILJA) to develop a legal cybersecurity
curriculum for future cyber judges and/or cyber-law attorneys.
4. Make the Government Cyber Pay Scale Competitive. Require the Civil Service Commission
to develop a Cybersecurity/Privacy Government Career Path with a competitive pay scale in
coordination with the Executive Agency for Cybersecurity. The competitive pay scale will help
retain cyber-talent and privacy-talent within government agencies. Develop cybersecurity job
descriptions, possible career pathways, etc., that are reflective of a mature cyber ecosystem.
Obtain exemptions to the Salary Standardization Laws, as required.
[10] One source offers that the TESDA initiatives could also be in partnership with ILO’s Women Can Do It Scholarship Program with targeted mentorship to help women gain quality employment and advancement opportunities in STEM-related jobs. This may require collaboration to ensure course offerings in cybersecurity. https://www.ilo.org/manila/aboutus/WCMS_632711/lang--en/index.htm
5. Sponsor a Philippines National Cyber Consortium. This consortium should meet every
quarter (every three months) to improve and adapt these initiatives; and to report status and
accomplishments back to the President of the Philippines. The Executive Agency should create
and chair this National Cyber Consortium to validate that the cybersecurity ecosystem is improving
and adapting to the changing Philippine and global cybersecurity market. These meetings should
include representatives from across the Philippines cyber ecosystem: Philippine Administration,
DICT, cyber organizations in the military and intelligence, cyber-law investigation/enforcement
agencies, CHED, TESDA, Department of Education (for K-12 security awareness training), Supreme
Court, COE universities/candidate universities, COE two-year institutions/candidate institutions,
industry apprentice programs, and cyber associations/cyber nongovernment organizations (NGO).
Implementing the above two tracks of actions will enable the Philippines to better withstand cyber-
crime, take advantage of the growing internet economy, and grow its share of the future BPO world
market.
The following risks exist if only Track 1 is implemented:
• Risk 1—75 percent of the $23 billion Philippines BPO market may soon be jeopardized. Without a
jumpstart for the Philippines cyber ecosystem, there is a high business risk to the Philippines’
economy, especially to the BPO sector.
• Risk 2—If cyber staff shortages continue within the Philippines, then real—not hypothetical—
negative cyber consequences will result. The authors of the global 2021 (ISC)² Cybersecurity
Workforce Study stated, “Staff shortages have real-life, real-world consequences. What are the
benefits of bridging the workforce gap? Would we really be more secure if we eliminated the
gap? To find out, we asked participants, for the first time, to share what negative impacts their
organizations have experienced because of their own cybersecurity workforce shortages.”
By contrast, there are notable benefits to implementing Track 2 via an Ecosystem View:
• Positive Result 1—An ecosystem view allows cybersecurity stakeholders to ask questions that
address issues and concerns above-and-beyond mere compliance.
• Positive Result 2—An ecosystem view allows the use of many positive levers to manipulate the
environment. The ecosystem view is above-and-beyond a classic view that noncompliance must be
met by punishment/fines.
1 Introduction
1.1 Objective
This report provides significant recommendations for
increasing the cybersecurity posture of the Philippines as
a nation over the next four years. This includes actions
to be taken primarily by the new Marcos Administration
that will affect the cybersecurity workforce of the
Philippines positively, enhance and encourage the
pipelines that instruct/develop that cyber workforce,
and help establish cybersecurity career pathways.
Furthermore, these recommendations should ultimately
also positively influence the definition of cybersecurity
roles/responsibilities, cybersecurity frameworks (such as
sector cybersecurity guidance), as well as national cyber
governance, risk management, and compliance (GRC).
Maturity of Cybersecurity. The Philippines, as a nation, must improve its cybersecurity posture to better combat the increasing global cyber threat landscape, and to set a foundation for business growth within the Philippines through a robust cybersecurity ecosystem[11]. As stated by the Department of Information and Communications Technology (DICT), “In comparison with our neighboring countries, the state of our [national] cybersecurity is still at its infancy stages”(Ref. 21)—which makes the Philippines a prime target for threat actors, cybercrime, and/or invasion of privacy, as stated by Angel S. Averia, Jr., et al.

Impact on Philippines business growth. The lack of a robust cybersecurity ecosystem limits business growth at a time when business has tripled. As stated by Angel S. Averia, Jr., et al., “In an interconnected world, the Philippines will be confined to processing low-value commodities if it does not enhance its information security game because highly developed economies will not entrust it with sensitive data for processing. Data as the ‘new oil’ should be treated as a resource that impacts economic development.”(Ref. 07)

“In the Philippines, cybersecurity is not seen as a priority yet. Because the country is still at the initial stage of digital transformation, there seems to be a misconception that threat actors do not pose as serious a threat or that the Philippines is not a target.”(Ref. 07) Cyber ‘infancy’ combined with ‘misconceptions’ may account for why one source asserts that the Philippines is the “[4th] most targeted country by cybercriminals in 2021.”(Ref. 01)

[11] The term “ecosystem,” as used here, implies the highest view of an interdependent community of national and international institutions, policies, activities, and their dynamic “living” interdependencies.

An improved national cybersecurity posture protects the
flow of information for government and business. The
track records for the safety and security of potential host
countries are a primary consideration for multi-national
corporations seeking candidate countries to provide
business services (e.g., server hosting). Eliminating data
breaches by promoting confidentiality and integrity of
data hosted within the Philippines can encourage a
rapidly growing internet economy. This improvement will,
in turn, increase cyber workforce employment and provide
a greater tax base for the government.
However, a state of cyber “infancy” and “misconceptions”
amid rising cyber-crime and during a tripled South East
Asia (SEA) market increase, implies a two-track approach
to solutions for the Philippines: (1) an incremental
track that focuses on protecting the general security
infrastructure and increasing the security awareness of
the general population, and (2) an ecosystem approach
that can bring rapid and significant improvement. The
second track of recommendations is designed to
jumpstart or prime the pump of the Philippines
cybersecurity ecosystem.

“A Google, Bain, Temasek report on SEA’s E-conomy [sic] states that in 2019, the internet economy hit U.S. $100 billion, having more than tripled between 2015 and 2019.”(Ref. 04) The need for cybersecurity within the Philippines (or any country for that matter) is well-stated by former DICT Undersecretary Eliseo Rio, Jr.: “There is no physical or economic security without cybersecurity.”(Ref. 21)

As stated by Mr. Chan Yeng Kit, Chairman, Infocomm Media Development Authority (IMDA)[12]

[12] IMDA, as described on its website: “As a statutory board in the Singapore government, it seeks to deepen regulatory capabilities for a converged infocomm media sector, safeguarding the interests of consumers and fostering pro-enterprise regulations.”

1.2 Background
IBM developed this report for the U.S. Agency for International Development’s (USAID) Better
Access and Connectivity (BEACON) Activity. BEACON promotes economic growth by improving the
country’s access and connectivity securely and transparently to information and communications
technology (ICT) infrastructure. BEACON also promotes an inclusive digital ecosystem in the
country through integrating Gender Equality and Social Inclusion (GESI) as a crosscutting objective
to enhance its key development interventions. Leveraging existing innovation and investment in the
Philippines, the project will help enhance the Philippines’ digital ecosystem by focusing
simultaneously on institutional capacity; policy, regulatory, and process improvements; and
underlying systems, infrastructure, and interoperability—all undertaken with intensive
private-sector and multi-stakeholder engagement. The result will be a stronger and more competitive
telecommunication market and digital economy needed to accelerate economic growth and regional
competitiveness; and a more diversified and inclusive workforce capable of addressing cybersecurity
challenges in a currently male-dominated field.
1.3 Intended Audience
This report is written for the new Marcos Administration, which was elected in May 2022 and took
office in July 2022; and is also written for leadership at DICT, industry, and academia.
1.4 Key Assumptions—Initial and Revised
Initial assumptions used as the basis for this report are listed below:
A. Interviews will be conducted with key resources from four key sectors: government, industry,
academia, and military.
B. Given the four sectors, the report will emphasize defensive cybersecurity for the Philippines’ cyber
workforce, with insights into offensive cybersecurity (from the military sector).
C. The report will emphasize talent development—that is, cyber workforce development. Further, the
report will not delve into cyber policy/law development nor critical infrastructure protection.
D. Early exposure to military interviewees might expose a fifth sector, namely, the Philippine
intelligence community.
Revised assumptions: As the answers, issues, and facts during the interviews of 29 personnel
selected from the different sectors of Filipino culture were compiled, assumptions were revised as
follows:
A. Interviews will be conducted with four key sectors: government, industry, academia, and military.
Access to conduct interviews with academia and military personnel will be limited.
B. Given the four sectors, the report will emphasize defensive cybersecurity for the Philippines’ cyber
workforce, with limited insights into offensive cybersecurity (from the military sector).
1.5 Methodologies Used
The IBM team interviewed 29 key personnel involved with the Philippines’ cybersecurity ecosystem
primarily in March and April 2022. The team conducted the interviews virtually. Additionally,
secondary sources were reviewed—articles, reports, slide decks, etc.—most of which were identified
by IBM or provided by USAID’s BEACON Activity, and/or the Philippine interviewees.
A system-of-systems viewpoint was initially taken with the intent to study systematically:
• The current, target/goal, and gaps of the following areas: the cyber workforce, cyber pipelines that
develop/educate the cyber workforce, cyber careers available to the graduates of the pipelines, and
cyber jobs/roles/responsibilities within those careers;
• The cyber frameworks;13 and
• The cyber GRC as shown in the national cyber laws.
Over time, it was realized that the system-of-systems view produced recommendations that would
lead to only incremental change—which is good and needed—but incremental change would not
allow the Philippines to become competitive within the growing national and international cyber
marketplace for many years.
Indeed, incremental change alone would most likely allow the highest-value data commodities and
its related business market to move to other nations. As stated by Angel S. Averia, Jr., et al, “In an
interconnected world, the Philippines will be confined to processing low-value commodities if it does
not enhance its information security game ….” (Ref. 07, our emphasis in bold)
Therefore, an ecosystem viewpoint was also taken to ascertain additional recommendations—
providing the finding that the ecosystem view provided recommendations that would jumpstart
the cybersecurity workforce within the Philippines and allow a quicker entry into the national and
international cybersecurity marketplace.
In general, interview questions related to understanding the current cyber ecosystem, revealed a
limited cyber ecosystem in the Philippines, generating the following initial concerns:
• No curriculum feedback loops between industry and academia (e.g., training alumni who leave as
overseas foreign workers [OFWs] do not return to teach, thereby taking with them potential lessons
learned from Philippine industry);
• No incentive for industry to have a multi-month apprentice program;
• No incentive for academia to ramp-up its cyber pipeline; and
• No well-funded Executive Agency for Cybersecurity to manage the feedback loops and incentive
programs.
One source has offered the following analysis:
“For the past few years, the Philippines has been in a bit of a stalemate when it comes to demand
and supply of cybersecurity skills. Demand has always been high and continuously increasing,
however the interest to pursue the field has been one of the challenges to jump start the
production of cybersecurity skills to meet the demands.
13 Frameworks are not laws, but are sector-enforced sets of security controls, such as banking frameworks.
“Cybersecurity seems to be still a niche. A good majority of people aren’t aware of it, especially
those outside of Manila. People who are aware, do not really understand it and it’s not seen as
a proper field with good job opportunities and professional growth; hence people tend to choose
other fields instead.
“…for those who recognize the importance, investing in cybersecurity skills comes with big costs,
both for the person pursuing it and also the organization.
“…Training centers do not see it [cybersecurity] as sustainable to invest in, [such as by] providing
cybersecurity courses (like investing on being a proper ISC2 Official Training Provider, etc.),
especially given the expensive costs of both investing, delivering and even selling the training itself.
“The same case applies to schools and universities seeing it [cybersecurity] as not really
sustainable to invest in [by] developing and providing cybersecurity courses to college students.
“The government’s effort on it [cybersecurity] is mostly for itself and has very little [emphasis]…
on the sustainability of cybersecurity skillset for the country as a whole and how it supports
economic growth. This lack of support has kept the market for cybersecurity skillset and trainings
in stalemate.”
The normal stream of information, trends, requirements, and suggestions that flows between
academia, industry, the military and government in a mature cybersecurity environment (feedback
loops) is missing, according to information gleaned from interviews conducted in support of this
report.
The next three text boxes explain the system view, the system-of-systems
view, and the ecosystem view using brief analogies:
The System View
Using an Automobile Analogy:
The wheel of your car is a “system”—which contains a tire, a valve stem, a
metal rim, spokes, pressurized air, and lug nuts holding the rim in place.
The System-of-Systems View
Using an Automobile Analogy:
Your entire car is a “system of systems”—which contains a drive train,
wheel systems, electrical systems, light systems, braking systems, music
systems, air conditioning system, etc.
The Ecosystem View
Using an Automobile Analogy:
Your car is an active participant within an “ecosystem”—which contains
your car, your city’s cars, your state/nation roads, the roads’ signal/
light systems, the gasoline distribution system (underground pipes,
refueling trucks, gasoline/petrol stations, oil container ships, etc.), a
legal system for traffic enforcement, multiple parts distribution systems,
auto repair systems, and buying and selling systems. In the case of the
gasoline distribution system and the parts system, the ecosystem can be
international in scope. Many of these systems can be in active competition
with each other and/or very dependent upon each other (and a single
failure of one system can be far reaching).
Constraints occurred due to the methodologies employed by the IBM
team: the educational institutions may have been overly optimistic due to
a need to promote their current courses; the DICT assisted the IBM team
with several clarifications which, in turn, may be only from the viewpoint
of DICT; and the interviewees were not supplied the questions prior to the
interview and thus their answers reflect spontaneity as opposed to well
thought-out position statements.
2. The Current State of Cybersecurity Workforce Development in the Philippines
Six years ago, a massive data breach rocked the Philippines. This breach, commonly referred to as
“COMELEAK”, involved data from roughly half of the entire Filipino population and has been covered
in the international press in detail. A few select quotes from "When a Nation is Hacked:
Understanding the Ginormous Philippines Data Breach," by the internationally recognized
cybersecurity expert, Troy Hunt, provide a snapshot of the scope and impact of the damage:
“The data consists of 76GB worth of (usually) compressed files, most notably a MySQL
backup that expands out to 338GB. There’s a raft of other .SQL files in the breach as
well ranging from a few KB up to hundreds of MB. The breadth of data in these is quite
significant; … Amongst the huge volume of data is a total of 228,605 email addresses.
This may sound like a small number out of the 55M records, but according to reports, a
lot of the sensitive data such as passport numbers belongs to a ‘mere’ 1.3M overseas
voters”.(Ref. 12)
“The Philippine Overseas Labor Office (POLO) states there are 10 million OFWs
at any given time.(Ref. 13) The average OFW is said to ‘remit’, on average,
$400 per month back to the Philippines.”
Given the importance of overseas citizens to the Philippine economy, the 2016 data breach, impacting
such a huge percentage of the entire population, carried potentially serious national economic
implications far beyond the obvious personal and political considerations.
Further, the Philippines, as a growing destination for BPO, has deep economic motivation to preserve
its reputation as a safe and reliable destination for international corporations and organizations
considering relocation of their hardware and data to the Philippines.
Traditional Sources of Cyber Strength
Given the Philippines’ status as a host of business services for multiple prominent multi-national
corporations and given its long history of cooperation with the U.S. military, the IBM team assumed
several facets of cybersecurity in the nation would be either fully developed or in the process of
maturing.
Prominent among initial assumptions, the IBM team anticipated that the following elements and
features would be either established or in progress:
• A substantial, if not fully mature, academic pipeline providing formal cybersecurity degrees and
programs at the undergraduate and graduate levels;
• Some progress toward introduction of cybersecurity concepts and skills at the K-12 education
levels;
• A military-to-industry and/or a military-to-academia career path in which cybersecurity skills and
knowledge gained while in uniform would lead to continued applicability in a post-military career;
and
• A military-to-government career path allowing for continued use and cultivation of cybersecurity
skills in a post-military career.
For reasons explored in various sections below, initial assumptions about both the pipeline and
Filipino career-paths proved incorrect. The subsections that follow explore causation and discuss the
corrected assumptions in light of input from interviews.
2.1 Current Cyber Talent Pool Status
The IBM team conducted an examination of the current cyber talent pool status via interviews, a
comparative analysis of CISSP certifications, and some miscellaneous approaches.
Interviews
While tallies of hard data indicating the Philippine-specific shortfalls of cybersecurity talent are
difficult to find, the approach of interviewing key figures within various Filipino sectors rendered
significant anecdotal evidence of talent deficits. The industry sector, which could be thought of as the
most significant customer of cybersecurity talent, produced multiple representatives who expressed
concern about a large gap between current pools of cybersecurity talent and the current and
projected needs of Filipino industry. For example, Anton Bonifacio, of GLOBE Telecom, noted,
“The requirement for cybersecurity services has certainly increased in the Philippines.
… There is a lack of talent, per se. … What is lacking are security operations analysts
and talents that are able to do the necessary, you know, whether that’s a threat hunting,
threat intelligence so on and so forth. That’s why I find myself, for example, looking for
talents, not even in the security space.” (Int. 01)
Recognition of a Philippines-specific cybersecurity talent shortfall is not limited to representatives
of industry. Professor Jocelynn Cu, of De La Salle University, indicates that recently the national
awareness of the need for robust cybersecurity has blossomed. She notes that the two short years
since the onset of COVID-19 provided a sort of “wake up” call for the country:
“I think that there’s really a lot of room for improvement, especially to the workforce. We
don’t have enough experts in that area. … I think it’s just the recent in the past two years
when they indicate that everybody became … aware of what information security is, how
to keep themselves paid. They’re shopping online doing everything online. I think that’s
the time [i.e., the COVID lockdown period] when it made everybody realize that, hey,
information security is the serious matter, but even before that we noticed that there’s
really a big demand for information security experts, but we’re not producing enough
graduate[s] for that.” (Int. 02)
Comparative Analysis of CISSP Certifications
The depth of the cyber workforce can also be measured by the number of cyber workforce
members holding professional third-party cyber certifications. The Certified Information Systems
Security Professional (CISSP) certification, issued by the International Information Systems Security
Certification Consortium ((ISC)²), the largest not-for-profit global cyber certifying organization, is
often considered the gold standard of the possible professional cyber certifications.
This is confirmed by the following statement from
Credly, an independent third-party company
that records certifications (and does not offer
the CISSP training or CISSP examination, and
therefore has no conflict of interest): “Required
by the world’s most security-conscious
organizations, CISSP is the gold-standard
information security certification….” (Ref. 25)
A certifying organization, such as (ISC)²,
CompTIA, or ISACA, serves as an independent
third-party to test an individual’s cyber
knowledge via proctored examinations. Someone
that passes the examination therefore has
demonstrated a certain level of knowledge and
understanding of selected areas of cybersecurity.
A certification shows that the holder has
passed the examination, and has the minimum
experience required by the certifying
organization. The individual then continues to
obtain Continuing Professional Education (CPE) in
order to maintain their certification.
Using the 2021 (ISC)² Cybersecurity Workforce
Study (Ref. 19), the IBM team examined the number
of cyber professionals holding the CISSP
certification.14
Marnel Peradilla, also of De La Salle
University, noted:
“The cybersecurity workforce is
very small. Okay. So, they get
consultation from these well-known
professionals in information security.
…I think the cybersecurity workforce
in general, there are few people, are
few professionals that are really good
in offensive cybersecurity, in the
offensive side. Of the professionals
here in the Philippines when they have
a chance to go abroad…if they have a
chance to, they will ‘go for it’ and they
usually don’t come back.” (Int. 03)
14 “The 2021 (ISC)² Cybersecurity Workforce Study collected survey data from a record 4,753 cybersecurity professionals working with small,
medium, and large organizations throughout North America, Europe, Latin America (LATAM) and Asia-Pacific (APAC).”
As shown in Figure 2.1-1, the Philippines’ 202 CISSP certifications compared favorably with other
ASEAN countries (except for Singapore which has 2,804 CISSP holders).
When normalized by population, the Philippines’ 202 CISSP certifications still compared favorably
with other ASEAN countries (again, except for Singapore which has 2,804 CISSP holders).
See Figure 2.1-2.
Figure 2.1-1: ASEAN CISSP Count
Figure 2.1-2: ASEAN CISSP Count, Per Million Population
Singapore is removed from Figure 2.1-3 to allow for easier comparison among the other ASEAN countries.
However, when compared to other well-known BPO countries in Figure 2.1-4, the Philippines’ 202
CISSP holders were less than Thailand, Mexico, Malaysia, Brazil, Poland, and significantly less than
India, Japan, and China.(Ref. 50a, 50b, 50c, 50d)
Figure 2.1-3: ASEAN CISSP Count, Per Million Population (Singapore Removed)
Figure 2.1-4: Top BPO Nation CISSP Count
Figure 2.1-5: Top BPO Nations—CISSP Count, Per Million Population
Using the above data, the Philippines should endeavor to gain a total of 1,212 CISSPs, which would
yield a score of 10.8 (slightly above the score of 10.6 for Bulgaria). This is a six-fold increase—that is,
202 * 6 = 1212.
Miscellaneous Approaches
Global Cyber Growth vs. Philippines Cyber Growth.
Globally, the cyber workforce gap is estimated at 2.72 million cyber positions, as reported by (ISC)²:
“For 2021, our study estimates there are 4.19 million cybersecurity professionals worldwide, which
is an increase of more than 700,000 compared to last year. By contrast, the cybersecurity workforce
gap is the number of additional professionals that organizations need to adequately defend their
critical assets. For the second consecutive year, the cybersecurity workforce gap has decreased,
down to 2.72 million compared to 3.12 million last year. Together, the cybersecurity workforce
Estimate and cybersecurity workforce gap suggest the global cybersecurity workforce needs to
grow 65 percent to effectively defend organizations’ critical assets.”(Ref. 19, our emphasis in bold)
However, as implied by the previous CISSP analysis, a six-fold increase in the cyber workforce would
more likely place the Philippines in a globally competitive position (assuming that a large number of
the six-fold increase would achieve CISSP).
While a six-fold increase may sound unachievable, it is important to note that the original U.S.
National Centers of Academic Excellence in Cybersecurity (NCAE-C) program—which
began with only seven universities in May 1999—now has 380 universities, colleges, and research
programs.
However, when BPO nations are normalized by population, the Philippines has 1.8 CISSP holders
per million population. This view in Figure 2.1-5 shows that Bulgaria, Malaysia, Poland, and Japan
are much better positioned to have a BPO market handling sensitive information. Additionally, the
Philippines is only ahead of the competition when compared to Ukraine and Indonesia.
Degree Status, STEM Education, Compensation Analysis
The 2021 (ISC)² Cybersecurity Workforce Study asks,
“What Does the Global Cybersecurity Community Look Like? With varied pathways
to cybersecurity positions, it’s hard to pin down what defines a typical cybersecurity
professional. Our survey revealed in 2021 the global cybersecurity workforce is [as follows]:
• Well-educated—86 percent have a bachelor’s degree or higher.
• Technically grounded—among those respondents with college degrees, most graduated with
degrees in STEM fields (46 percent computer science, 18 percent engineering, 3 percent
mathematics) and some from business fields (8 percent business, 4 percent finance, 3 percent
economics).
• Strongly compensated—[global] respondents reported an average salary before taxes of U.S.
$90,900—up from U.S. $83,000 among respondents in 2020, and U.S. $69,000 in 2019—with 31
percent reporting a median annual salary of U.S. $100,000 or more.” (Ref. 19)
Interview data did support that the majority of the Philippines’ cyber workforce was well-educated
and did hold a STEM degree (most often, the Bachelor of Science in Computer Science).
However, data from the Salary Expert Platform indicated that the average mid-level Filipino
cybersecurity specialist salary was ₱747,054 (PH Pesos), which is approximately $14,224 (U.S.
Dollar). (Ref. 39 and Ref. 40)
Using the Salary Expert Platform for the United States, a mid-level cybersecurity specialist earns
$110,890 (U.S. Dollar) in annual salary.(Ref. 47)
Using a simple reckoning that the Philippines’ cost-of-living is one-third of the U.S. cost-of-living (Ref. 35),
the Philippines compensation must be increased by a factor of three, to approximately $42,600,
for a valid PH vs. U.S. comparative analysis. (For ease of comparison, the U.S. salary of $110,890
is rounded up to $110,900.)
A cost-of-living adjusted comparative analysis of $42,600 vs. $110,900 is shocking (Philippines vs.
U.S., mid-level cybersecurity specialist). The difference between the two salaries is $68.3 thousand.
However, this enormous difference may help to explain the movement of cyber workforce members
from the Philippines to the U.S. markets—given that they will receive (in the average U.S. market) the
same standard of living plus an additional income of $68,300.
The difference of the $68,300 can then be invested in remittances to the Philippines, increasing the
person’s standard of living, investing in his/her education, and so forth. Granted, the Filipino working
in the United States may pay more in taxes—however, U.S. taxes will not consume the entire $68,300.
And thus, working within the United States can be extremely enticing to the cyber-trained Filipino.
The IBM team recognizes that this cost-of-living comparative analysis is ignoring psychological
motivators, such as status/achievement, power, and peer approval/affiliation. Arguably, if
remuneration differences were equalized within the framework of similar cost-of-living and similar
psychological motivators, then perhaps the cyber workforce Filipinos may be more incentivized to
stay in the Philippines and work in-country. However, this is conjecture.
On the other hand, a raw cost analysis of $14,200 vs. $110,900 can also be extremely intriguing—as
this implies a U.S. company could employ seven Filipinos (working in the Philippines) for every one
U.S. cyber workforce member (working in the United States).
See Figure 2.1-6.
[Figure panels: One US Mid-level Cybersecurity Specialist at $110,900; Seven Filipino Mid-level Cybersecurity Specialists at $14,200]
This raw analysis implies a tremendous business opportunity for explosive growth within the
Philippines’ BPO market—if the Philippines cyber ecosystem can develop and deliver equivalent
skilled graduates and an equivalent cyber-protected business infrastructure.
In summary, the individual cyber-trained Filipino can view the world of cyber-employment through
a cost-of-living comparative analysis. However, outside nations view investment in the Philippines
business market through a raw cost analysis as illustrated in Figure 2.1-7.
Figure 2.1-6: Cybersecurity Compensation Comparison
Figure 2.1-7: Outside vs Individual View
2.2 Current Pipeline—Training Programs—Academic and Commercial
The U.S. model for cybersecurity includes both functional/structural factors (educational
opportunities, legal and regulatory structures) and cultural factors (career progression opportunities
and trends). Roughly speaking, the U.S. pipeline model involves a foundation of early-career exposure
to cybersecurity concepts and skillsets via formal education and/or via military experience. Because
the United States has no cultural equivalent to the Philippines’ OFW phenomenon, the next step
beyond that foundation usually involves movement to a cybersecurity career in either industry or,
post-military career, in government.
Arguments could be made (and refuted) that the U.S.
model for a cybersecurity talent pipeline provides a
type of international standard. There are complications
with any direct emulation of the U.S. model. The POLO
(Philippine Overseas Labor Office), after describing the
10-million-plus Filipino workers abroad and their ongoing
role in the economy of the nation, lists all the following as
“reasons Filipinos work abroad”:
• They can provide income stability for their family.
• They have access to better career opportunities.
• They are able to provide for their children’s education.
• They can maximize their skill sets in order to gain better
employment through skills training and higher learning.
• They feel like they have more freedom than working in
the country because of the reasons listed above.
• They take jobs that they believe will lead to better
opportunities for themselves and their families. (Ref. 13)
Taken as a whole, these points—the credibility of which
is enhanced by the fact that they come directly from a
Philippine government office—provide deep-seated reason
to believe that traditional U.S. cyber-talent pipelines (e.g.,
widely available college programs, ex-military follow-on
careers, etc.) will not work for retaining cyber workforce
within the nation of the Philippines.
Normally the talent pipeline for a relatively new industry,
such as cybersecurity, takes its shape from the interplay
between training and education (academia) and the end-
user demand for the skillsets relevant to that new industry.
In short, while nearly all industries benefit from interaction
between formal training institutions and the workplace, a
young industry such as cybersecurity has a distinct need
for this interplay. The feedback loops provide essential
input in both directions. With Filipinos going abroad at
(or near) the completion of training due to differences in
economic opportunity and an imbalance of remuneration
levels, that interplay is broken, which threatens to destroy
vital feedback that could keep the pipeline relevant
and adequate.
“One overarching factor in
the Philippines will always
inhibit the direct transfer of
the U.S. cybersecurity talent
model from working as a
template for the Philippines—
the strong acceptance by
the Philippines of the OFW
phenomenon. Economic
opportunities abroad will
likely keep the OFW process
alive for the foreseeable
future, keeping the ‘brain
drain’ relevant.”
2.3 Current Cyber Career Pathways
Insofar as traditional cybersecurity career pathways involve a four-year undergraduate degree
followed, perhaps, by a master’s degree before moving to an industry or government position, traditional
cybersecurity career pathways barely exist in the Philippines. Only a handful of Filipino universities
offer any sort of cybersecurity degree, undergraduate or otherwise.
Likewise, there appear to be minimal military-to-industry or military-to-government career pathways
for cybersecurity. This is certainly the case, in part, because the first Philippine military units
specializing in cybersecurity were established roughly in the past five years.(Ref. 15) (Int. 04) Insufficient
time has elapsed for the first cadre of cybersecurity personnel in uniform to have made the transition
out of the military into a post-military second career. Whether or not that first cadre will elect to stay
within the country with their post-military cybersecurity skillset and experience remains an open
question and a potential area for Philippine government involvement.
It should be noted that there are some variations of military-to-industry or military-to-government
career pathways in other sectors, fortunately or otherwise (e.g., the manned/physical security
industry, because of RA 5487 and a marked preference of private security agencies to hire retired or
ex-military/police personnel).
15 This statement is based, in part, on information provided by Major Ely Tingson during the 9 May 2022 interview with Jeff Krinock. It’s
noteworthy that Major Tingson helped with the writing and publication of the Philippines’ National Cybersecurity Plan.
2.4 Current Job Roles and Responsibilities
Given the state of the cybersecurity pipeline and career pathways in the Philippines, it’s not surprising
that cybersecurity job roles and responsibilities are not defined clearly at a national level. As DICT’s
National Cybersecurity Plan 2022 notes in its conclusion, “Admittedly, the Philippines’ state of
cybersecurity is still at its infancy stage….” When the National Cybersecurity Plan 2022 does speak
to job roles and responsibilities, it covers these at a high and general level.
In a subsection named, “Develop”, the plan states: “In order to address the issue on the supply-
demand gap for cybersecurity specialists, an inventory of IT professionals working within the
government shall be conducted. While these short and midterm actions are being implemented by
DICT, the long-term direction shall be on defining and developing the cybersecurity skills needed
across the population.”
Note that even the foundational step of “defining” cybersecurity skills is listed as a “long term”
objective.
By contrast, a snapshot of another Asian country’s status with defining cybersecurity roles can be
seen in Figure 2.4-1. Singapore, arguably the “gold standard” in Asia for cybersecurity, provides
numerous detailed definitions for many cybersecurity roles, and they make these definitions and
profiles publicly available. As seen in Figure 2.4-1, Singapore takes a knowledge, skills, abilities
(KSA) approach to defining job roles and responsibilities. In addition to creating profiles for multiple
cybersecurity roles, Singapore attempts to list in table form the nuances of each role’s relevant skill
sets, sorted by Levels 1-6.
[The IBM team found no equivalent job role descriptions anywhere in the Philippines, publicly
available or otherwise. Though the Civil Service Commission is the national government agency that
sets job descriptions, there are none for cybersecurity, and ICT job descriptions currently available
are, at best, archaic.]
Figure 2.4-1: Cyber Forensics Job Profile
From: https://www.skillsfuture.gov.sg/skills-framework/security
Skills Framework for INFOCOMM Technology
Technical Skills & Competencies (TSC) Reference Document
TSC Category: Operations and User Support
TSC Title: Cyber Forensics
TSC Description: Develop and manage digital forensic investigation and reporting plan which specifies the tools, methods, procedures and practices to be used. This includes the collection, analysis and preservation of digital evidence in line with standard procedures and reporting of findings for legal proceedings
TSC Proficiency Description (Level 1 to Level 6):
Level 1: (no entry)
Level 2 (ICT-OUS-2002-1.1): Scan, retrieve and preserve digital evidence from various sources, following authorized protocols
Level 3 (ICT-OUS-3002-1.1): Coordinate the collection and preservation of evidence and analyse forensic evidence to draw inferences
Level 4 (ICT-OUS-4002-1.1): Develop a digital forensic investigation plan, and integrate analysis of evidence, outlining key conclusions, insights and recommendations
Level 5 (ICT-OUS-5002-1.1): Establish digital forensic investigation policies and protocols for the organization, and manage multiple investigations
Level 6 (ICT-OUS-6002-1.1): Define new cyber forensics tools, techniques and methodologies and lead cyber forensics investigations on an international scale
Knowledge •Types of data
devices and
storage
•Features of the
different type
of data services
storage
•Types of computer,
network and
mobile evidence
•Computer forensic
hardware and
software tools
•Procedures
used to acquire,
preserve and
maintain integrity
of evidence
for different IT
systems
•Potential internal
and external data
sources
•Range of
analytical
techniques to
examine digital
evidence
•Broad range
of computer,
network and
mobile forensic
tools and
techniques
•Statistical analysis
procedures used
to identify trends
•Legal principles
and regulations
in relation
to forensic
investigation
•End-to-end
process and
procedures
in forensics
investigation
•Critical milestones
and touchpoints
in a forensics
investigation
•Emerging and
specialized
forensic tools,
solutions and
methodologies
•Changes and
updates to
regulatory or legal
requirements
•Implications of
regulatory and
legal parameters
on forensic
investigations
•Evolving trends
in forensic
investigation
•New and
emerging trends
in the Infocomm
Technology or
related fields
•Impact and
consequences
of forensics
investigation
policies and
protocols on the
organization
•Cyber forensics
tool developers
•Cyber forensics
process
development
•International
considerations
and implications
of cyber forensics
investigation and
activities
Abilities •Access evidence
from electronic
devices using
various forensic
tools
•Extract digital
evidence from
various sources,
following
authorized
protocols
•Use forensic tools
to back-up and
preserve
•Monitor a range
of internal and
external data
sources to
identify relevant
information to
incident at hand
•Coordinate the
collection and
preservation of
digital evidence
•Develop a
digital forensic
investigation
plan, including
the tools,
processes and
methodologies to
be used
•Assess suitability
of new and
emerging forensic
•Establish
digital forensic
investigation
policies and
standards for the
organization
•Develop protocols
and Standard
Operating
Procedures (SOP)
for investigation
procedures
including
guidelines for
•Chart direction
for new cyber
forensics
techniques and
methodologies
•Establish cyber
or digital forensic
tools for adoption
©SkillsFuture Singapore and Infocomm Development Authority
Effective Date: January 2020, Version 1.1
2.5 Current National Cyber Talent Framework
Multiple opinions were encountered about frameworks related to cybersecurity in the Philippines, to
include mention of privacy frameworks, legal frameworks, national frameworks, skills frameworks,
and infrastructure frameworks. When it came to frameworks specific to cybersecurity, the team
encountered a range of opinions from “there is none” to “it’s [already] in the National Cybersecurity
Plan 2022”. To shed light on this diversity of opinions, below are select quotes taken from interviews
conducted between Feb 2022 and May 2022 in support of this report:
IBM: Describe to me the ecosystem, as you perceive it, for cybersecurity in Singapore.
Since you held that up as a good ecosystem.
Clayton Jones (ISC2): They [Singapore] have a framework on skills, you know, so, like, you have
NICE, and it’s linked. I mean, I’m not like, I’m not suggesting that every economy needs to develop
its own framework and start from scratch, but there are frameworks that are out there. And, like I
said, [an] economy can look at those.
IBM: For example, [a country] might have its own framework to be part of [a] financial
group. Do you abide by their framework? It becomes a de facto law. It’s not been enacted
by any Congress or any presidential signature. What is this current state in your mind of
either - Laws at the top level or different sector frameworks, as it pertains to cybersecurity?
Anton Bonifacio (GLOBE Telecom): Some elements of our frameworks are more mature than
others. Our privacy laws, based on the GDPR are fairly mature, but our anti-cybercrime laws
less so.
Our banking frameworks are also robust and are in use as benchmarks by others in finance.
We could benefit, however, from greater agreement on and standardization of a cybersecurity
framework that applies across multiple sectors of Philippine society.
Gen Macalinao (DICT): Yes, we definitely envision here in the [Philippines that] cybersecurity will
be a coordinated approach. In addressing the cybersecurity workforce, [we] need … something
similar to the NICE, the NICE cybersecurity workforce development framework….
Angelica Sarmiento (DOF) Department of Finance: That’s… encoded in the Philippine National
Cybersecurity Plan, … so we already have the National Cybersecurity Framework. That’s, I think,
being followed by all government offices.
IBM: [Do associations] have a framework that they’re trying to use for cybersecurity?
Joel Dabao: (Philippine Cable and Telecommunications Association, or PCTA): We would like to
have one, we don’t have one as of yet. It’s challenging to come up with frameworks… because
we’re an organization of volunteers.
IBM: [Used a similar lead-in question for the next reply]
Dr. William Yu (Ateneo De Manila University): But what we are pushing right now is, of course,
we want a regulation on [what] critical infrastructure actually is, …. Because right now… you can
be a critical infrastructure operator here and have no cybersecurity protection whatsoever. And
it’s okay. There’s not lot of require[ments] so that’s, I think that’s left for … the government or the
national frameworks …. [W]e just have to create a framework that makes it specifically cyber and
that’s actually good ….
Summary
The interviews conducted revealed a diversity of opinions about the status of cybersecurity
frameworks. These disparities indicate a current lack of:
(1) A common (national) understanding about what a cybersecurity framework is or
should be.
Explanation of (1)—Interviewees asked about their understanding of cybersecurity
frameworks alluded to variations and/or related frameworks such as legal, national,
skills and infrastructure frameworks. Each of these typically has a place as a subset
of a mature and complete cybersecurity framework but should not be confused with a
cybersecurity framework in and of itself.
(2) A sense of how a national cybersecurity framework will impact and benefit various
sectors in Philippine society and the economy.
Explanation of (2)—The National Cybersecurity Plan 2022 uses a diagram to illustrate an
overview of the cybersecurity framework (see Figure 2.6-1). The diagram itself reflects
this issue; the entire framework, as displayed, seems to indicate only government
and/or law enforcement as working elements of the framework. If other sectors of
the Philippine nation are to be active participants in the cybersecurity framework, their
roles and communications channels to/from DICT should be depicted and explained at
least at a high level.
(3) Standardization around the language and terminology used in discussion and
planning for enhanced cybersecurity.
Explanation of (3)—Interviews indicated that key terms such as “framework”,
“infrastructure”, and “career pathway” have ambiguous definitions among interviewees.
Of even greater importance will be gaining agreement about cybersecurity job
descriptions and associated lists of cybersecurity skill sets. When various sectors, e.g.,
industry and academia, agree about the various skill sets and responsibilities entailed by
any given cybersecurity job description, universities and potential employers augment the
effectiveness of the feedback loops between them.
The next section reviews the current model of the Philippines’ cybersecurity framework as illustrated
in the Philippine National Cybersecurity Plan 2022.
2.6 Current Governance/Risk/Compliance
The National Cybersecurity Plan 2022 includes the graphic in Figure 2.6-1. This high-level illustration
is labeled in the National Cybersecurity Plan 2022 as, “Figure 2: The National Cybersecurity
Framework.”
It provides a visual map of how the DICT sees the current and near-future shape of a cybersecurity
framework in the Philippines.
Figure 2.6-1: Cybersecurity Framework, From: DICT’s National Cybersecurity Plan 2022
What the cybersecurity framework provides:
As reflected in Figure 2.6-1, the framework as described in the 2022 plan:
• Describes the rough hierarchy of the organizations supporting cybersecurity in the Philippines;
• Outlines at a high level the responsibilities and roles of various organizations;
• Identifies the five key principles of cybersecurity in the Philippines—Identify, Protect, Detect,
Respond, Recover (derived from the U.S.’s NIST Cybersecurity Framework, Version 1.1); and
• Implies various working relationships between agencies essential to addressing the five principles
that form the foundation of the cybersecurity framework.
What the cybersecurity framework does not provide:
The cybersecurity framework, as depicted in Figure 2.6-1, does not provide details about the “how”
of various actions described therein. Many of these seemingly missing details become visible only in
an operational arena.
For example, the cybersecurity framework chart indicates (roughly) that the Department of National
Defense (DND) is charged with working with military networks, to include “investigating cybercrimes
under military jurisdiction.” Yet, a September 2021 CNN Philippines report of a potential cyber-attack
originating from a Philippine Army IP address appears to indicate the subsequent investigation was
handled by the DICT. (See
https://www.cnnphilippines.com/news/2021/9/24/Philippine-Army-cyber-attack-media-Bulatlat-Altermidya.html
for the article).
In partial summary, it is important to note that the following valuable details are not provided by the
cybersecurity framework as displayed in Figure 2.6-1:
• Actionable details about the interrelationships between organizations such as the DND and DICT;
• Chain-of-command details such as which specific office within a given agency or organization is, in
fact, responsible for action;
• Chain-of-command details such as which specific office within a given agency or organization is,
in fact, responsible for coordination between agencies and/or sectors of Philippine economy and
society;
• Timelines and dates for implementation of agency functionality described within the framework;
• Details related to communication, education, and building awareness of cybersecurity in the
Philippines;
• Details as to which agency, group, or organization will lead the effort to standardize language,
concepts, job role descriptions, and other elements of cybersecurity that benefit from common
understanding across sectors of society; or
• Specifics about meetings, consortiums, and outreach events and mechanisms designed to
strengthen cybersecurity understanding and mutual support both within Philippine society and
within the larger international community.
Note that Table 1, on page 23 of the National Cybersecurity Plan 2022, lists multiple bullets
indicating the respective responsibilities of various agencies. While this is a good starting point,
representatives from multiple Philippine sectors indicated during interviews that they did not
believe the existing legal and administrative structures were able to address cybersecurity incidents
adequately. It’s not clear whether their perceptions are accurate or if the problem may be a lack of
understanding or incomplete communication about options available to them in a cyber emergency.
Relatedly, Pierre Galla, of USAID’s BEACON activity, noted, “Currently, the law being referenced
is primarily the Cybercrime Prevention Act. There is no ‘National Cybersecurity and Information
Security Act’. There is also a poor understanding about the separations between cybercrime
prevention and cybersecurity, and hence the poor organization currently.”
In any case, a cybersecurity framework that provides enough contact and communication specifics to
be actionable would likely change perceptions about the status of cybersecurity in the Philippines.
3 The Way Forward for Cybersecurity in the Philippines
As mentioned above, there are two tracks that should be implemented by the Philippines National
Administration:
• Track 1—Incremental. The incremental recommendations are natural evolutions/extensions
of existing cybersecurity activities and are considered low risk. These recommendations are
designed to move the Philippines’ national cybersecurity posture forward in successive steps.
This track includes four recommendations.
• Track 2—Jumpstart/Adaptive. The jumpstart/adaptive recommendations are designed to prime
the pump for a more robust Philippine cybersecurity ecosystem. These recommendations move
the Philippines forward by a leap that is more radical and therefore must also be adaptive.
There are five major recommendations, with five key ecosystem actions assigned to the
proposed Executive Agency for Cybersecurity.
3.1 Track 1—Incremental
The Incremental Track will have a strong impact on the cybersecurity awareness culture and can
also improve gender demographics. Track 1 recommendations are summarized in Figure 3.1-2 and
described further below:
Figure 3.1-2: Track 1 Incremental
Recommendations shown in the figure:
• Encourage Cyber Awareness at all Levels
• Ensure Filipino citizens have the Right to Freeze their Credit
• Ensure that the Philippine government, Especially the DICT, is Staffed by Competent
Cybersecurity Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden ICT
Infrastructure in the Near Future
• Move Towards Formal Adoption of a Cyber “Common Consistent Lexicon” such as that
offered by the US NIST NICE Framework
Current-state elements shown in the figure:
• Philippines’ Current Job Market and Government Cyber Position Descriptions
• Philippines’ Current Cyber Laws
• DICT’s Current Staffing Level
• DICT’s Current Charter
1. Encourage Cyber Awareness at All Levels
Encouraging tech as a career choice—among children: “The idea of tech as a career choice for
women must be seeded early, even starting from the toys they play with.” said Mr. Wong Wai Meng,
Chairman of SGTech (Singapore). (Ref. 31)
Encouraging cyber awareness—among kindergarten to 12th grade: “Apart from educating parents,
Ms. Caposell [of the U.S. Cybersecurity and Infrastructure Agency (CISA)] advocates building into the
K-12 curriculum tools and resources for children to be more aware of how to use technology. This
early exposure will help parents talk to their children about keeping safe in cyberspace. Equally
important, it can inspire young girls early on to explore careers in infosec, thereby building a pipeline
of talent to grow into the workforce.” (Ref. 01)
Encouraging cyber awareness among all educational institutions: As recommended by Angel
S. Averia, Jr., et al, “Develop a cybersecurity culture by raising awareness, supporting training
and capacity building for cybersecurity talent, and instilling cybersecurity as a way of life through
educational institutions.” (Ref. 07)
Encouraging cyber awareness among employees: As offered by the authors of the Fortinet Global
Survey: “Even though the recruitment, retention, and certification of a cybersecurity team is vital,
companies cannot realistically protect themselves until they also raise the cyber awareness of
all employees. That requires ensuring that all employees, at all levels and all roles within the
organization, have the knowledge and awareness to protect themselves and their organization’s
data. Until they do, breaches will always be likely. Asian (56 percent) leaders feel employees lack
the necessary awareness. Worryingly, federal governments (69 percent) and state-level government
organizations (61 percent) feel the same way. Interestingly, local and state government organizations
(28 percent) and media organizations (25 percent) are the most likely to not have cybersecurity
awareness programs in place.” (Ref. 15, our emphasis in bold)
A national cyber-awareness campaign can include any of the following:
• Straightforward reading materials, such as those offered by the Bank Marketing Association of the
Philippines (BMAP) “Fight Fraud Together Campaign.” (See Ref. 10)
• Engaging drama, as in a short five-minute film on YouTube. (See Ref. 48)
• Using available cyber awareness games, such as Targeted Attack, Cybersecurity Lab, Cyber
Awareness Challenge, Keep Tradition Secure, Zero Threat, and Game of Threats. (Ref. 16)
• Using university computer science students to create games. A U.S. university—Texas A&M—
creates a campus-wide security game each year. (Ref. 17) Philippine universities could implement the
same process as part of a class exercise and/or as part of a national competition.
Stakeholders and Actions:
Cyber Awareness at All Levels (whole of nation approach)
• Government (education): DepEd, TESDA, CHED (supported by DICT mandate). Action: Implement
age-appropriate cyber content in curricula.
• Government (workforce): DOLE, DTI (supported by DICT mandate). Action: Promote in the private
sector cyber content appropriate to informal sector, blue collar, and white-collar workers, and cyber
content appropriate to MSMEs and larger enterprises.
2. Ensure that the Philippine government, Especially the DICT, is Staffed by Competent
Cybersecurity Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden ICT
Infrastructure in the Near Future
The DICT charter, per their National Cybersecurity Plan 2022—AN UPDATE, has four key imperatives:
Protection of Critical Infrastructures, Protection of Government, Protection of Businesses and Supply
Chains, and Protection of Individuals. (Ref. 11) These imperatives are essential to a national cybersecurity
plan.
In addition, the original DICT National Cybersecurity Plan 2022 shows the following four mission
objectives for DICT:
1. To systematically and methodically harden the Critical Information Infrastructure (CII) for
resiliency.
2. To prepare and secure government “infostructure”.
3. To raise awareness in the business sector on cyber risk and use of security measures among
businesses to prevent and protect, respond and recover from attacks.
4. To raise awareness of individuals on cyber risks among users as they are the weakest links, they
need to adopt the right norms in cybersecurity. (Ref. 21)
These mission objectives are excellent in light of international norms and trends in cybersecurity.
And on the positive side, DICT appears to be staffed for mission objective #4 “To raise awareness of
individuals….”; and is perhaps staffed for objective #3 “To raise awareness in the business sector….”.
However, given the previously referenced high-profile data breaches and the fact that the National
Cybersecurity Plan 2022 identified an incomplete cybersecurity framework, DICT does not appear
to be adequately staffed or funded for two of their critical mission objectives: “To systematically and
methodically harden the CII for resiliency” and “To prepare and secure government infostructure.”
The Marcos administration should consider examining closely the staffing and funding of DICT—and
increase that staffing and funding as required to meet mission objectives.
Identifying Solutions and Funds/Staffing to Provide Them
Existing gaps in the DICT’s desired end state for Philippines’ cybersecurity are evident in this
statement from former Assistant Secretary Allan Cabanlong (Cybersecurity and Enabling
Technologies, DICT). He offered this mission statement:
“DICT will enforce, evaluate, and constantly monitor … cybersecurity policies through regular
assessment and compliance activities, … annual cyber drills and exercises, and cybersecurity
awareness and education programs.” (Ref. 21)
Interviews conducted by the IBM team indicate that significant annual drills and assessments are
not in progress; likewise, “constant monitoring”—the definition of which is subject to debate—is not
in place to an extent that anticipates (or avoids) major data breaches (COMELEAK) or embarrassing
“Philippines’-internal” conflicts such as those covered by CNN in 2021 (See
https://www.cnnphilippines.com/news/2021/9/24/Philippine-Army-cyber-attack-media-Bulatlat-Altermidya.html
for the article).
The intentions of the statement by the former Assistant Secretary seem laudable. That is,
enforcement, evaluation, and continuous monitoring of cyber policies are essential. Regular
assessment/audit and compliance activities are vital as well.
Annual cyber drills and exercises, if more substantial than desktop or paper drills, can have an excellent
positive effect. The same can be said regarding robust cybersecurity awareness and education
programs.
The IBM team notes that the Marcos administration should consider examining closely the staffing
and funding of DICT—and increase that staffing and funding as required to meet mission objectives.
More to the point, interviews conducted by the IBM team indicate that foundational planning steps,
such as delineating clearly which government/military/NGO organization holds responsibility for which
aspects of the Cybersecurity Framework, (as depicted in Figure Y of DICT’s National Cybersecurity
Plan 2022), are not yet in place. In short, accurate estimates of actual funding and staffing shortfalls
are themselves dependent upon clearly delineated inter-governmental responsibilities. These can, and
should, be refined in the regular cybersecurity consortium meetings recommended within this report.
Lastly, a benchmark analysis was attempted to examine “Budget, Billets, Bodies, and Training” which
noted that the U.S. equivalent of DICT is the CISA. The benchmarks as provided by the U.S. CISA are
as follows:
• Budget: $3.16 billion
• Billets (Bodies plus unmanned positions): Unknown—the information is not publicly available
• Bodies: 2,500
• Training: positions appear to conform to DoD 8570, which requires specified professional cyber
certifications based on the position’s role (Ref. 34)
For further discussion on this type of benchmark analysis, please see this report’s Section 4,
“Recommended Areas for Further Research and Analysis”.
Adequate Budgets are Necessary.
As stated by Angel S. Averia, Jr., et al,
“Cybersecurity programs must also be given the necessary budget to purchase
technology solutions and, more importantly, to continuously train people and build
the capacity of the institution to identify, respond, and prevent cyber incidents.” (Ref. 07)
Again, the Marcos administration should consider examining closely the staffing and funding of DICT
and increase that staffing and funding as required to meet mission objectives.
Stakeholders and Actions:
Ensure that the Philippine Government, Especially the DICT, is Staffed by Competent Cybersecurity
Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden ICT Infrastructure in the
Near Future (whole of nation approach)
Stakeholders and Suggested Actions:
• Government (education): DepEd (supported by DICT mandate). Suggested action: Encourage primary
education learners to enter STEM tracks
• Government (education): TESDA (supported by DICT mandate). Suggested action: Develop TVET
certifications related to cybersecurity; establish Centers of Excellence like U.S. National Centers of
Academic Excellence in Cybersecurity (NCAE-C) program (discussed in IBM paper)
• Government (education): CHED (supported by DICT mandate). Suggested action: Establish BS and
higher education courses related to cybersecurity; establish Centers of Excellence similar to U.S.
National Centers of Academic Excellence in Cybersecurity (NCAE-C) program (discussed in IBM paper)
• Government (public sector workforce): CSC (supported by DICT mandate). Suggested action: Develop
for the Philippines civil service job descriptions and salary grades for cyber jobs in the Philippine
bureaucracy
• Government (public sector workforce): DBM. Suggested action: Update the Organizational Structure
and Staffing Plans (OSSPs) of the government bureaucracy to include the appropriate cyber jobs
• Government (private sector workforce): DTI (supported by DICT mandate). Suggested action: Encourage
growth of ICT sector enterprises, thereby inducing greater demand for cybersecurity professionals;
encourage growth of ICT training companies, including cybersecurity training companies (no need to
incentivize, but costs of certification should be encouraged to be reduced)
3. Move Towards Formal Adoption of a Cyber “Common Consistent Lexicon” such as
that offered by the U.S. NIST NICE Framework.
The U.S. National Institute of Standards and Technology (NIST) offers a lexicon for cybersecurity
within its NIST Special Publication 800-181 Revision 1 Workforce Framework for Cybersecurity (NICE
Framework) document. This lexicon is intended to help students, job seekers, and employees, and
to improve communication. The following key statements from the NICE Framework summarize the
Framework’s intent:
“[The NICE Framework] expresses … work as Task statements and describes Knowledge
and Skill statements that provide a foundation for learners including students, job seekers,
and employees.
The use of these statements helps students to develop skills, job seekers to demonstrate
competencies, and employees to accomplish tasks.
As a common, consistent lexicon that categorizes and describes cybersecurity work, the
NICE Framework improves communication about how to identify, recruit, develop, and
retain cybersecurity talent.” (Ref. 22)
Consider the Operational Technology Cybersecurity Competency Framework (OTCCF) developed by
CSA Singapore as a first step. Appendix D further explores why the Singapore model may be a more
moderate and successful initial lexicon for implementation by the Philippine government agencies.
See Figure 3.1-1 for an example of how NIST incorporates tasks, knowledge, and skills as building
blocks within their approach to creating cybersecurity frameworks. NIST’s standardized approach,
incorporated openly and collaboratively within organizations, can lead to standardization of language
and lexicon that facilitates effective and efficient communication.
Figure 3.1-1: NIST’s Approach to Security Frameworks
Stakeholders and Actions:
Move Towards Formal Adoption of a Cyber “Common Consistent Lexicon” such as that offered by
the U.S. NIST NICE Framework
Stakeholders and Suggested Actions:
• Government (interim standards): Office of the President. Suggested action: Transitional—as a
stopgap measure, the Office of the President could issue an Executive Order (EO) mandating the
adoption of minimum cybersecurity and information security standards, amending and expanding the
purpose/the standards set by AO 39 s. 2013 (Government Web Hosting Standards).
4. Ensure Filipino citizens have the Right to Freeze their Credit
In order to greatly reduce the chance of financial credit fraud and identity theft, the Philippine
government could also ensure that a free credit freeze is in place for all citizens, which may require
an Executive Order or legislation to be passed. As stated by CBC News, “A credit freeze locks your
credit report with TransUnion and Equifax—no one, including fraudsters, can access your credit unless
you unfreeze it.” (Ref. 49)
[For a video presentation on the effectiveness of credit monitoring vs. credit freezes, which shows
the difference between the lack of Canadian credit freeze laws and the effectiveness of the U.S.
credit freeze laws, see Ref. 49 from minute 13:13 onward.]
Stakeholders and Actions:
Ensure Philippine Citizens have the Right to Freeze their Credit
Stakeholders and Suggested Actions:
• Nongovernment organization: The Credit Information Corporation. Suggested action: The Credit
Information Corporation has implied powers under its mandate created by RA 9510 (Credit
Information System Act) to implement this recommendation, backstopped by the broad powers of the
Bangko Sentral ng Pilipinas by way of Bangko Sentral ng Pilipinas issuances to this effect
3.2 Track 2—Jumpstart/Adaptive
As stated earlier in this report, Track 1 is needed
and helpful—however, Track 1 takes years to
successfully implement. And, years equals risk
within the rapidly evolving world of cybersecurity.
The following risks apply if only Track 1 is
implemented:
Risk 1—75 percent of the $23 billion
Philippine BPO industry may soon be jeopardized.
Without a jumpstart for the Philippine cyber
ecosystem, there is a high business risk to the
Philippine economy, especially to the BPO sector.
As stated by Angel S. Averia, Jr., et al, 75 percent of
the $23 billion USD Philippine BPO industry caters
to the United States (Morales and Lima, 2016). (Ref. 07,
our emphasis in bold)
The rationale for the increase in risk is that states
within the United States are passing GDPR-like
laws. (Ref. 51) And the GDPR has a strong emphasis
on fining violators:
• Euro 225 million fine given to WhatsApp Ireland
(September 2021)
• Euro 746 million fine given to Amazon Europe
(June 2021)
• Euro 60 million fine given to Google France
(December 2020) (Ref. 52)
It is likely only a matter of time before the United
States follows the GDPR example, and ultimately,
violations followed by large fines will cause U.S.
businesses to shift to the most cyber-secure BPO
nations/suppliers.
The Philippines will almost certainly benefit by
being proactive and not reactive. As stated by
Averia, Jr., et al, “The Philippine government has to
actively play a part in enforcing ... assurances that
data and the transmission of such are safe in the
Philippines.” (Ref. 07)
Former National Security Advisor and National
Security Council Director General Hermogenes
Esperon, Jr. states, “Ensuring that cybersecurity is in
place and addressed by the Philippine government
also has implications on our economic security.
Other governments and businesses would have
more confidence in our processes, businesses, and
government if we have more robust and responsive
cybersecurity.” (Ref. 21)
Within the Rapidly Evolving World of Cybersecurity: Years to Implement = Risk
Risk 2—If cyber staff shortages
continue within the Philippines, then
real—not hypothetical— negative cyber
consequences will result.
The authors of the global 2021 (ISC)²
Cybersecurity Workforce Study stated,
“Staff shortages have real-life, real-world
consequences. What are the benefits of bridging
the workforce gap? Would we really be more
secure if we eliminated the gap? To find out, we
asked participants, for the first time, to share
what negative impacts their organizations have
experienced because of their own cybersecurity
workforce shortages.”
“The 2021 study confirms, from the perspective
of the global cybersecurity workforce, that when
cybersecurity staff is stretched thin, the negative
consequences are real:
• Misconfigured systems (32 percent);
• Slow patch cycles (29 percent);
• Rushed deployments (27 percent);
• Not enough time for proper risk assessment
(30 percent);
• Not enough oversight of processes and
procedures (28 percent)….
“The list of issues cybersecurity professionals
say can be prevented with enough people covers
many root causes of reported data breaches and
ransomware attacks.” (Ref. 19, our emphasis in bold)
If Only Track 1 Is
Implemented, Then There
Are Risks:
1. 75 percent of the $23 billion
Philippine BPO industry may
soon be jeopardized.
2. If cyber staff shortages
continue within the Philippines,
then real—not hypothetical—
negative cyber consequences
will result.
What are some of the positives of
implementing Track 2 via an Ecosystem
View?
Positive Result 1. An ecosystem view allows
us to ask questions above-and-beyond
compliance.
An ecosystem view allows us to
question how to make an environment:
• That is conducive to desired growth
(incentives);
• That will reduce unwanted competitors;
• That will protect the product (which, in this
case, is data) and human life; and
• That will provide inputs/outputs/feedback
loops for adaptation.
The ecosystem view is above-and-beyond a
classic view of government which focuses on
laws and compliance.
Classic View:
1. The focus is on Laws and
Compliance.
Ecosystem View:
1. Can also focus on desired
growth, competitors,
protections, and inputs/outputs/
feedback loops for adaptation.
Page 41
Positive Result 2. An ecosystem view
allows the use of positive levers to
manipulate the environment.
Ecosystem view of positive levers:
• Incentives that will encourage businesses to
make changes that are conducive to growth;
• Grants and recognition that will encourage
academia to update curriculum; and
• Scholarships that will encourage student
investment in their education.
The ecosystem view is above-and-beyond a
classic view that noncompliance must be met
by punishment/fines.
The jumpstart/adaptive recommendations are
designed to “prime the pump” for a more robust
Philippine cybersecurity ecosystem. These
recommendations move the Philippines forward
by a “leap” that is more radical and therefore
must also be adaptive. There are five major
recommendations, with five key ecosystem
actions assigned to the proposed Executive
Agency for Cybersecurity, which are discussed
in the following sections.
Classic View:
1. Noncompliance must be
met by punishment or fines.
Ecosystem View:
1. Noncompliance can also
be met with incentives:
tax incentives, grants,
scholarships, etc.
Page 42
3.3 Major Recommendation 1 of 5: Appoint an Executive Agency for Cybersecurity.
This agency will be the nexus for the Philippines cyber ecosystem.
The current DICT is limited by its emphasis/charter, which shows four key imperatives: Protection of
Critical Infrastructures, Protection of Government, Protection of Businesses and Supply Chains, and
Protection of Individuals. (Ref. 11)
All four of these imperatives are necessary and beneficial.
However, jumpstarting the Philippine cyber ecosystem depends upon an Executive Agency that is
staffed and funded for ecosystem actions that are above and beyond the DICT charter’s emphasis of
protection. Therefore, it is recommended that an Executive Agency for Cybersecurity be created.
It is understood that, as an example, the Philippine Government has an executive agency for data
privacy, the National Privacy Commission, formed by RA 10173.
It is further understood that a similar nexus for competition/antitrust is the Philippine Competition
Commission, formed by RA 10667.
An Executive Agency can be given sufficiently broad scope and powers to accomplish its
mission.
The Executive Agency should implement the following ecosystem actions:
1. Review and Right-size Current Cyber Laws.
2. Use tax incentives to create cyber apprentice programs within Philippine industries.
3. Provide grants to create cybersecurity COE.
4. Provide vouchers for examinations.
5. Provide after-the-fact 50 percent scholarships to COE graduates that pass selected cyber/privacy
examinations; and regulate cost of training.
Additionally, the recommended Executive Agency for Cybersecurity should chair the National
Cybersecurity Consortium that will improve and adapt these recommendations every quarter (every
three months).
The five ecosystem actions of Track 2 are shown in Figure 3.3-1 with the major input lines, processes,
output lines, and feedback lines.
  • 3. Page ii List of Figures Figure 2.1-1: ASEAN CISSP Count......................................................................................................................16 Figure 2.1-2: ASEAN CISSP Count, Per Million Population.................................................................................16 Figure 2.1-3: ASEAN CISSP Count, Per Million Population (Singapore removed).............................................. 17 Figure 2.1-4: Top BPO Nation CISSP Count........................................................................................................ 17 Figure 2.1-5: Top BPO Nations – CISSP Count, Per Million Population..............................................................18 Figure 2.1-1: Cybersecurity Compensation Comparison....................................................................................20 Figure 2.1-2: Outside vs Individual View.............................................................................................................21 Figure 2.4-1: Cyber Forensics Job Profile...........................................................................................................25 Figure 2.6-1: Cybersecurity Framework, From: DICT’s National Cybersecurity Plan 2022..............................28 Figure 3.1-1: NIST’s Approach to Security Frameworks.....................................................................................22 Figure 3.1-2: Track 1 Incremental.......................................................................................................................30 Figure 3.3.5-1: Jumpstart/Adaptive Five Key Ecosystem Actions.....................................................................43
Page iii
Glossary of Terms
Term: Definition
Defensive Cybersecurity: This refers to a reactive approach to security that focuses on prevention, detection, and response to attacks.
Offensive Cybersecurity: This refers to a proactive approach to security primarily using ethical hacking.
General Cybersecurity: This approach utilizes a mix of offensive and defensive tactics (as defined above) to provide cybersecurity.
Frameworks: These are not laws, per se, but are sector-enforced sets of security controls, such as banking frameworks. Security controls can include minimal standards, mandatory tools/techniques, mandatory training, required processes/procedures, mandatory reviews/audits, etc.
Ecosystem: This refers to the highest view of an interdependent community of national and international institutions, policies, activities, and their dynamic “living” interdependencies.
Center of Excellence: As used within this report, a COE is a mark reserved for educational institutions that have met specific cybersecurity curriculum criteria which will be established by an Executive Agency for Cybersecurity.
Pipeline: As used within this report, a pipeline is any training or educational institution that instructs students in cybersecurity. These institutions can be within any Philippine business, private or state college/university, two-year vocational institution, or military.
Gap: In this context, “gap” refers to the delta/difference between the current state or status of the field, topic or institution in question, and the desired state or status of the same.
Page iv
Glossary of Acronyms
Acronym: Expansion
APAC: Asia-Pacific
BCY: Basic Cryptography
BEACON: Better Access and Connectivity
BIR: Bureau of Internal Revenue
BMAP: Bank Marketing Association of the Philippines
BNW: Basic Networking
BPO: Business Process Outsourcing
BSP: Basic Scripting and Programming
CAE: Centers of Academic Excellence
CCICADA: Command Control and Interoperability Center for Advance Data Analysis
CHED: Commission on Higher Education
CII: Critical Information Infrastructure
CISSP: Certified Information Systems Security Professional
CISA: U.S. Cybersecurity and Infrastructure Security Agency
COE: Center of Excellence
CPE: Continuing Professional Education
CPM: Cybersecurity Planning and Management
CSA: Cyber Security Agency
CSF: Cybersecurity Foundations
CSP: Cybersecurity Principles
CTH: Cyber Threats
DICT: Department of Information and Communications Technology
DoD: Department of Defense
DND: Department of National Defense
EO: Executive Order
ESI: Electronically Stored Information
GESI: Gender Equality and Social Inclusion
Page v
GRC: Governance, Risk [Management], and Compliance
ICT: Information and Communications Technology
IMDA: Infocomm Media Development Authority
ISC: IT Systems Components
IRR: Implementing Rules and Regulations
KU: Knowledge Unit
LEDAC: Legislative-Executive Development Advisory Council
MOE: Ministry of Education
MSSP: Managed Security Services Providers
NDF: Network Defense
NICE: National Initiative for Cybersecurity Education
NIST: U.S. National Institute of Standards and Technology
NGO: Nongovernment Organization
NSA: National Security Agency
OFW: Overseas Foreign Worker
ONSS: Office of Naval Strategic Services
OSC: Operating Systems Concepts
OSSP: Organizational Structure and Staffing Plans
OTJ: On-the-Job
OTCCF: Operational Technology Cybersecurity Competency Framework
PIDS: Philippine Institute for Development Studies
PHILJA: Philippine Judicial Academy
PLE: Policy, Legal, Ethics and Compliance
PN: Philippine Navy
POLO: Philippine Overseas Labor Office
SEA: Southeast Asia
Page vi
SOC: Security Operations Center
SPM: Security Program Management
SRA: Security Risk Analysis
STEM: Science, Technology, Engineering, and Mathematics
USAID: United States Agency for International Development
USCYBERCOM: United States Cyber Command
TESDA: Technical Education and Skills Development Authority
Page 1
Executive Summary
This is a time when “… the internet economy hit U.S. $100 billion, having more than tripled between 2015 and 2019.”[1] However, there is a growing global cyber-crime wave, wherein “The Philippines had the highest number of users attacked by banking Trojans—a type of malicious software—in the Asia-Pacific (APAC)”[2] and wherein the Philippines is the “[4th] most targeted country by cybercriminals in 2021.”[3] These data points and the cybersecurity information found during research suggest, unfortunately, that the Philippines is poised to jeopardize the U.S. portion of its Business Process Outsourcing (BPO) market, which is 75 percent of the $23 billion Philippine BPO market.[4]

“A growing global internet market is an opportunity for the nations that respond well to the increasing wave of cyber-crime. The nations that do not respond well to the wave of cyber-crime will at best stagnate their BPO markets, and will at worst, lose their BPO market share to other nations that prioritize cybersecurity.”

In this context, countries and economies investing in cybersecurity capacity are better equipped to weather increasing and relentless cyber-attacks and information security breaches. However, significant shortages in talent capacity exist across countries and at a global level. In 2021, estimates suggest that there are at least 3.5 million unfilled cybersecurity positions, and this number has been increasing substantially since 2013.[5] In the United States alone, there are more than 700,000 open cybersecurity positions and the shortage is even more acute in developing countries where technical talent gaps are the largest.[6]

[1] Infocomm Media Development Authority, “Accelerating Singapore’s Digital Economy.” https://www.imda.gov.sg/annualreportfy20/index.html#p=1
[2] Lacsamana, “PHL is top target of banking malware in Asia-Pacific, Kaspersky says.” https://www.bworldonline.com/technology/2021/10/15/403860/phl-is-top-target-of-banking-malware-in-asia-pacific-kaspersky-says/
[3] USAID BEACON, “Advancing Women and Diversity in the Information Security Workforce” https://sites.google.com/view/beaconactivity/women-in-infosec/webinar-materials?authuser=0
[4] Averia, et al. “Cybersecurity in the Philippines.” https://asiafoundation.org/publication/cybersecurity-in-the-philippines-global-context-and-local-challenges/
[5] Farber, “Cybersecurity Jobs Report: 3.5 Million Openings Through 2025 (einpresswire.com)”, https://www.einpresswire.com/article/556075599/cybersecurity-jobs-report-3-5-million-openings-through-2025
[6] Jones, “White House takes on cyber workforce gap through 120-day apprenticeship sprint”, https://www.cybersecuritydive.com/news/white-house-cyber-workforce-apprenticeship/627705/
Page 2
IBM, in partnership with the U.S. Agency for International Development’s (USAID) Better Access and Connectivity (BEACON) Activity, investigated the current state of the Philippines cyber workforce, and ultimately, also studied the national ecosystem supporting that cyber workforce. The report offers the following key points:
• The Philippines’ normalized cyber-capacity, when compared to other BPO nations and as measured by the number of Certified Information Systems Security Professional (CISSP) certifications—considered to be the gold standard of professional cybersecurity certifications—is only ahead of Indonesia and Ukraine, and is behind Bulgaria, Chile, Argentina, Thailand, Mexico, Malaysia, Brazil, Poland, India, Japan, and China.
• The Philippines’ academic pipeline, which should be providing cybersecurity graduates, is very minor; the Philippines military-to-civilian pipeline, which should be providing trained cyber professionals, upon retirement or resignation, back into the civilian sector, is almost non-existent.
• The Philippine Government lacks a competitive pay scale to recruit and retain cyber-talent and privacy-talent within the government agencies.

Recent articles offer these concerns, as follows:
• “The Philippines is one of the least cybersecure countries in Asia, based on the presence of phishing sites and malware hosting platforms and average number of accidental downloads of computer virus and other malicious codes, according to a study by an online marketing firm.”[7]
• “The Marcos administration has been urged to ramp up initiatives supporting the development of the local cybersecurity workforce given the increasing need for digital protection alongside the greater use of digital platforms.”[8]
• “As it pushes forward with a digital shift to shore up collections, the [Philippines] Bureau of Internal Revenue (BIR) is looking for data scientists and cybersecurity experts to join the country’s biggest tax agency, Commissioner Lilia Guillermo said on Friday (Aug. 19).”[9]

[7] Paid, “PH among least cybersecure in Asia, says study”, https://business.inquirer.net/356065/ph-among-least-cybersecure-in-asia-says-study#ixzz7cq6fsqt8
[8] Paid, “Marcos gov’t urged to beef up local cybersecurity workforce”, https://business.inquirer.net/356326/marcos-govt-urged-to-beef-up-local-cybersecurity-workforce#ixzz7eKCTCxG6
[9] Vera, “Help Wanted at BIR: Data scientists, cybersecurity experts”, https://business.inquirer.net/358144/help-wanted-at-bir-data-scientists-cybersecurity-experts#ixzz7eKDeNak4
Page 3
This report concludes that the Philippines cyber ecosystem may be deadlocked and that if the current situation continues, the country will:
• Fail to substantially increase the size of its cyber workforce in the nation’s business market;
• Continue to have great difficulty recruiting and retaining cyber talent within the national government departments/agencies; and
• Be unable to take advantage of a burgeoning world demand for cyber expertise (i.e., via the Philippines’ BPO Market).

Based on the cyber challenges found thus far, and given that this report’s recommendations are for the new Marcos Administration, the following two tracks of recommendations are offered, which are intended to be implemented simultaneously: 1) Incremental and 2) Jumpstart/Adaptive.

Track 1—Incremental. The incremental recommendations are natural evolutions/extensions of existing cybersecurity activities and are considered low risk. These recommendations are designed to move the Philippines’ national cybersecurity posture forward in successive steps:
• Encourage Cyber Awareness at All Levels. Review existing programs that raise cyber awareness among the Filipino population, beginning at the K-12 level. Survey points of coordination and collaboration between sectors of society (e.g., industry, academia, and military) so that potential lessons learned in one sector are visible to and absorbed by other sectors as well.
• Ensure that the Philippine Government, Especially the Department of Information and Communications Technology (DICT), is Staffed by Competent Cybersecurity Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden Information and Communications Technology (ICT) Infrastructure in the Near Future. Review the DICT staffing mix to confirm the right blend of experience and specialization so that DICT has the capability to engage and improve directly even the hardware-dependent elements of cybersecurity.
• Move Toward Formal Adoption of a Cyber “Common Consistent Lexicon” such as that offered by The National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity (NICE Framework), U.S. National Institute of Standards and Technology (NIST) Special Publication 800-181, revision 1. Provide a common language and vocabulary so that various sectors of Filipino society are not “talking past each other” in meetings and forums meant to foster collaboration. Consider the Operational Technology Cybersecurity Competency Framework (OTCCF) developed by the Cyber Security Agency (CSA) Singapore as a first step.
Page 4
• Ensure Filipino Citizens have the Right to Freeze their Credit. Provide viable defensive responses in the wake of inevitable cyber-scams and -attacks; make sure laws and banking regulations permit citizen-victims to stop and mitigate the impacts of cyber-attacks that impact their personal credit histories.

Track 2—Jumpstart/Adaptive. The jumpstart/adaptive recommendations are designed to prime the pump for a more robust Philippine cybersecurity ecosystem. These recommendations move the Philippines forward by a leap that is more radical and therefore must also be adaptive. There are five major recommendations, with five key ecosystem actions that would be assigned to the proposed Executive Agency for Cybersecurity, which follow:

1. Appoint an Executive Agency for Cybersecurity. This Agency is the nexus for the Philippine cyber ecosystem. Key ecosystem actions that the Agency would oversee are listed as follows:
• Review and Right-size Current Cyber Laws. Create a task force/working group to address the current cyber laws and their right-size for the Philippines. Create recommendations to adjust/maintain current plans, policies, controls, techniques, tools, as well as enforcement, and/or punishments.
• Use Tax Incentives to Create Cyber Apprentice Programs within Philippine Industries. Create criteria for a government-approved cyber apprentice program (e.g., minimum months duration, subjects/tools covered, training provided, minimum prior cyber education required for the apprentices, etc.). Provide sizeable tax incentives for BPO providers, the ICT providers (such as undersea cable providers, etc.), Security Operation Centers (SOC) providers, Managed Security Services Providers (MSSP), etc., that elect to create a government-approved cyber apprentice program. The cyber apprentice program should require prior cyber-education but no prior cyber-experience; and the provider-businesses must develop apprentice job descriptions/requirements that help guide curriculum development.
• Provide Grants to Create Cybersecurity Centers of Excellence (COE). Create criteria for government-approved cyber COEs using the cyber apprentice program job descriptions and other market inputs. Certify pipelines (State University four-year institutions and State two-year institutions) as COEs and provide sizeable-and-appropriate grants to start up and/or expand their various cyber programs.
• Provide Vouchers for Examinations. Negotiate with certification organizations and purchase a block of fully paid certification examination vouchers for key certifications (for privacy and cybersecurity).
Page 5
Award one-time exam vouchers to graduates of government-approved COE pipelines. For example, the voucher will pay for their first CISSP examination, and pay for their first CISA examination, and so forth. The graduate pays for second attempts at passing the examination, which are not covered by the voucher program.
• Provide After-the-fact 50 Percent Scholarships to COE Graduates that Pass Selected Cyber/Privacy Examinations and Regulate Cost of Training. Create and fund a scholarship program. Award 50 percent of training fees to those that pass the examination if the training was from a COE—this is an “after-the-fact scholarship”. In turn, control the inflation of cyber-training fees charged by a government-approved COE. Confirm that the training fees charged by the COEs remain globally competitive and are not inflated due to the government providing after-the-fact 50 percent scholarships.

2. Implement a Cybersecurity Curriculum. Require the Commission on Higher Education (CHED) to develop a cybersecurity curriculum for the state universities’ undergraduate (four-year) programs as directed by the Executive Agency for Cybersecurity. Require the Technical Education and Skills Development Authority (TESDA) to develop a Cybersecurity Curriculum for vocational (two-year) programs as directed by the Executive Agency for Cybersecurity.[10] Confirm a technical cyber training specialization/track and a non-technical cyber training specialization/track that meets the government-approved COE criteria. This is similar to a college/university offering the Management of Information Systems track and the Computer Science track.

3. Enhance and Implement Cybersecurity Legal Training for Judges. Require the Supreme Court to require cybersecurity legal training for the judges appointed to hear cybersecurity cases in coordination with the Executive Agency for Cybersecurity. In turn, this recommendation may feed back into the CHED and the Philippine Judicial Academy (PHILJA) to develop a legal cybersecurity curriculum for future cyber judges and/or cyber-law attorneys.

4. Make the Government Cyber Pay Scale Competitive. Require the Civil Service Commission to develop a Cybersecurity/Privacy Government Career Path with a competitive pay scale in coordination with the Executive Agency for Cybersecurity. The competitive pay scale will help retain cyber-talent and privacy-talent within government agencies. Develop cybersecurity job descriptions, possible career pathways, etc., that are reflective of a mature cyber ecosystem. Obtain exemptions to the Salary Standardization Laws, as required.

[10] One source offers that the TESDA initiatives could also be in partnership with ILO’s Women Can Do It Scholarship Program with targeted mentorship to help women gain quality employment and advancement opportunities in STEM-related jobs. This may require collaboration to ensure course offerings in cybersecurity. https://www.ilo.org/manila/aboutus/WCMS_632711/lang--en/index.htm
Page 6
5. Sponsor a Philippines National Cyber Consortium. This consortium should meet every quarter (every three months) to improve and adapt these initiatives; and to report status and accomplishments back to the President of the Philippines. The Executive Agency should create and chair this National Cyber Consortium to validate that the cybersecurity ecosystem is improving and adapting to the changing Philippine and global cybersecurity market. These meetings should include representatives from across the Philippines cyber ecosystem: Philippine Administration, DICT, cyber organizations in the military and intelligence, cyber-law investigation/enforcement agencies, CHED, TESDA, Department of Education (for K-12 security awareness training), Supreme Court, COE universities/candidate universities, COE two-year institutions/candidate institutions, industry apprentice programs, and cyber associations/cyber nongovernment organizations (NGO).

Implementing the above two tracks of actions will enable the Philippines to better withstand cyber-crime, take advantage of the growing internet economy, and grow its share of the future BPO world market.

The following risks exist if only Track 1 is implemented:
• Risk 1—75 percent of the $23 billion Philippines BPO may soon be jeopardized. Without a jumpstart for the Philippines cyber ecosystem, there is a high business risk to the Philippines’ economy, especially to the BPO sector.
• Risk 2—If cyber staff shortages continue within the Philippines, then real—not hypothetical—negative cyber consequences will result. The authors of the global 2021 (ISC)² Cybersecurity Workforce Study stated, “Staff shortages have real-life, real-world consequences. What are the benefits of bridging the workforce gap? Would we really be more secure if we eliminated the gap? To find out, we asked participants, for the first time, to share what negative impacts their organizations have experienced because of their own cybersecurity workforce shortages.”

By contrast, there are notable benefits to implementing Track 2 via an Ecosystem View:
• Positive Result 1—An ecosystem view allows cybersecurity stakeholders to ask questions that address issues and concerns above-and-beyond mere compliance.
• Positive Result 2—An ecosystem view allows the use of many positive levers to manipulate the environment. The ecosystem view is above-and-beyond a classic view that noncompliance must be met by punishment/fines.
Page 7
1. Introduction
1.1 Objective
This report provides significant recommendations for increasing the cybersecurity posture of the Philippines as a nation over the next four years. This includes actions to be taken primarily by the new Marcos Administration that will affect the cybersecurity workforce of the Philippines positively, enhance and encourage the pipelines that instruct/develop that cyber workforce, and help establish cybersecurity career pathways. Furthermore, these recommendations should ultimately also positively influence the definition of cybersecurity roles/responsibilities, cybersecurity frameworks (such as sector cybersecurity guidance), as well as national cyber governance, risk management, and compliance (GRC).

Maturity of Cybersecurity. The Philippines, as a nation, must improve its cybersecurity posture to better combat the increasing global cyber threat landscape, and to set a foundation for business growth within the Philippines through a robust cybersecurity ecosystem.[11] As stated by the Department of Information and Communications Technology (DICT), “In comparison with our neighboring countries, the state of our [national] cybersecurity is still at its infancy stages”(Ref. 21)—which makes the Philippines a prime target for threat actors, cybercrime, and/or invasion of privacy, as stated by Angel S. Averia, Jr., et al.

“In the Philippines, cybersecurity is not seen as a priority yet. Because the country is still at the initial stage of digital transformation, there seems to be a misconception that threat actors do not pose as serious a threat or that the Philippines is not a target.”(Ref. 07)

Cyber ‘infancy’ combined with ‘misconceptions’ may account for why one source asserts that the Philippines is the “[4th] most targeted country by cybercriminals in 2021.”(Ref. 01)

Impact on Philippines business growth. The lack of a robust cybersecurity ecosystem limits business growth at a time when business has tripled. As stated by Angel S. Averia, Jr., et al., “In an interconnected world, the Philippines will be confined to processing low-value commodities if it does not enhance its information security game because highly developed economies will not entrust it with sensitive data for

[11] The term “ecosystem,” as used here, implies the highest view of an interdependent community of national and international institutions, policies, activities, and their dynamic “living” interdependencies.
Page 8
processing. Data as the ‘new oil’ should be treated as a resource that impacts economic development.”(Ref. 07)

An improved national cybersecurity posture protects the flow of information for government and business. The track records for the safety and security of potential host countries are a primary consideration for multi-national corporations seeking candidate countries to provide business services (e.g., server hosting). Eliminating data breaches by promoting confidentiality and integrity of data hosted within the Philippines can encourage a rapidly growing internet economy. This improvement will, in turn, increase cyber workforce employment and provide a greater tax base for the government.

However, a state of cyber “infancy” and “misconceptions” amid rising cyber-crime and during a tripled South East Asia (SEA) market increase implies a two-track approach to solutions for the Philippines: (1) an incremental track that focuses on protecting the general security infrastructure and increasing the security awareness of the general population, and (2) an ecosystem approach that can bring rapid and significant improvement. The second track of recommendations is designed to jumpstart or prime the pump of the Philippines cybersecurity ecosystem.

The need for cybersecurity within the Philippines (or any country for that matter) is well-stated by former DICT Undersecretary Eliseo Rio, Jr.: “There is no physical or economic security without cybersecurity.”(Ref. 21)

“A Google, Bain, Temasek report on SEA’s E-conomy [sic] states that in 2019, the internet economy hit U.S. $100 billion, having more than tripled between 2015 and 2019.” (Ref. 04)
As stated by Mr. Chan Yeng Kit, Chairman, Infocomm Media Development Authority (IMDA)[12]

[12] IMDA, as described on its website: “As a statutory board in the Singapore government, it seeks to deepen regulatory capabilities for a converged infocomm media sector, safeguarding the interests of consumers and fostering pro-enterprise regulations.”
Page 9
1.2 Background
IBM developed this report for the U.S. Agency for International Development’s (USAID) Better Access and Connectivity (BEACON) Activity. BEACON promotes economic growth by improving the country’s access and connectivity securely and transparently to information and communications technology (ICT) infrastructure. BEACON also promotes an inclusive digital ecosystem in the country through integrating Gender Equality and Social Inclusion (GESI) as a crosscutting objective to enhance its key development interventions. Leveraging existing innovation and investment in the Philippines, the project will help enhance the Philippines’ digital ecosystem by focusing simultaneously on institutional capacity; policy, regulatory, and process improvements; and underlying systems, infrastructure, and interoperability—all undertaken with intensive private-sector and multi-stakeholder engagement. The result will be a stronger and more competitive telecommunication market and digital economy needed to accelerate economic growth and regional competitiveness; and a more diversified and inclusive workforce capable of addressing cybersecurity challenges in a currently male-dominated field.

1.3 Intended Audience
This report is written for the new Marcos Administration, which was elected in May 2022 and took office in July 2022; and is also written for leadership at DICT, industry, and academia.

1.4 Key Assumptions—Initial and Revised
Initial assumptions used as the basis for this report are listed below:
A. Interviews will be conducted with key resources from four key sectors: government, industry, academia, and military.
B. Given the four sectors, the report will emphasize defensive cybersecurity for the Philippines’ cyber workforce, with insights into offensive cybersecurity (from the military sector).
C. The report will emphasize talent development—that is, cyber workforce development. Further, the report will not delve into cyber policy/law development nor critical infrastructure protection.
D. Early exposure to military interviewees might expose a fifth sector, namely, the Philippine intelligence community.

Revised assumptions: As the answers, issues, and facts during the interviews of 29 personnel selected from the different sectors of Filipino culture were compiled, assumptions were revised as follows:
A. Interviews will be conducted with four key sectors: government, industry, academia, and military. Access to conduct interviews with academia and military personnel will be limited.
B. Given the four sectors, the report will emphasize defensive cybersecurity for the Philippines’ cyber workforce, with limited insights into offensive cybersecurity (from the military sector).

1.5 Methodologies Used
The IBM team interviewed 29 key personnel involved with the Philippines’ cybersecurity ecosystem primarily in March and April 2022. The team conducted the interviews virtually. Additionally,
Page 10
secondary sources were reviewed—articles, reports, slide decks, etc.—most of which were identified by IBM or provided by USAID’s BEACON Activity, and/or the Philippine interviewees.

A system-of-systems viewpoint was initially taken with the intent to study systematically:
• The current, target/goal, and gaps of the following areas: the cyber workforce, cyber pipelines that develop/educate the cyber workforce, cyber careers available to the graduates of the pipelines, and cyber jobs/roles/responsibilities within those careers;
• The cyber frameworks;[13] and
• The cyber GRC as shown in the national cyber laws.

Over time, it was realized that the system-of-systems view produced recommendations that would lead to only incremental change—which is good and needed—but incremental change would not allow the Philippines to become competitive within the growing national and international cyber marketplace for many years. Indeed, incremental change alone would most likely allow the highest-value data commodities and its related business market to move to other nations. As stated by Angel S. Averia, Jr., et al., “In an interconnected world, the Philippines will be confined to processing low-value commodities if it does not enhance its information security game ….” (Ref. 07, our emphasis in bold)

Therefore, an ecosystem viewpoint was also taken to ascertain additional recommendations—providing the finding that the ecosystem view provided recommendations that would jumpstart the cybersecurity workforce within the Philippines and allow a quicker entry into the national and international cybersecurity marketplace.

In general, interview questions related to understanding the current cyber ecosystem revealed a limited cyber ecosystem in the Philippines, generating the following initial concerns:
• No curriculum feedback loops between industry and academia (e.g., training alumni who leave as overseas foreign workers [OFWs] do not return to teach, thereby taking with them potential lessons learned from Philippine industry);
• No incentive for industry to have a multi-month apprentice program;
• No incentive for academia to ramp-up its cyber pipeline; and
• No well-funded Executive Agency for Cybersecurity to manage the feedback loops and incentive programs.

One source has offered the following analysis:

“For the past few years, the Philippines has been in a bit of a stalemate when it comes to demand and supply of cybersecurity skills. Demand has always been high and continuously increasing, however the interest to pursue the field has been one of the challenges to jump start the production of cybersecurity skills to meet the demands.

[13] Frameworks are not laws, but are sector-enforced sets of security controls, such as banking frameworks.
Page 11
“Cybersecurity seems to be still a niche. A good majority of people aren’t aware of it, especially those outside of Manila. People who are aware, do not really understand it and it’s not seen as a proper field with good job opportunities and professional growth; hence people tend to choose other fields instead.

“…for those who recognize the importance, investing in cybersecurity skills comes with big costs, both for the person pursuing it and also the organization.

“…Training centers do not see it [cybersecurity] as sustainable to invest in, [such as by] providing cybersecurity courses (like investing on being a proper ISC2 Official Training Provider, etc.), especially given the expensive costs of both investing, delivering and even selling the training itself.

“The same case applies to schools and universities seeing it [cybersecurity] as not really sustainable to invest in [by] developing and providing cybersecurity courses to college students.

“The government’s effort on it [cybersecurity] is mostly for itself and has very little [emphasis]… on the sustainability of cybersecurity skillset for the country as a whole and how it supports economic growth. This lack of support has kept the market for cybersecurity skillset and trainings in stalemate.”

The normal stream of information, trends, requirements, and suggestions that flows between academia, industry, the military and government in a mature cybersecurity environment (feedback loops) is missing, according to information gleaned from interviews conducted in support of this report.
Page 12
The next three text boxes explain the system view, the system-of-systems view, and the ecosystem view using brief analogies:

The System View Using an Automobile Analogy: The wheel of your car is a “system”—which contains a tire, a valve stem, a metal rim, spokes, pressurized air, and lug nuts holding the rim in place.

The System-of-Systems View Using an Automobile Analogy: Your entire car is a “system of systems”—which contains a drive train, wheel systems, electrical systems, light systems, braking systems, music systems, air conditioning system, etc.

The Ecosystem View Using an Automobile Analogy: Your car is an active participant within an “ecosystem”—which contains your car, your city’s cars, your state/nation roads, the roads’ signal/light systems, the gasoline distribution system (underground pipes, refueling trucks, gasoline/petrol stations, oil container ships, etc.), a legal system for traffic enforcement, multiple parts distribution systems, auto repair systems, and buying and selling systems. In the case of the gasoline distribution system and the parts system, the ecosystem can be international in scope. Many of these systems can be in active competition with each other and/or very dependent upon each other (and a single failure of one system can be far reaching).

Constraints occurred due to the methodologies employed by the IBM team: the educational institutions may have been overly optimistic due to a need to promote their current courses; the DICT assisted the IBM team with several clarifications which, in turn, may be only from the viewpoint of DICT; and the interviewees were not supplied the questions prior to the interview and thus their answers reflect spontaneity as opposed to well thought-out position statements.
  • 20. Page 13 2. The Current State of Cybersecurity Workforce Development in the Philippines Six years ago, a massive data breach rocked the Philippines. This breach, commonly referred to as “COMELEAK”, involved data from roughly half of the entire Filipino population and has been covered in the international press in detail. A few select quotes from "When a Nation is Hacked: Understanding the Ginormous Philippines Data Breach," by the internationally recognized cybersecurity expert, Troy Hunt, provide a snapshot of the scope and impact of the damage: “The data consists of 76GB worth of (usually) compressed files, most notably a MySQL backup that expands out to 338GB. There’s a raft of other .SQL files in the breach as well ranging from a few KB up to hundreds of MB. The breadth of data in these is quite significant; … Amongst the huge volume of data is a total of 228,605 email addresses. This may sound like a small number out of the 55M records, but according to reports, a lot of the sensitive data such as passport numbers belongs to a ‘mere’ 1.3M overseas voters”.(Ref. 12) “The Philippine Overseas Labor Office (POLO) states there are 10 million OFWs at any given time.(Ref. 13) The average OFW is said to ‘remit’, on average, $400 per month back to the Philippines.” Given the importance of overseas citizens to the Philippine economy, the 2016 data breach, impacting such a huge percentage of the entire population, carried potentially serious national economic implications far beyond the obvious personal and political considerations. Further, the Philippines, as a growing destination for BPO, has deep economic motivation to preserve its reputation as a safe and reliable destination for international corporations and organizations considering relocation of their hardware and data to the Philippines. 
    Traditional Sources of Cyber Strength
    Given the Philippines’ status as a host of business services for multiple prominent multi-national corporations and given its long history of cooperation with the U.S. military, the IBM team assumed several facets of cybersecurity in the nation would be either fully developed or in the process of maturing. Prominent among initial assumptions, the IBM team anticipated that the following elements and features would be either established or in progress:
    • A substantial, if not fully mature, academic pipeline providing formal cybersecurity degrees and programs at the undergraduate and graduate levels;
    • Some progress toward introduction of cybersecurity concepts and skills at the K-12 education levels;
    • A military-to-industry and/or a military-to-academia career path in which cybersecurity skills and knowledge gained while in uniform would lead to continued applicability in a post-military career; and
  • 21. Page 14
    • A military-to-government career path allowing for continued use and cultivation of cybersecurity skills in a post-military career.
    For reasons explored in various sections below, initial assumptions about both the pipeline and Filipino career-paths proved incorrect. The subsections that follow explore causation and discuss the corrected assumptions in light of input from interviews.
    2.1 Current Cyber Talent Pool Status
    The IBM team conducted an examination of the current cyber talent pool status via interviews, a comparative analysis of CISSP certifications, and some miscellaneous approaches.
    Interviews
    While tallies of hard data indicating the Philippine-specific shortfalls of cybersecurity talent are difficult to find, the approach of interviewing key figures within various Filipino sectors rendered significant anecdotal evidence of talent deficits. The industry sector, which could be thought of as the most significant customer of cybersecurity talent, produced multiple representatives who expressed concern about a large gap between current pools of cybersecurity talent and the current and projected needs of Filipino industry.
    For example, Anton Bonifacio, of GLOBE Telecom, noted, “The requirement for cybersecurity services has certainly increased in the Philippines. … There is a lack of talent, per se. … What is lacking are security operations analysts and talents that are able to do the necessary, you know, whether that’s a threat hunting, threat intelligence so on and so forth. That’s why I find myself, for example, looking for talents, not even in the security space.” (Int. 01)
    Recognition of a Philippines-specific cybersecurity talent shortfall is not limited to representatives of industry. Professor Jocelynn Cu, of De La Salle University, indicates that recently the national awareness of the need for robust cybersecurity has blossomed.
    She notes that the two short years since the onset of COVID-19 provided a sort of “wake up” call for the country: “I think that there’s really a lot of room for improvement, especially to the workforce. We don’t have enough experts in that area. … I think it’s just the recent in the past two years when they indicate that everybody became … aware of what information security is, how to keep themselves paid. They’re shopping online doing everything online. I think that’s the time [i.e., the COVID lockdown period] when it made everybody realize that, hey, information security is the serious matter, but even before that we noticed that there’s really a big demand for information security experts, but we’re not producing enough graduate[s] for that.” (Int. 02)
    Comparative Analysis of CISSP Certifications
    The depth of the cyber workforce can also be measured by the number of cyber workforce members holding professional third-party cyber certifications. The Certified Information Systems Security Professional (CISSP) certification, issued by the International Information Systems Security Certification Consortium ((ISC)²), the largest not-for-profit global cyber certifying organization, is often considered the gold standard of the possible professional cyber certifications.
  • 22. Page 15
    This is confirmed by the following statement from Credly, an independent third-party company that records certifications (and does not offer the CISSP training or CISSP examination, and therefore has no conflict of interest): “Required by the world’s most security-conscious organizations, CISSP is the gold-standard information security certification….” (Ref. 25)
    A certifying organization, such as (ISC)², CompTIA, or ISACA, serves as an independent third party to test an individual’s cyber knowledge via proctored examinations. Someone who passes the examination therefore has demonstrated a certain level of knowledge and understanding of selected areas of cybersecurity. A certification shows that the holder has passed the examination and has the minimum experience required by the certifying organization. The individual then continues to obtain Continuing Professional Education (CPE) in order to maintain their certification.
    Using the 2021 (ISC)² Cybersecurity Workforce Study (Ref. 19), the IBM team examined the number of cyber professionals holding the CISSP certification.[14]
    Marnel Peradilla, also of De La Salle University, noted: “The cybersecurity workforce is very small. Okay. So, they get consultation from these well-known professionals in information security. …I think the cybersecurity workforce in general, there are few people, are few professionals that are really good in offensive cybersecurity, in the offensive side. Of the professionals here in the Philippines when they have a chance to go abroad…if they have a chance to, they will ‘go for it’ and they usually don’t come back.” (Int. 03)
    [14] “The 2021 (ISC)² Cybersecurity Workforce Study collected survey data from a record 4,753 cybersecurity professionals working with small, medium, and large organizations throughout North America, Europe, Latin America (LATAM) and Asia-Pacific (APAC).”
  • 23. Page 16
    As shown in Figure 2.1-1, the Philippines’ 202 CISSP certifications compared favorably with other ASEAN countries (except for Singapore which has 2,804 CISSP holders). When normalized by population, the Philippines’ 202 CISSP certifications still compared favorably with other ASEAN countries (again, except for Singapore which has 2,804 CISSP holders). See Figure 2.1-2.
    Figure 2.1-1: ASEAN CISSP Count
    Figure 2.1-2: ASEAN CISSP Count, Per Million Population
  • 24. Page 17
    Singapore is removed from Figure 2.1-3 to allow for easier comparison among the other ASEAN countries. However, when compared to other well-known BPO countries in Figure 2.1-4, the Philippines’ 202 CISSP holders were less than Thailand, Mexico, Malaysia, Brazil, Poland, and significantly less than India, Japan, and China. (Ref. 50a, 50b, 50c, 50d)
    Figure 2.1-3: ASEAN CISSP Count, Per Million Population (Singapore Removed)
    Figure 2.1-4: Top BPO Nation CISSP Count
  • 25. Page 18
    However, when BPO nations are normalized by population, the Philippines has 1.8 CISSP holders per million population. This view in Figure 2.1-5 shows that Bulgaria, Malaysia, Poland, and Japan are much better positioned to have a BPO market handling sensitive information. Additionally, the Philippines is only ahead of the competition when compared to Ukraine and Indonesia.
    Figure 2.1-5: Top BPO Nations—CISSP Count, Per Million Population
    Using the above data, the Philippines should endeavor to gain a total of 1,212 CISSPs, which would yield a score of 10.8 (slightly above the score of 10.6 for Bulgaria). This is a six-fold increase—that is, 202 * 6 = 1,212.
    Miscellaneous Approaches
    Global Cyber Growth vs. Philippines Cyber Growth. Globally, the cyber workforce gap is estimated at 2.72 million cyber positions, as reported by (ISC)²: “For 2021, our study estimates there are 4.19 million cybersecurity professionals worldwide, which is an increase of more than 700,000 compared to last year. By contrast, the cybersecurity workforce gap is the number of additional professionals that organizations need to adequately defend their critical assets. For the second consecutive year, the cybersecurity workforce gap has decreased, down to 2.72 million compared to 3.12 million last year. Together, the cybersecurity workforce Estimate and cybersecurity workforce gap suggest the global cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets.” (Ref. 19, our emphasis in bold)
    However, as implied by the previous CISSP analysis, a six-fold increase in the cyber workforce would more likely place the Philippines in a globally competitive position (assuming that a large number of the six-fold increase would achieve CISSP). While a six-fold increase may sound unachievable, it is important to note that the U.S. experience with the original National Centers of Academic Excellence in Cybersecurity (NCAE-C) program—which began with only seven universities in May 1999—now has 380 universities, colleges, and research programs.
  • 26. Page 19
    Degree Status, STEM Education, Compensation Analysis
    The 2021 (ISC)² Cybersecurity Workforce Study asks, “What Does the Global Cybersecurity Community Look Like? With varied pathways to cybersecurity positions, it’s hard to pin down what defines a typical cybersecurity professional. Our survey revealed in 2021 the global cybersecurity workforce is [as follows]:
    • Well-educated—86 percent have a bachelor’s degree or higher.
    • Technically grounded—among those respondents with college degrees, most graduated with degrees in STEM fields (46 percent computer science, 18 percent engineering, 3 percent mathematics) and some from business fields (8 percent business, 4 percent finance, 3 percent economics).
    • Strongly compensated—[global] respondents reported an average salary before taxes of U.S. $90,900—up from U.S. $83,000 among respondents in 2020, and U.S. $69,000 in 2019—with 31 percent reporting a median annual salary of U.S. $100,000 or more.” (Ref. 19)
    Interview data did support that the majority of the Philippines’ cyber workforce was well-educated and did hold a STEM degree (most often, the Bachelor of Science in Computer Science). However, the Salary Expert Platform indicated that the average mid-level Filipino cybersecurity specialist salary was ₱747,054 (PH Pesos), which is approximately $14,224 (U.S. Dollar). (Ref. 39 and Ref. 40) Using the Salary Expert Platform for the United States, a mid-level cybersecurity specialist earns $110,890 (U.S. Dollar) in annual salary. (Ref. 47)
    Using a simple reckoning that the Philippines’ cost-of-living is one-third of the U.S. cost-of-living (Ref. 35), then (for a valid PH vs. U.S. comparative analysis) the Philippines compensation must be increased by a factor of three to approximately $42,600. (For ease of comparison, the U.S. salary of $110,890 is rounded up to $110,900.) A cost-of-living adjusted comparative analysis of $42,600 vs. $110,900 is shocking (Philippines vs. U.S., mid-level cybersecurity specialist). The difference between the two salaries is $68,300. This enormous difference may help to explain the movement of cyber workforce members from the Philippines to the U.S. markets—given that they will receive (in the average U.S. market) the same standard of living plus an additional income of $68,300. The $68,300 difference can then be put toward remittances to the Philippines, increasing the person’s standard of living, investing in his/her education, and so forth. Granted, the Filipino working in the United States may pay more in taxes—however, U.S. taxes will not consume the entire $68,300. And thus, working within the United States can be extremely enticing to the cyber-trained Filipino.
    The IBM team recognizes that this cost-of-living comparative analysis is ignoring psychological motivators, such as status/achievement, power, and peer approval/affiliation. Arguably, if
  • 27. Page 20 remuneration differences were equalized within the framework of similar cost-of-living and similar psychological motivators, then perhaps Filipino cyber workforce members would be more incentivized to stay in the Philippines and work in-country. However, this is conjecture.
    On the other hand, a raw cost analysis of $14,200 vs. $110,900 can also be extremely intriguing—as this implies a U.S. company could employ seven Filipinos (working in the Philippines) for every one U.S. cyber workforce member (working in the United States). See Figure 2.1-6.
    Figure 2.1-6: Cybersecurity Compensation Comparison (one U.S. mid-level cybersecurity specialist at $110,900; seven Filipino mid-level cybersecurity specialists at $14,200)
    This raw analysis implies a tremendous business opportunity for explosive growth within the Philippines’ BPO market—if the Philippines cyber ecosystem can develop and deliver equivalent skilled graduates and an equivalent cyber-protected business infrastructure.
    In summary, the individual cyber-trained Filipino can view the world of cyber-employment through a cost-of-living comparative analysis. However, outside nations view investment in the Philippines business market through a raw cost analysis as illustrated in Figure 2.1-7.
  • 28. Page 21
    Figure 2.1-7: Outside vs Individual View
    2.2 Current Pipeline—Training Programs—Academic and Commercial
    The U.S. model for cybersecurity includes both functional/structural factors (educational opportunities, legal and regulatory structures) and cultural factors (career progression opportunities and trends). Roughly speaking, the U.S. pipeline model involves a foundation of early-career exposure to cybersecurity concepts and skillsets via formal education and/or via military experience. Because the United States has no cultural equivalent to the Philippines’ OFW phenomenon, the next step beyond that foundation usually involves movement to a cybersecurity career in either industry or, post-military career, in government.
  • 29. Page 22
    Arguments could be made (and refuted) that the U.S. model for a cybersecurity talent pipeline provides a type of international standard. There are complications with any direct emulation of the U.S. model. The POLO (Philippine Overseas Labor Office), after describing the 10-million-plus Filipino workers abroad and their ongoing role in the economy of the nation, lists all the following as “reasons Filipinos work abroad”:
    • They can provide income stability for their family.
    • They have access to better career opportunities.
    • They are able to provide for their children’s education.
    • They can maximize their skill sets in order to gain better employment through skills training and higher learning.
    • They feel like they have more freedom than working in the country because of the reasons listed above.
    • They take jobs that they believe will lead to better opportunities for themselves and their families. (Ref. 13)
    Taken as a whole, these points—the credibility of which is enhanced by the fact that they come directly from a Philippine government office—provide deep-seated reason to believe that traditional U.S. cyber-talent pipelines (e.g., widely available college programs, ex-military follow-on careers, etc.) will not work for retaining cyber workforce within the nation of the Philippines.
    Normally the talent pipeline for a relatively new industry, such as cybersecurity, takes its shape from the interplay between training and education (academia) and the end-user demand for the skillsets relevant to that new industry. In short, while nearly all industries benefit from interaction between formal training institutions and the workplace, a young industry such as cybersecurity has a distinct need for this interplay. The feedback loops provide essential input in both directions. With Filipinos going abroad at (or near) the completion of training due to differences in economic opportunity and an imbalance of remuneration levels, that interplay is broken and threatens to destroy vital feedback that could keep the pipeline relevant and adequate.
    “One overarching factor in the Philippines will always inhibit the direct transfer of the U.S. cybersecurity talent model from working as a template for the Philippines—the strong acceptance by the Philippines of the OFW phenomenon. Economic opportunities abroad will likely keep the OFW process alive for the foreseeable future, keeping the ‘brain drain’ relevant.”
  • 30. Page 23
    2.3 Current Cyber Career Pathways
    Insofar as traditional cybersecurity career pathways involve a four-year undergraduate degree followed, perhaps, by a master’s degree before moving to an industry or government position, traditional cybersecurity career pathways barely exist in the Philippines. Only a handful of Filipino universities offer any sort of cybersecurity degree, undergraduate or otherwise.
    Likewise, there appear to be minimal military-to-industry or military-to-government career pathways for cybersecurity. This is certainly the case, in part, because the first Philippine military units specializing in cybersecurity were established roughly in the past five years (Ref. 15). (Int. 04) Insufficient time has elapsed for the first cadre of cybersecurity personnel in uniform to have made the transition out of the military into a post-military second career. Whether or not that first cadre will elect to stay within the country with their post-military cybersecurity skillset and experience remains an open question and a potential area for Philippine government involvement.
    It should be noted that there are some variations of military-to-industry or military-to-government career pathways in other sectors, fortunately or otherwise (e.g., the manned/physical security industry, because of RA 5487 and a marked preference of private security agencies to hire retired or ex-military/police personnel).
    [15] This statement is based, in part, on information provided by Major Ely Tingson during the 9 May 2022 interview with Jeff Krinock. It’s noteworthy that Major Tingson helped with the writing and publication of the Philippines’ National Cybersecurity Plan.
  • 31. Page 24
    2.4 Current Job Roles and Responsibilities
    Given the state of the cybersecurity pipeline and career pathways in the Philippines, it’s not surprising that cybersecurity job roles and responsibilities are not defined clearly at a national level. As DICT’s National Cybersecurity Plan 2022 notes in its conclusion, “Admittedly, the Philippines’ state of cybersecurity is still at its infancy stage….”
    When the National Cybersecurity Plan 2022 does speak to job roles and responsibilities, it covers these at a high and general level. In a subsection named, “Develop”, the plan states: “In order to address the issue on the supply-demand gap for cybersecurity specialists, an inventory of IT professionals working within the government shall be conducted. While these short and midterm actions are being implemented by DICT, the long-term direction shall be on defining and developing the cybersecurity skills needed across the population.” Note that even the foundational step of “defining” cybersecurity skills is listed as a “long term” objective.
    By contrast, a snapshot of another Asian country’s status with defining cybersecurity roles can be seen in Figure 2.4-1. Singapore, arguably the “gold standard” in Asia for cybersecurity, provides numerous detailed definitions for many cybersecurity roles, and they make these definitions and profiles publicly available. As seen in Figure 2.4-1, Singapore takes a knowledge, skills, abilities (KSA) approach to defining job roles and responsibilities. In addition to creating profiles for multiple cybersecurity roles, Singapore attempts to list in table form the nuances of each role’s relevant skill sets, sorted by Levels 1-6.
    [The IBM team found no equivalent job role descriptions anywhere in the Philippines, publicly available or otherwise.
Though the Civil Service Commission is the national government agency that sets job descriptions, there are none for cybersecurity, and ICT job descriptions currently available are, at best, archaic.]
  • 32. Page 25
    Figure 2.4-1: Cyber Forensics Job Profile
    From: https://www.skillsfuture.gov.sg/skills-framework/security
    Skills Framework for INFOCOMM Technology: Technical Skills & Competencies (TSC) Reference Document
    TSC Category: Operations and User Support
    TSC Title: Cyber Forensics
    TSC Description: Develop and manage digital forensic investigation and reporting plan which specifies the tools, methods, procedures and practices to be used. This includes the collection, analysis and preservation of digital evidence in line with standard procedures and reporting of findings for legal proceedings
    TSC Proficiency Description (columns: Level 1, Level 2, Level 3, Level 4, Level 5, Level 6)
    ICT-OUS-2002-1.1: Scan, retrieve and preserve digital evidence from various sources, following authorized protocols
    ICT-OUS-3002-1.1: Coordinate the collection and preservation of evidence and analyses forensic evidence to draw inferences
    ICT-OUS-4002-1.1: Develop a digital forensic investigation plan, and integrate analysis of evidence, outlining key conclusions, insights and recommendations
    ICT-OUS-5002-1.1: Establish digital forensic investigation policies and protocols for the organization, and manage multiple investigations
    ICT-OUS-6002-1.1: Define new cyber forensics tools, techniques and methodologies and lead cyber forensics investigations on an international scale
    Knowledge
    • Types of data devices and storage
    • Features of the different type of data services storage
    • Types of computer, network and mobile evidence
    • Computer forensic hardware and software tools
    • Procedures used to acquire, preserve and maintain integrity of evidence for different IT systems
    • Potential internal and external data sources
    • Range of analytical techniques to examine digital evidence
    • Broad range of computer, network and mobile forensic tools and techniques
    • Statistical analysis procedures used to identify trends
    • Legal principles and regulations in relation to forensic investigation
    • End-to-end process and procedures in forensics investigation
    • Critical milestones and touchpoints in a forensics investigation
    • Emerging and specialized forensic tools, solutions and methodologies
    • Changes and updates to regulatory or legal requirements
    • Implications of regulatory and legal parameters on forensic investigations
    • Evolving trends in forensic investigation
    • New and emerging trends in the Infocomm Technology or related fields
    • Impact and consequences of forensics investigation policies and protocols on the organization
    • Cyber forensics tool developers
    • Cyber forensics process development
    • International considerations and implications of cyber forensics investigation and activities
    Abilities
    • Access evidence from electronic devices using various forensic tools
    • Extract digital evidence from various sources, following authorized protocols
    • Use forensic tools to back-up and preserve
    • Monitor a range of internal and external data sources to identify relevant information to incident at hand
    • Coordinate the collection and preservation of digital evidence
    • Develop a digital forensic investigation plan, including the tools, processes and methodologies to be used
    • Assess suitability of new and emerging forensic
    • Establish digital forensic investigation policies and standards for the organization
    • Develop protocols and Standard Operating Procedures (SOP) for investigation procedures including guidelines for
    • Chart direction for new cyber forensics techniques and methodologies
    • Establish cyber or digital forensic tools for adoption
    ©SkillsFuture Singapore and Infocomm Development Authority. Effective Date: January 2020, Version 1.1
  • 33. Page 26
    2.5 Current National Cyber Talent Framework
    Multiple opinions were encountered about frameworks related to cybersecurity in the Philippines, to include mention of privacy frameworks, legal frameworks, national frameworks, skills frameworks, and infrastructure frameworks. When it came to frameworks specific to cybersecurity, the team encountered a range of opinions from “there is none” to “it’s [already] in the National Cybersecurity Plan 2022”. To shed light on this diversity of opinions, below are select quotes taken from interviews conducted between Feb 2022 and May 2022 in support of this report:
    IBM: Describe to me the ecosystem, as you perceive it, for cybersecurity in Singapore. Since you held that up as a good ecosystem.
    Clayton Jones (ISC2): They [Singapore] have a framework on skills, you know, so, like, you have NICE, and it’s linked. I mean, I’m not like, I’m not suggesting that every economy needs to develop its own framework and start from scratch, but there are frameworks that are out there. And, like I said, [an] economy can look at those.
    IBM: For example, [a country] might have its own framework to be part of [a] financial group. Do you abide by their framework? It becomes a de facto law. It’s not been enacted by any Congress or any presidential signature. What is this current state in your mind of either laws at the top level or different sector frameworks, as it pertains to cybersecurity?
    Anton Bonifacio (GLOBE Telecom): Some elements of our frameworks are more mature than others. Our privacy laws, based on the GDPR are fairly mature, but our anti-cybercrime laws less so. Our banking frameworks are also robust and are in use as benchmarks by others in finance. We could benefit, however, from greater agreement on and standardization of a cybersecurity framework that applies across multiple sectors of Philippine society.
    Gen Macalinao (DICT): Yes, we definitely envision here in the [Philippines that] cybersecurity will be a coordinated approach. In addressing the cybersecurity workforce, [we] need … something similar to the NICE, the NICE cybersecurity workforce development framework….
    Angelica Sarmiento (Department of Finance, DOF): That’s… encoded in the Philippine National Cybersecurity Plan, … so we already have the National Cybersecurity Framework. That’s, I think, being followed by all government offices.
  • 34. Page 27
    IBM: [Do associations] have a framework that they’re trying to use for cybersecurity?
    Joel Dabao (Philippine Cable and Telecommunications Association, or PCTA): We would like to have one, we don’t have one as of yet. It’s challenging to come up with frameworks… because we’re an organization of volunteers.
    IBM: [Used a similar lead-in question for the next reply]
    Dr. William Yu (Ateneo De Manila University): But what we are pushing right now is, of course, we want a regulation on [what] critical infrastructure actually is, …. Because right now… you can be a critical infrastructure operator here and have no cybersecurity protection whatsoever. And it’s okay. There’s not lot of require[ments] so that’s, I think that’s left for … the government or the national frameworks …. [W]e just have to create a framework that makes it specifically cyber and that’s actually good ….
    Summary
    The interviews conducted revealed a diversity of opinions about the status of cybersecurity frameworks. These disparities indicate a current lack of:
    (1) A common (national) understanding about what a cybersecurity framework is or should be.
    Explanation of (1)—Interviewees asked about their understanding of cybersecurity frameworks alluded to variations and/or related frameworks such as legal, national, skills and infrastructure frameworks. Each of these typically has a place as a subset of a mature and complete cybersecurity framework but should not be confused with a cybersecurity framework in and of itself.
    (2) A sense of how a national cybersecurity framework will impact and benefit various sectors in Philippine society and the economy.
    Explanation of (2)—The National Cybersecurity Plan 2022 uses a diagram to illustrate an overview of the cybersecurity framework (see Figure 2.6-1). The diagram itself reflects this issue; the entire framework, as displayed, seems to indicate only government and/or law enforcement as working elements of the framework. If other sectors of the Philippine nation are to be active participants in the cybersecurity framework, their roles and communications channels to/from DICT should be depicted and explained at least at a high level.
    (3) Standardization around the language and terminology used in discussion and planning for enhanced cybersecurity.
    Explanation of (3)—Interviews indicated that key terms such as “framework”, “infrastructure”, and “career pathway” have ambiguous definitions among interviewees. Of even greater importance will be gaining agreement about cybersecurity job descriptions and associated lists of cybersecurity skill sets. When various sectors, e.g., industry and academia, agree about the various skill sets and responsibilities entailed by any given cybersecurity job description, universities and potential employers augment the effectiveness of the feedback loops between them.
  • 35. Page 28
    The next section reviews the current model of the Philippines’ cybersecurity framework as illustrated in the Philippine National Cybersecurity Plan 2022.
    2.6 Current Governance/Risk/Compliance
    The National Cybersecurity Plan 2022 includes the graphic in Figure 2.6-1. This high-level illustration is labeled in the National Cybersecurity Plan 2022 as, “Figure 2: The National Cybersecurity Framework.” It provides a visual map of how the DICT sees the current and near-future shape of a cybersecurity framework in the Philippines.
    Figure 2.6-1: Cybersecurity Framework, From: DICT’s National Cybersecurity Plan 2022
    What the cybersecurity framework provides:
    As reflected in Figure 2.6-1, the framework as described in the 2022 plan:
    • Describes the rough hierarchy of the organizations supporting cybersecurity in the Philippines;
    • Outlines at a high level the responsibilities and roles of various organizations;
    • Identifies the five key principles of cybersecurity in the Philippines—Identify, Protect, Detect, Respond, Recover (derived from the U.S.’s NIST Cybersecurity Framework, Version 1.1); and
    • Implies various working relationships between agencies essential to addressing the five principles that form the foundation of the cybersecurity framework.
    What the cybersecurity framework does not provide:
    The cybersecurity framework, as depicted in Figure 2.6-1, does not provide details about the “how” of various actions described therein. Many of these seemingly missing details become visible only in an operational arena.
For example, the cybersecurity framework chart indicates (roughly) that the Department of National Defense (DND) is charged with working with military networks, to include “investigating cybercrimes under military jurisdiction.” Yet, a September 2021 CNN Philippines report of a potential cyber-attack originating from a Philippine Army IP address appears to indicate the subsequent investigation was handled by the DICT. (See https://www.cnnphilippines.com/news/2021/9/24/Philippine-Army-cyber-attack-media-Bulatlat-Altermidya.html for the article).
In partial summary, it is important to note that the following valuable details are not provided by the cybersecurity framework as displayed in Figure 2.6-1:
• Actionable details about the interrelationships between organizations such as the DND and DICT;
• Chain-of-command details such as which specific office within a given agency or organization is, in fact, responsible for action;
• Chain-of-command details such as which specific office within a given agency or organization is, in fact, responsible for coordination between agencies and/or sectors of the Philippine economy and society;
• Timelines and dates for implementation of agency functionality described within the framework;
• Details related to communication, education, and building awareness of cybersecurity in the Philippines;
• Details as to which agency, group, or organization will lead the effort to standardize language, concepts, job role descriptions, and other elements of cybersecurity that benefit from common understanding across sectors of society; or
• Specifics about meetings, consortiums, and outreach events and mechanisms designed to strengthen cybersecurity understanding and mutual support both within Philippine society and within the larger international community.
Note that Table 1, on page 23 of the National Cybersecurity Plan 2022, lists multiple bullets indicating the respective responsibilities of various agencies.
While this is a good starting point, representatives from multiple Philippine sectors indicated during interviews that they did not believe the existing legal and administrative structures were able to address cybersecurity incidents adequately. It’s not clear whether their perceptions are accurate or if the problem may be a lack of understanding or incomplete communication about options available to them in a cyber emergency. Relatedly, Pierre Galla, of USAID’s BEACON activity, noted, “Currently, the law being referenced is primarily the Cybercrime Prevention Act. There is no ‘National Cybersecurity and Information Security Act’. There is also a poor understanding about the separations between cybercrime prevention and cybersecurity, and hence the poor organization currently.” In any case, a cybersecurity framework that provides enough contact and communication specifics to be actionable would likely change perceptions about the status of cybersecurity in the Philippines.
3 The Way Forward for Cybersecurity in the Philippines
As mentioned above, there are two tracks that should be implemented by the Philippines National Administration:
• Track 1—Incremental. The incremental recommendations are natural evolutions/extensions of existing cybersecurity activities and are considered low risk. These recommendations are designed to move the Philippines’ national cybersecurity posture forward in successive steps. This track includes four recommendations.
• Track 2—Jumpstart/Adaptive. The jumpstart/adaptive recommendations are designed to prime the pump for a more robust Philippine cybersecurity ecosystem. These recommendations move the Philippines forward by a leap that is more radical and therefore must also be adaptive. There are five major recommendations, with five key ecosystem actions assigned to the proposed Executive Agency for Cybersecurity.
3.1 Track 1—Incremental
The Incremental Track will have a strong impact on the cybersecurity awareness culture and can also improve gender demographics. Track 1 recommendations are summarized in Figure 3.1-2 and described further below:
Figure 3.1-2: Track 1 Incremental. Labels in the figure: Encourage Cyber Awareness at all Levels; Ensure Filipino citizens have the Right to Freeze their Credit; Ensure that the Philippine government, Especially the DICT, is Staffed by Competent Cybersecurity Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden ICT Infrastructure in the Near Future; Move Towards Formal Adoption of a Cyber “Common Consistent Lexicon” such as that offered by the US NIST NICE Framework; Philippines’ Current Job Market and Government Cyber Position Descriptions; Philippines’ Current Cyber Laws; DICT’s Current Staffing Level; DICT’s Current Charter.
1. Encourage Cyber Awareness at All Levels
Encouraging tech as a career choice—among children: “The idea of tech as a career choice for women must be seeded early, even starting from the toys they play with,” said Mr. Wong Wai Meng, Chairman of SGTech (Singapore). (Ref. 31)
Encouraging cyber awareness—among kindergarten to 12th grade: “Apart from educating parents, Ms. Caposell [of the U.S. Cybersecurity and Infrastructure Agency (CISA)] advocates building into the K-12 curriculum tools and resources for children to be more aware of how to use technology. This early exposure will help parents talk to their children about keeping safe in cyberspace. Equally important, it can inspire young girls early on to explore careers in infosec, thereby building a pipeline of talent to grow into the workforce.” (Ref. 01)
Encouraging cyber awareness among all educational institutions: As recommended by Angel S. Averia, Jr., et al., “Develop a cybersecurity culture by raising awareness, supporting training and capacity building for cybersecurity talent, and instilling cybersecurity as a way of life through educational institutions.” (Ref. 07)
Encouraging cyber awareness among employees: As offered by the authors of the Fortinet Global Survey: “Even though the recruitment, retention, and certification of a cybersecurity team is vital, companies cannot realistically protect themselves until they also raise the cyber awareness of all employees. That requires ensuring that all employees, at all levels and all roles within the organization, have the knowledge and awareness to protect themselves and their organization’s data. Until they do, breaches will always be likely. Asian (56 percent) leaders feel employees lack the necessary awareness. Worryingly, federal governments (69 percent) and state-level government organizations (61 percent) feel the same way. Interestingly, local and state government organizations (28 percent) and media organizations (25 percent) are the most likely to not have cybersecurity awareness programs in place.” (Ref. 15, our emphasis in bold)
A national cyber-awareness campaign can include any of the following:
• Straightforward reading materials, such as offered by the Bank Marketing Association of the Philippines (BMAP) “Fight Fraud Together Campaign.” (See Ref. 10)
• Engaging drama, as in a short five-minute film on YouTube. (See Ref. 48)
• Using available cyber awareness games, such as Targeted Attack, Cybersecurity Lab, Cyber Awareness Challenge, Keep Tradition Secure, Zero Threat, and Game of Threats. (Ref. 16)
• Using university computer science students to create games. A U.S. university—Texas A&M—creates a campus-wide security game each year. (Ref. 17) Philippine universities could implement the same process as part of a class exercise and/or as part of a national competition.
Stakeholders and Actions: Cyber Awareness at All Levels (whole of nation approach)
• Stakeholders: Government (education): DepEd, TESDA, CHED (supported by DICT mandate). Action: Implement age-appropriate cyber content in curricula.
• Stakeholders: Government (workforce): DOLE, DTI (supported by DICT mandate). Action: Promote in the private sector cyber content appropriate to informal sector, blue collar, and white-collar workers, and cyber content appropriate to MSMEs and larger enterprises.
2. Ensure that the Philippine government, Especially the DICT, is Staffed by Competent Cybersecurity Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden ICT Infrastructure in the Near Future
The DICT charter, per their National Cybersecurity Plan 2022—AN UPDATE, has four key imperatives: Protection of Critical Infrastructures, Protection of Government, Protection of Businesses and Supply Chains, and Protection of Individuals. (Ref. 11) These imperatives are essential to a national cybersecurity plan. In addition, the original DICT National Cybersecurity Plan 2022 shows the following four mission objectives for DICT:
1. To systematically and methodically harden the Critical Information Infrastructure (CII) for resiliency.
2. To prepare and secure government “infostructure”.
3. To raise awareness in the business sector on cyber risk and use of security measures among businesses to prevent and protect, respond and recover from attacks.
4. To raise awareness of individuals on cyber risks among users as they are the weakest links, they need to adopt the right norms in cybersecurity. (Ref. 21)
These mission objectives are excellent in light of international norms and trends in cybersecurity. And on the positive side, DICT appears to be staffed for mission objective #4 “To raise awareness of individuals….”; and is perhaps staffed for objective #3 “To raise awareness in the business sector….”.
However, given the previously referenced high-profile data breaches and the fact that the National Cybersecurity Plan 2022 identified an incomplete cybersecurity framework, DICT does not appear to be adequately staffed or funded for two of their critical mission objectives: “To systematically and methodically harden the CII for resiliency” and “To prepare and secure government infostructure.”
The Marcos administration should consider examining closely the staffing and funding of DICT—and increase that staffing and funding as required to meet mission objectives.
Identifying Solutions and Funds/Staffing to Provide Them
Existing gaps in the DICT’s desired end state for Philippines’ cybersecurity are evident in this statement from former Assistant Secretary Allan Cabanlong (Cybersecurity and Enabling Technologies, DICT). He offered this mission statement: “DICT will enforce, evaluate, and constantly monitor … cybersecurity policies through regular assessment and compliance activities, … annual cyber drills and exercises, and cybersecurity awareness and education programs.” (Ref. 21)
Interviews conducted by the IBM team indicate that significant annual drills and assessments are not in progress; likewise, “constant monitoring”—the definition of which is subject to debate—is not in place to an extent that anticipates (or avoids) major data breaches (COMELEAK) or embarrassing “Philippines’-internal” conflicts such as those covered by CNN in 2021 (See https://www.cnnphilippines.com/news/2021/9/24/Philippine-Army-cyber-attack-media-Bulatlat-Altermidya.html for the article).
The intentions of the statement by the former Assistant Secretary seem laudable. That is, enforcement, evaluation, and continuous monitoring of cyber policies are essential. Regular assessment/audit and compliance activities are vital as well. Annual cyber drills and exercises, if more substantial than desktop or paper drills, can have an excellent positive effect. The same can be said regarding robust cybersecurity awareness and education programs.
The IBM team notes that the Marcos administration should consider examining closely the staffing and funding of DICT—and increase that staffing and funding as required to meet mission objectives.
More to the point, interviews conducted by the IBM team indicate that foundational planning steps, such as delineating clearly which government/military/NGO organization holds responsibility for which aspects of the Cybersecurity Framework (as depicted in Figure Y of DICT’s National Cybersecurity Plan 2022), are not yet in place. In short, accurate estimates of actual funding and staffing shortfalls are themselves dependent upon clearly delineated inter-governmental responsibilities. These can, and should, be refined in the regular cybersecurity consortium meetings recommended within this report.
Lastly, a benchmark analysis was attempted to examine “Budget, Billets, Bodies, and Training”, which noted that the U.S. equivalent of DICT is the CISA. The benchmarks as provided by the U.S. CISA are as follows:
• Budget: $3.16 billion
• Billets (Bodies plus unmanned positions): Unknown—the information is not publicly available
• Bodies: 2,500
• Training: positions appear to conform to DoD 8570, which requires specified professional cyber certifications based on the position’s role (Ref. 34)
For further discussion on this type of benchmark analysis, please see this report’s Section 4, “Recommended Areas for Further Research and Analysis”.
Adequate Budgets are Necessary. As stated by Angel S. Averia, Jr., et al., “Cybersecurity programs must also be given the necessary budget to purchase technology solutions and, more importantly, to continuously train people and build the capacity of the institution to identify, respond, and prevent cyber incidents.” (Ref. 07)
Again, the Marcos administration should consider examining closely the staffing and funding of DICT and increase that staffing and funding as required to meet mission objectives.
Stakeholders and Actions: Ensure that the Philippine Government, Especially the DICT, is Staffed by Competent Cybersecurity Personnel and Cybersecurity Initiatives are Sufficiently Funded to Harden ICT Infrastructure in the Near Future (whole of nation approach)
• Stakeholders: Government (education): DepEd (supported by DICT mandate). Suggested actions: Encourage primary education learners to enter STEM tracks.
• Stakeholders: Government (education): TESDA (supported by DICT mandate). Suggested actions: Develop TVET certifications related to cybersecurity; establish Centers of Excellence like U.S. National Centers of Academic Excellence in Cybersecurity (NCAE-C) program (discussed in IBM paper).
• Stakeholders: Government (education): CHED (supported by DICT mandate). Suggested actions: Establish BS and higher education courses related to cybersecurity; establish Centers of Excellence similar to U.S. National Centers of Academic Excellence in Cybersecurity (NCAE-C) program (discussed in IBM paper).
• Stakeholders: Government (public sector workforce): CSC (supported by DICT mandate). Suggested actions: Develop for the Philippines civil service job descriptions and salary grades for cyber jobs in the Philippine bureaucracy.
• Stakeholders: Government (public sector workforce): DBM. Suggested actions: Update the Organizational Structure and Staffing Plans (OSSPs) of the government bureaucracy to include the appropriate cyber jobs.
• Stakeholders: Government (private sector workforce): DTI (supported by DICT mandate). Suggested actions: Encourage growth of ICT sector enterprises, thereby inducing greater demand for cybersecurity professionals; encourage growth of ICT training companies, including cybersecurity training companies (no need to incentivize, but costs of certification should be encouraged to be reduced).
3. Move Towards Formal Adoption of a Cyber “Common Consistent Lexicon” such as that offered by the U.S. NIST NICE Framework.
The U.S. National Institute of Standards and Technology (NIST) offers a lexicon for cybersecurity within its NIST Special Publication 800-181 Revision 1 Workforce Framework for Cybersecurity (NICE Framework) document. This lexicon is intended to help students, job seekers, and employees, and to improve communication. The following key statements from the NICE Framework summarize the Framework’s intent:
“[The NICE Framework] expresses … work as Task statements and describes Knowledge and Skill statements that provide a foundation for learners including students, job seekers, and employees. The use of these statements helps students to develop skills, job seekers to demonstrate competencies, and employees to accomplish tasks. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent.” (Ref. 22)
Consider the Operational Technology Cybersecurity Competency Framework (OTCCF) developed by CSA Singapore as a first step. Appendix D further explores why the Singapore model may be a more moderate and successful initial lexicon for implementation by the Philippine government agencies.
See Figure 3.1-1 for an example of how NIST incorporates tasks, knowledge, and skills as building blocks within their approach to creating cyber security frameworks. NIST’s standardized approach, incorporated openly and collaboratively within organizations, can lead to standardization of language and lexicon that facilitate effective and efficient communication.
Figure 3.1-1: NIST’s Approach to Security Frameworks
Stakeholders and Actions: Move Towards Formal Adoption of a Cyber “Common Consistent Lexicon” such as that offered by the U.S. NIST NICE Framework
• Stakeholders: Government (interim standards): Office of the President. Suggested actions: Transitional—as a stopgap measure, the Office of the President could issue an Executive Order (EO) mandating the adoption of minimum cybersecurity and information security standards, amending and expanding the purpose/the standards set by AO 39 s. 2013 (Government Web Hosting Standards).
4. Ensure Filipino citizens have the Right to Freeze their Credit
In order to greatly reduce the chance of financial credit fraud and identity theft, the Philippine government could also ensure that a free credit freeze is in place for all citizens, which may require an Executive Order or legislation to be passed. As stated by CBC News, “A credit freeze locks your credit report with TransUnion and Equifax—no one, including fraudsters, can access your credit unless you unfreeze it.” (Ref. 49) [For a video presentation on the effectiveness of credit monitoring vs. credit freezes, which shows the difference between the lack of Canadian credit freeze laws and the effectiveness of the U.S. credit freeze laws, see Ref. 49, minute 13:13 and onward.]
Stakeholders and Actions: Ensure Philippine Citizens have the Right to Freeze their Credit
• Stakeholders: Nongovernment organization: The Credit Information Corporation. Suggested actions: The Credit Information Corporation has implied powers under its mandate created by RA 9510 (Credit Information System Act) to implement this recommendation, backstopped by the broad powers of the Bangko Sentral ng Pilipinas by way of Bangko Sentral ng Pilipinas issuances to this effect.
3.2 Track 2—Jumpstart/Adaptive
As stated earlier in this report, Track 1 is needed and helpful—however, Track 1 takes years to successfully implement. And, years equals risk within the rapidly evolving world of cybersecurity. The following risks apply if only Track 1 is implemented:
Risk 1—75 percent of the $23 billion Philippine BPO industry may soon be jeopardized.
Without a jumpstart for the Philippine cyber ecosystem, there is a high business risk to the Philippines economy, especially to the BPO sector. As stated by Angel S. Averia, Jr., et al., 75 percent of the $23 billion USD Philippine BPO industry caters to the United States (Morales and Lima, 2016). (Ref. 07, our emphasis in bold)
The rationale for the increase in risk is that states within the United States are passing GDPR-like laws. (Ref. 51) And, the GDPR has a strong emphasis on fining violators:
• Euro 225 million fine given to WhatsApp Ireland (September 2021)
• Euro 746 million fine given to Amazon Europe (June 2021)
• Euro 60 million fine given to Google France (December 2020) (Ref. 52)
It is likely only a matter of time before the United States follows the GDPR example, and ultimately, violations followed by large fines will cause U.S. businesses to shift to the most cyber-secure BPO nations/suppliers. The Philippines will almost certainly benefit by being proactive and not reactive. As stated by Averia, Jr., et al., “The Philippine government has to actively play a part in enforcing ... assurances that data and the transmission of such are safe in the Philippines.” (Ref. 07)
Former National Security Advisor and National Security Council Director General Hermogenes Esperon, Jr. states, “Ensuring that cybersecurity is in place and addressed by the Philippine government also has implications on our economic security. Other governments and businesses would have more confidence in our processes, businesses, and government if we have more robust and responsive cybersecurity.” (Ref. 21)
Within the Rapidly Evolving World of Cybersecurity: Years to Implement = Risk
Risk 2—If cyber staff shortages continue within the Philippines, then real—not hypothetical—negative cyber consequences will result.
The authors of the global 2021 (ISC)² Cybersecurity Workforce Study stated, “Staff shortages have real-life, real-world consequences. What are the benefits of bridging the workforce gap? Would we really be more secure if we eliminated the gap? To find out, we asked participants, for the first time, to share what negative impacts their organizations have experienced because of their own cybersecurity workforce shortages.”
“The 2021 study confirms, from the perspective of the global cybersecurity workforce, that when cybersecurity staff is stretched thin, the negative consequences are real:
• Misconfigured systems (32 percent);
• Slow patch cycles (29 percent);
• Rushed deployments (27 percent);
• Not enough time for proper risk assessment (30 percent);
• Not enough oversight of processes and procedures (28 percent)….
“The list of issues cybersecurity professionals say can be prevented with enough people covers many root causes of reported data breaches and ransomware attacks.” (Ref. 19, our emphasis in bold)
If Only Track 1 Is Implemented, Then There Are Risks:
1. 75 percent of the $23 billion Philippine BPO industry may soon be jeopardized.
2. If cyber staff shortages continue within the Philippines, then real—not hypothetical—negative cyber consequences will result.
What are some of the positives of implementing Track 2 via an Ecosystem View?
Positive Result 1. An ecosystem view allows us to ask questions above-and-beyond compliance.
An ecosystem view allows us to question how to make an environment:
• That is conducive to desired growth (incentives);
• That will reduce unwanted competitors;
• That will protect the product (which, in this case, is data) and human life; and
• That will provide inputs/outputs/feedback loops for adaptation.
The ecosystem view is above-and-beyond a classic view of government which focuses on laws and compliance.
Classic View: 1. The focus is on Laws and Compliance.
Ecosystem View: 1. Can also focus on desired growth, competitors, protections, and inputs/outputs/feedback loops for adaptation.
Positive Result 2. An ecosystem view allows the use of positive levers to manipulate the environment.
Ecosystem view of positive levers:
• Incentives that will encourage businesses to make changes that are conducive to growth;
• Grants and recognition that will encourage academia to update curriculum; and
• Scholarships that will encourage student investment in their education.
The ecosystem view is above-and-beyond a classic view that noncompliance must be met by punishment/fines.
The jumpstart/adaptive recommendations are designed to “prime the pump” for a more robust Philippine cybersecurity ecosystem. These recommendations move the Philippines forward by a “leap” that is more radical and therefore must also be adaptive. There are five major recommendations, with five key ecosystem actions assigned to the proposed Executive Agency for Cybersecurity, which are discussed in the following sections.
Classic View: 1. Noncompliance must be met by punishment or fines.
Ecosystem View: 1. Noncompliance can also be met with incentives: tax incentives, grants, scholarships, etc.
3.3 Major Recommendation 1 of 5: Appoint an Executive Agency for Cybersecurity. This agency will be the nexus for the Philippines cyber ecosystem.
The current DICT is limited by its emphasis/charter, which shows four key imperatives: Protection of Critical Infrastructures, Protection of Government, Protection of Businesses and Supply Chains, and Protection of Individuals. (Ref. 11) All four of these imperatives are necessary and beneficial. However, jumpstarting the Philippine cyber ecosystem depends upon an Executive Agency that is staffed and funded for ecosystem actions that are above and beyond the DICT charter’s emphasis of protection. Therefore, it is recommended that an Executive Agency for Cybersecurity be created.
It is understood that, as an example, the Philippine Government has an executive agency for data privacy, the National Privacy Commission, formed by RA 10173. It is further understood that a similar nexus for competition/antitrust is the Philippine Competition Commission, formed by RA 10667. An Executive Agency can be given sufficiently broad scope and powers, in order to accomplish its mission.
The Executive Agency should implement the following ecosystem actions:
1. Review and Right-size Current Cyber Laws.
• Use tax incentives to create cyber apprentice programs within Philippine industries.
• Provide grants to create cybersecurity COE.
• Provide vouchers for examinations.
• Provide after-the-fact 50 percent scholarships to COE graduates that pass selected cyber/privacy examinations; and regulate cost of training.
Additionally, the recommended Executive Agency for Cybersecurity should chair the National Cybersecurity Consortium that will improve and adapt these recommendations every quarter (every three months). The five ecosystem actions of Track 2 are shown in Figure 3.3-1 with the major input lines, processes, output lines, and feedback lines.