In today’s hyperconnected world, innovation thrives alongside a constant threat: cybercrime. As Chief Information Security Officer (CISO) at ASUS, I navigate this invisible battlefield, protecting our business and our users from ever-evolving digital threats.
From innovation to responsibility: the double-edged sword of technology
The history of technology is both a story of progress and vulnerability. From the dawn of the mainframe to the ubiquity of the internet, each advancement has paved the way for cybercriminals. Today, with more than 450,000 new malware and potentially unwanted applications (PUAs) emerging every day, according to AV-TEST Institute, robust security is no longer a luxury but a necessity.
At ASUS, security is paramount
At ASUS, innovation is in our DNA. We have pioneered a wide range of products and solutions, and now we are embracing AI to revolutionize our products. However, this drive for progress is balanced by a deep commitment to responsible AI use and data security.
At ASUS, each business unit carefully evaluates how to leverage AI while maintaining the highest security and privacy standards. We provide our teams with comprehensive training and guidelines to mitigate risks, ensuring the security of our data and our customers’ information.
Cybersecurity also plays a critical role in our ESG framework. Companies are increasingly required by ESG regulations to disclose their efforts to improve the security of their products and services. That’s why our ESG 2035 strategy prioritizes strengthening the security of our supply chain. ASUS also continues to promote ISO/IEC 27001 Information Security Management Systems (ISMS) to comply with international standards. In addition, we comply with the European Union’s GDPR to ensure that the collection, processing, and use of personal data are compliant.
At the same time, ASUS has integrated existing internal resources to facilitate communication and collaboration across departments and functions. Our vision is: “Building digital resilience, strengthening brand trust: pursuing excellence with security in mind.”
The Digital Security Center: our cyber defense hub
Two years ago, we established the ASUS Digital Security Center. This dedicated team addresses both internal and external threats, fostering a culture of security by design. We focus on product security across all devices and work closely with industry leaders like Microsoft.
Our approach is proactive. During our monthly meetings with management, we evaluate how we handle security incidents. This involves detecting, analyzing, responding to, and recovering from security issues to reduce their impact and prevent future problems. We also talk about “DevSecOps” (Development Security Operations), which involves integrating security into the design of the product, often called shift-left design. This approach encourages security consideration, testing, and validation early in development, before mass production, to save effort and resolve issues earlier.
The Center also ensures that security is fully integrated into our product design process so that we can prevent vulnerabilities before products reach customers. This effort involves integrating features such as fingerprinting technology and conducting rigorous security audits.
I also established our Information Security Committee, which reports directly to the CEO and includes senior executives and heads of each business unit. Monthly meetings ensure that new products and solutions have robust security measures in place, minimizing vulnerabilities. This collaborative approach extends beyond ASUS.
ASUS also spearheaded the establishment of the High-Tech Information Security Alliance, which brings together ten leading Taiwanese high-tech companies, fostering collaboration and knowledge sharing to strengthen the industry’s collective cyber defenses.
Beyond ASUS Walls: Securing the Entire Ecosystem
My team’s mission is to ensure the security of ASUS offices in eighty countries, and it also includes our supply chain. It’s important to secure the areas directly related to our business, but current security issues require us to take a much broader view. Indeed, it’s quite common that if hackers can’t penetrate our direct systems, they will then try to target our supply chain, for example. We’ve had issues in this area in the past and we’re constantly working to improve the security of our suppliers to create a more secure supply chain, which is essential for overall resilience. This philosophy also applies to our subsidiaries.
The SolarWinds incident two years ago highlighted the importance of supply chain security. Russian hackers infiltrated the company, which supplied software to the U.S. government, and quietly stole information for years. The incident had significant consequences, including a 30% drop in its stock price and a $26 million settlement with shareholders. In addition, the U.S. Securities and Exchange Commission (SEC) sued the company for alleged failure to meet its product and corporate security obligations.
Regarding our partners, Microsoft has recently experienced several cybersecurity incidents, such as the M365 email issues and vulnerabilities in some of its products. We regularly receive notifications from Microsoft called “Patch Tuesday.” This is a monthly event where Microsoft sends official notifications to all its customers worldwide detailing vulnerabilities and bugs in its products, categorized by industry standards. Microsoft can address eighty to ninety issues each month in these announcements. This is a huge challenge and a headache for any CEO or CISO.
The Human Element: Why User Training Matters
Often overlooked, human error is a major factor in cybersecurity breaches. According to a joint study by Stanford University and Tessian, employee errors are responsible for a large portion of data breach incidents. For example, 52% of people clicked on a phishing email because it appeared to come from a senior executive in the company.
In fact, many security issues are due to simple configuration errors that leave devices vulnerable. Just like in the early days of complex consumer electronics, many users struggle to properly configure their devices and services, inadvertently leaving them exposed. These issues are especially relevant now as we enter the era of AI PCs.
At ASUS, we address these challenges with comprehensive training programs. New employees complete cybersecurity training within three months of joining, and annual refresher courses ensure that all employees have the knowledge needed to protect sensitive data. Phishing simulations and social engineering exercises further reinforce awareness, emphasizing that cybersecurity is a shared responsibility.
The Future of Cybersecurity: A Collective Effort
Cybersecurity is an ongoing battle that requires constant vigilance and collaboration. By prioritizing security by design, encouraging user training, and building strong industry alliances, we can create a safer digital future for all.
Learn more about ASUS’ commitment to ESG and information security:
https://esg.asus.com/en/philosophy/corporate-governance/information-security-management
Robert Chin
Chief Information Security Officer (CISO) at ASUS