Zero Trust

Insights into zero trust implementation and business value

Aug 28, 2024
Executive Connect Live - ASEAN

I recently sat down with Ian Tan, chief transformation officer and head of infrastructure and operations at Philippines-based SM Prime Holdings, one of the leading integrated property developers in Southeast Asia, to talk about the company’s use of zero trust to address cybersecurity and IT governance challenges. 

One of the biggest challenges SM Prime faces is ensuring uniformity in the company's threat intelligence, incident response, and data compliance across all operations. “Governance plays a critical part in this,” Tan said. “It’s not just about watching what’s happening internally, but also about assessing and monitoring the security posture of our vendors and partners. We need to maintain consistency in how we manage data access permissions, and that involves a lot of moving parts: identity management, protection, detection, response, and recovery.”

Tan’s approach to governance is methodical. He spoke of the importance of frameworks that encompass everything from identity protection to automated incident response, along with playbooks to maintain consistency and quality control. Tan collects every piece of data at every control point within any given environment so it can be analyzed and orchestrated in real time in a single-pane-of-glass management system. This not only provides visibility, it also helps his organization maintain a consistent security posture and allows for more effective incident management. 

Zero trust: A pivotal shift in security thinking

Central to SM Prime’s cybersecurity strategy is zero trust—an approach that’s gaining significant traction in the region. 

Tan noted SM Prime’s zero trust journey begins with the end user—the ultimate customer. “Visibility into the end-user experience is crucial,” he said. “Access to resources must be consistent, no matter where the user is located. And while access control seems deceptively simple, there’s more to it than meets the eye. It involves connecting to specific apps, enforcing policy, evaluating security risks, and verifying the who, what, and where of the origination point of connectivity.” 

Tan said that it’s not just about detecting security issues, but about using technology to understand the business better and serve it more effectively. “Our zero trust dashboard tells us everything. We can get a complete view of our security posture, across the cloud and down to every device. This is truly a modern IT superpower!” 

The organization deployed its zero trust framework more than two years ago: “It started with an evaluation of our current infrastructure—both server and network policies,” Tan said. “But we went beyond the technology. We also partnered closely with our human resources team to communicate the transformation effectively. Introducing new technology isn’t an overnight process. It requires careful planning, training, and a lot of collaboration.”

Tan’s focus on bringing together people, process, and technology was refreshing. Too often, IT transformations are seen as purely technical endeavors, but Tan recognizes the importance of bringing the entire organization along for the ride. “Even a one-page infographic can go a long way in helping people understand what’s changing and why,” he added.

Including business value analysis

Tan and his team conducted a Business Value Analysis (BVA) exercise as part of their zero trust deployment. “Most of the time, IT executives focus on the architecture and infrastructure,” Tan said. “But we often overlook the financial impact of downtime or inefficiencies. The BVA exercise puts a dollar sign on things like an hour of downtime or the time it takes to recover from a security incident.”

Tan’s approach to BVA wasn’t just for the purpose of measuring cost savings; it was also to understand the financial impact of doing nothing. “What’s the cost of perpetuating legacy technologies and security constructs?” he asked rhetorically. “What’s the risk if we don’t evolve?” It’s a question that resonates with many leaders in the technology space. The cost of inaction can be devastating, both financially and operationally. 

Breaking down silos: Align IT, security, and business units

Tan explained how he addressed silos within his organization, especially when striving to align IT, security, and user computing. “There’s no one-size-fits-all approach for all business units,” Tan said. “It starts with understanding the business context and the complexity of each business stream.” 

He explained that, by categorizing different business units based on their revenue and risk levels, his team was able to prioritize their efforts more effectively. “We had to redefine processes and enforce new fine-grained access policies because the old ones just didn’t work anymore,” he said. “We partner with people, understand the business, and then introduce technology in a way that speeds up time to market.”

Leaders like Tan play a huge role in shaping the future of cybersecurity and IT governance—not just in Asia, but all over the world. It goes beyond simply keeping the lights on: it’s about driving innovation, ensuring business continuity, and, ultimately, enabling organizations to thrive in our complex digital world.

Watch the full conversation.
