CISO SIG
Article from CISO SIG
Introducing a CISO with a deep interest in cybersecurity
Eugene Teo is the Chief Security Advisor at Microsoft ASEAN. As a seasoned CISO, he provides
strategic guidance and thought leadership, serving as a trusted advisor to CXOs and Board directors
on cybersecurity governance and strategy, data protection and digital resilience. He also serves as
the Data Protection Officer (DPO) for Microsoft Singapore.
Eugene brings more than two decades of experience in digital and cybersecurity, having dedicated much
of his career helping US companies establish and grow their Asia Pacific cybersecurity capabilities in
Singapore. Before joining Microsoft, Eugene was Vice President of Security and Deputy Chief Security
Officer at UKG (formerly Ultimate Software) and also served as a Subsidiary Board Director for its Singapore
entity. His earlier roles include security leadership positions at Symantec Security Response and Red Hat Product Security.
Beyond his professional role, Eugene serves as the Co-Chair of the Singapore Chapter at the FAIR Institute and is a Co-opted
Committee Member of the Cybersecurity Chapter at the Singapore Computer Society (SCS). His involvement in the security community
began in the early 2000s as a founding executive committee member of SIG^2 (Special Interest Group in Security and Information InteGrity).
Eugene is an Accredited Director with the Singapore Institute of Directors (SID) and a Boardroom Certified Qualified Technology Expert (QTE).
Eugene holds bachelor's and master’s degrees in computing from the National University of Singapore (NUS), along with industry-recognized
certifications including CISM, CRISC, CIPM, CIPP/E and Open FAIR 2 Foundation. He is featured in the book Tribe of Hackers Security Leaders:
Tribal Knowledge from the Best in Cybersecurity Leadership. Eugene has spoken at security conferences including DEF CON’s AI Village and Black
Hat Asia’s AI Summit, served on advisory and review boards, and regularly advises technology startups.
What brought you to the Cybersecurity industry?
My early exposure to Unix during my pre-university days ignited a strong passion for Linux and open source development. I often found myself more
immersed in exploring system internals and contributing to the open source community than focusing on my coursework. Thankfully, I still performed
well academically, and this passion led to opportunities with several startups during the dot-com days, where I was able to apply and further hone
my technical skills.
My first significant encounter with a computer security incident came during the ILOVEYOU virus outbreak. It was a VBScript-based worm that propagated
itself through emails and caused widespread disruption at the startup I was working with. That experience was a pivotal moment when I realised I could
combine my Unix/Linux background with a deeper understanding of computer security to carve out a distinctive and valuable niche in the field.
What were your defining moments in this industry, and factors or guidance that helped you achieve them?
Let me share another defining moment that shaped my career.
I had a fulfilling career at Red Hat, where I led the global Cloud Business Unit’s product security team. I also earned a place on the upstream Linux kernel
security team, becoming the only member from Asia at the time. I’m proud of the work we did to strengthen the security of numerous prominent open source projects,
particularly the Linux kernel.
Over time, however, I began to feel that my expertise was becoming too narrowly focused. I wanted to broaden my perspective and gain experience across other domains
of cybersecurity. Seeking new challenges, I took a leap of faith and joined Symantec. They took a chance on me, bringing me in as the founding leader to help build
and lead a new team supporting both global security response efforts and regional initiatives. I made my fair share of mistakes along the way, but each one taught me
valuable lessons and shaped me into a more well-rounded leader with a deeper understanding of business alignment and execution.
That role opened the door to my next opportunity at Ultimate Software (prior to its acquisition, merger, and rebranding as UKG), where I was tasked with establishing
the company’s first international office in Singapore. My initial mission was to build a Security Operations Centre (SOC) capable of monitoring, detecting, and responding
to cybersecurity threats and payment frauds. It was a true startup experience backed by a well-established, publicly listed company in the States. On my first day, we had
to find a serviced office just so I had a place to work. When I hired my second employee, a Korean, I even had to pay for his Employment Pass (EP) application with my
personal credit card. We did not have group insurance policies until our team reached a certain size. Those early days were my happiest and incredibly formative.
As the office grew, so did my responsibilities. I worked closely with legal, compliance, finance, HR, and other key stakeholders, not only on local operational matters,
but also to align our global security programme around protecting our company’s most critical business activities. When Ultimate Software was acquired by a private equity
firm, I gained valuable exposure to portfolio-level CISOs and board members. This gave me a much deeper appreciation for cybersecurity governance from the boardroom’s
perspective, and what it takes to mature a security programme at scale.
Looking back, had I not taken the leap from Red Hat to Symantec, I might never have gained the experience of building a regional team from the ground up, or later stepping into a global cybersecurity executive role.
What is it that you love most about your role?
At Microsoft, I have the privilege of working alongside some of the brightest minds in the industry. I joined the company at a pivotal time when we were, and continue to be,
focused on rebuilding customer trust following a couple of high-profile nation-state intrusions.
Witnessing firsthand how our CEO sets the tone at the top by prioritising security above all else, and making it clear that it is everyone’s responsibility, was impactful.
This is inspiring because not many CISOs have the privilege of seeing cybersecurity championed so strongly at the highest level of leadership.
I have seen how transformational changes were implemented across the company to strengthen our defences, reduce our attack surface, and minimise the likelihood of future
incidents. Many of the lessons and best practices we have developed internally have become valuable insights that I have had the opportunity to learn from, share with our
customers, and hopefully apply should I return to a CISO role in the future.
In my current role, I work closely with CISOs and CIOs across diverse industries, from highly regulated sectors and critical information infrastructure providers to
industries like real estate where security programmes tend to be less mature and more IT-driven. Drawing on my background as a former CISO, I help these leaders strengthen
their cybersecurity strategies and programmes. It is also a great opportunity to grow my local and regional network and stay connected to the evolving priorities across the cybersecurity landscape.
What are some of the trends you have seen in the market lately, and what do you think will emerge in the future?
There has been growing discussion around digital resilience, looking beyond just cybersecurity risks. How can organisations strengthen business continuity and ensure resilience against both cyber and
non-cyber disruptions? How can organisations build resilience into the critical services and workloads their business depends on? And importantly, how should companies prepare for scenarios where
access to commercial services is disrupted due to geopolitical events beyond their control?
Another top-of-mind topic is Agentic AI. How can organisations harness AI to automate business processes and enhance employee productivity? At the same time, how can they strike the right balance
between driving innovation through AI and managing the costs required to implement it effectively across the business?
There is a growing interest in learning to quantify cybersecurity risks using frameworks like Open FAIR (Factor Analysis of Information Risk). How can we explain cybersecurity in a language that
resonates with senior stakeholders? Should we continue to rely on 5x5 risk matrices, or is it time to express cybersecurity risks in terms of probable loss exposure in financial terms based on
specific cybersecurity risk scenarios that are relevant to the business context?
What do you think is the role of CISO?
The CISO role has evolved from a purely technical position to that of a strategic business leader, with a mandate that extends well beyond IT. Today’s CISO is not a gatekeeper who tells the business what it can or cannot do, but a partner who understands the business landscape. The CISO is there to support the business to conform with legal and regulatory requirements, meet strategic objectives and performance, and unlock new opportunities. The CISO’s mission is to protect critical business activities by implementing the necessary controls that are proportionate to the risks and aligned with the value they safeguard.
What can we do to encourage more people to join the cybersecurity sector?
There is no shortage of people looking to enter the cybersecurity field. It is important to join for the right reasons. You need to have the passion, the relentless drive to keep learning, and the adaptability and resilience to face evolving threats and challenges head-on. Cybersecurity is dynamic and demanding, and for those who are truly invested, it can be very rewarding.
What do you want to achieve or contribute to the Cybersecurity Ecosystem?
Boards have a timely opportunity to transform and strengthen how they govern digital and cybersecurity risks. Cybersecurity is now recognized as a critical business risk, amplified by the increasing number
of high-profile cyber incidents reported in mainstream media. Directors must go beyond surface-level awareness by asking the right questions, thoughtfully assessing and challenging the responses, and providing
meaningful oversight. The Cyber Resilience Guide for Boards in Singapore, published by SID, is a step in the right direction.
As an aspiring independent non-executive director (INED), I am seeking board opportunities with organisations that are open to adding directors with digital and cybersecurity expertise. I am also keen to contribute
by writing thought leadership articles and participating in discussions and sharing sessions to help directors strengthen their oversight of cybersecurity risks. At the same time, I continue to learn and broaden my
knowledge by exploring topics beyond cybersecurity, including ESG (Environmental, Social, and Governance).
Any advice for the Cybersecurity Professionals?
Building a strong technical foundation early in your career is essential. As you gain experience on the job, it is equally important to develop your soft skills, such as communication, presentation and critical thinking skills. Do not shy away from difficult or unfamiliar projects, as growth often comes from stepping outside your comfort zone.
Author Bio
Eugene Teo
Chief Security Advisor
Microsoft ASEAN