Interview with Lee Chin Hon, Faculty Member of the IERP
Cornerstones of Cybersecurity
It looked like Lee Chin Hon was all set for an accounting career, with a first degree in Accounting & Finance, and a second, a Bachelor of Commerce with Honours, also in Accounting & Finance. In fact, from the middle of the 1990s, his educational focus was on little else and culminated, in 2003, in membership with Chartered Accountants Australia & New Zealand (CA ANZ). Somewhere along the way, his interest in cybersecurity was sparked. In his early school days, he had an interest in computing and took programming language classes in Primary School. At that time, the programming language he picked up was GW-BASIC.
At university, his Accounting lecturer saw his potential and encouraged him to pursue the area related to IT. Hence, his first professional job was as an IT Auditor with Arthur Andersen, one of the Big Five, at that time.
“In the early days we didn’t have ‘cyber’ – it was considered a part of IT audit,” Lee said, adding that he decided to leave the auditing line because he wanted to try his hand in the commercial world. In one company that he worked with, he took up various roles: in finance, data analytics and helping his firm on a data migration project, among others. His experience in areas other than cyber helped to boost his career as well, and enrich his professional qualifications, allowing him to link the “cyber” to other key critical functions of the business processes. “There’s really a blurred line between cyber and IT audit,” he continued. “With cyber, it’s about ‘getting out from the doors’ – systems connect to the outside world. In principle, it doesn’t differ much from an IT audit – just that the coverage is wider and involves additional technologies.”
Certain methods applied during external auditing turned out to be precursors to cybersecurity, he found. Now, after more than two decades in the corporate world, he finds all things cyber have become second nature. An accredited trainer, he conducts training for the Information Systems Audit and Control Association (ISACA), as a member of the local chapter. These sessions are primarily for people who are looking for certification in the field. His interest in (and affinity for) cybersecurity was an element in all his positions from the outset of his career, although this was not viewed as developing cybersecurity per se for the various firms. In addition, Lee is also a faculty member at the International Institute of Enterprise Risk Practitioners (IERP®) where he instructs on Cybersecurity Risk Management and cybersecurity frameworks for professionals seeking knowledge and certification in all areas of risk management.
Lee credits a friend from university for his first hands-on IT project: setting up a system for a charity organisation, as a favour. It was an opportunity, he said, that sparked even more interest in IT, and gave rise to subsequent opportunities in the field. He began to realise that his qualifications in accounting and finance were a boon because they allowed him to explain the finer points of both finance and IT to others, when it came to reconciling technical and operational aspects of the organisations he worked in. In many instances, matters were not clear-cut, and needed clarification before implementation.
“Theory is a foundation,” he remarked. “You can learn everything from books but experience makes things stand out.” Experience is also necessary when it comes to knowing what will work for the organisation, and what won’t. Lee conceded that not all processes and procedures, even when they have been enhanced, will perform as intended. “The world of cybersecurity is very dynamic,” he cautioned. “The way we do things today will (need to) be different tomorrow. We need to secure things because the cyber world is always changing. We need to keep up to date as cyber professionals.” Hence, he believes in continuous learning, as evidenced by the various professional qualifications that he currently holds.
Governance, too, needs to evolve in tandem with the increasing sophistication of the cyber world. This was particularly important in the light of crafting strategies and policies. “When you craft strategy and policy, you need to put more succinct and useful recommendations forward because certain measures will not be suitable,” he said. The more informed and knowledgeable cybersecurity professionals are, the more useful recommendations they will be able to make. He pointed out the need to understand existing strategies and resources, including the organisation’s systems, hardware and software (and the talent required to run them), to add value.
Understanding cybersecurity is really a lifelong learning process, he said, but it also depends on what level the user wants. In response to a question on whether boards should have an above-average understanding of the firm’s cyber operations and cybersecurity needs, he stressed that understanding the basics is essential because of the high level of dependency on technology. Technology is evolving and becoming more and more interconnected. As an example, the Internet of Things is enabling lifestyle improvements by allowing different, formerly “dumb” appliances to “talk” to each other. “We can already see the potential of a refrigerator, which, connected to an integrated system, can ascertain if certain supplies need replenishing, and make online orders to keep stocks at desired levels,” he said. “Understanding basic cybersecurity has become as essential as knowing our ABCs.”
But there are certain risks that come with higher levels of IT use and integration. Directors thus need to be aware of the risks associated with these, and what mitigating measures need to be in place. He cited the central bank regulations that require at least one member of the board of directors to be technically well-versed in IT, but stressed that with growing interconnectivity and levels of cybersecurity sophistication, the more members know about cybersecurity, the better. As a faculty member of the IERP and a specialist in data protection and cybersecurity, he admits that one thing which keeps him up at night is the growing number of hacking attempts, data breaches and online fraud.
Even more worrying is their increasing sophistication, with fraudsters now incorporating psychological manipulation and elements of social engineering in their phishing attempts. It has come to the point, he said, where even just clicking on a link may be the precursor to a cyber-attack. Conceding that certain things are not blocked by the systems in place, he said attachments can be potentially dangerous, as malicious programs embedded in innocent-looking e-mails might go undetected by virus detection software. These, he said, are capable of opening back doors into systems. But with the volume of messages received every day through various channels, how can these be avoided?
Lee recommends scepticism. “You need to be sceptical of everything, all the time,” he emphasised, adding that with the pandemic, more people were working from home, where security was not as stringent as the office environment. He urged firms to “invest in awareness” besides having secure passwords, and increased wariness of WiFi. “Routers should be secure,” he advised, adding that the firewalls for these should be up-to-date. “Check the physical environment for security, and if you have small cloud storage, this needs to be secured as well.” Organisations, he said, should do their due diligence when establishing appropriate policies, processes and procedures.
He also advised against buying software merely on trends or because “everyone is owning one too.” Raising awareness is important. As an example, he cited the growing number of users who were now accessing helpdesk facilities because they recognised something amiss with their systems. This is the outcome of what they have learned from awareness programs. “Whether you are new or just starting (to look into cybersecurity), you need to have the appropriate level of awareness to help people recognise problems, cyberattacks or systems breaches,” he said. “Do the foundation first. Make sure this is good. The level of awareness of the firm needs to be good.”