Managing Technology Risk (RMIT)

@ the IERP® Global Conference, August 2024

The views and opinions expressed in this article are solely those of the featured speakers and do not necessarily reflect the official view or stance of the IERP®. The content is provided for informational purposes only.

Discussing the management of technology risk were Julia Chin, Regulatory Affairs Officer of xcube, and James Thang, Group Chief Information Officer, UCSI. Chin established the criticality of data protection from the outset, remarking that there were numerous types of cybercrime, but some victims of hacking may not realise why their data is being targeted. Sometimes this could be for ransom, but there were also instances where hackers will not tell you, because they want to steal information and sell it on the Dark Web.

She said that this may have already happened, as the numerous unsolicited phone calls and e-mails we receive could be seen as one example of misappropriated, hacked or stolen information. Companies may not be aware of this, hence the need for increasing organisational resilience against cybercrime. But how can they do this? Surprisingly, Thang said, in Southeast Asia, Malaysia scores highly where cybersecurity is concerned, even topping Singapore. This could be due to better protection through more robust government policy, better education and greater awareness.

It could also be due to the availability of talent in Malaysia, in the form of Chief Information Security Officers, CISOs. “CISOs help organisations to benchmark cybersecurity,” Thang said, adding that the authorities’ regular announcements of how many people had fallen victim to online scams etc, also went a long way towards raising public awareness of the need for tighter cybersecurity. Thang urged risk professionals to create awareness in their organisations of the ways in which employees could be induced into illegally divulging information.

“UCSI has about 50,000 students, and each student carries at least two devices,” he said, as an example of the challenges of managing cybersecurity risk. “There needs to be training and awareness for all, at all levels.” The organisation needs to be able to manage network security, implement firewalls and respond to alerts and alarms, which may run into the hundreds of thousands every day. This is where AI tools may be applied, he said. UCSI’s servers are equipped with counter-attack tools to prevent suspicious elements from corrupting their systems. Proper design is crucial.

Opining that humans were simultaneously the weakest and strongest links where cybersecurity was concerned, Chin pointed out that one of the most effective – and dangerous – hacking methods is phishing. What should the focus of the organisation be, when it comes to managing these situations? Thang suggested having security controls in place to classify the data being downloaded. But again, he urged caution. “As an education institution, we encourage our students to explore AI,” he said. “But the tools that we build – we have to be careful about them, especially if we are applying AI.”

He constantly cautions students to be aware of and understand the tools they are using, as a preventive measure. His comprehensive explanation of systems and loopholes included methods of circumventing them, but the main takeaway was that systems need to be thoroughly tested for loopholes in order to identify and correct them, before proper policy could be applied, to prevent misuse or abuse. Thang also stressed that Bank Negara was very strict about compliance, and insisted on having qualified CROs, CIOs, CCOs and CISOs where required.

Chin agreed, adding that there was urgency in this matter because Bank Negara was mandated to protect consumers and maintain the economic stability of the country, hence its focus on protecting customer data, particularly that of the less trained or educated. To a question on how to manage systems that have been discontinued or become obsolete due to initial impulse buying or to keep up with trends, Thang acknowledged that hundreds of systems deployed throughout organisations become white elephants; there was no alternative but to keep them functional as long as possible.

Citing an example of what happened when a systems vendor pulled out while the system was still running, he said that the organisation could not stop the system because it was in operation, and the operations of the major subsidiary depended heavily on the system. “For every new system we implement, we have to make it work because we are the first line,” he said. “We had to do the minimum while waiting for (a) replacement…If it can continue to be developed by the team, then continuing may be the best option.” Users should understand and master vendors’ systems as well.

To another question on whether the cybersecurity officer (or CISO) should be placed in IT or the risk department, especially for smaller companies, Thang said that the CISO was a portfolio introduced by Bank Negara requirements. All financial institutions were required to have one, but the CISO role is a takeaway from that of the CIO or CTO. “The CISO most likely will report directly to the CEO or the board,” he said. “Many SMEs cannot afford to hire two persons for the roles.” But new cyber laws require documents to be validated by a CISO, so companies have started outsourcing audits to CISOs.

Chin agreed that CISO-as-a-service was already a trend in Singapore as there was not enough talent to go around. “In most situations, the engineer or CTO does not have a background in governance,” she said. “Basically the CISO is a very new function…so it’s really up to us to pick up tech information so that we can have those conversations with the tech people. We need to work together, not in siloes. Everything is moving so fast that we cannot afford to have people not talking to each other.” Risk professionals also need to be exposed to the kinds of technology being used today.

It is part of the risk manager’s responsibility to protect the company; they should work together with CIOs and CISOs. “Have regular reviews based on information scattered across the world,” she said. “Review how to safeguard information, (even) prevent blackmailing from what is published on the web, as this could affect reputations. As a risk manager, it is not fully your responsibility (but) you have to work with other departments to safeguard the company.” Laws pertaining to cybersecurity were also being strengthened and increasingly enforced.

Thang pointed out that Parliament had already passed the Cybersecurity Act; breaches could now be subject to heavy fines. Chin said that the same conditions were applicable to Singapore, with equally severe penalties. “The government is trying to show how important protecting consumer data is,” she said. Addressing a question on how to manage staff of different generations (Boomers, Gen X) in the workplace, when the dynamics of the environment were challenging, she said that explanations should be given as to why certain things needed to be done, instead of just telling people to do them.

“Bank Negara has the mandate to protect the people,” she said. “We need to work together and learn about technology. This is the era when innovation is going faster than compliance or risk management people, and the regulators. The law comes after the cybersecurity events happened. For all of us to be able to catch up, we have to work together; that includes Boomers and Gen X.” She urged risk professionals to dispel the myth that Boomers will lose their jobs with changes in tech risk management policy or more stringent requirements.

To a question on how beneficial integrated systems are, when considering the trade-off between cybersecurity and operational efficiency, Thang said cybersecurity was important as a check and balance; operations software that hosts customers’ information constantly undergoes testing. The tools and processes used to check the organisation’s information and information security allow breaches to be traced easily and protect against loopholes in the system. The outsourcing and transferring of risk was also discussed.

On outsourcing IT risk and cybersecurity management to third parties, Chin said that while this may be expedient, organisations may not know what their vendors’ risks are. For instance, “Will they take your information and sell it on the Dark Web?” she queried. “The third-party conversation is a very deep one to have.” Due diligence should be done on both customers and vendors and should continue because there is always more to learn and share, particularly in the growing battle against cybercrime, where cybersecurity remains the biggest concern.
